What is DDoS?
A DDoS (Distributed Denial of Service) attack is a type of cyberattack intended to disable a website or server so that it can no longer be used for its normal purpose.
This type of attack usually takes the form of access congestion, blocking legitimate users from accessing the website that’s under attack by swamping it with many thousands of fake users, overwhelming its ability to cope. Think of a shop that is suddenly invaded by hundreds of people who have no intention of shopping there; the real customers cannot get into the shop, let alone buy anything.
DDoS attacks use many different techniques for creating this sort of congestion. The two techniques most commonly used are known as botnets and amplification attacks.
Although it sounds like just one thing, a botnet is actually a group of devices (often numbering in the hundreds of thousands) that have been hijacked by the use of malicious code (malware) and ordered to disrupt the target website by flooding it with requests for service.
Such attacks, known as flood attacks, are the more common form of DDoS attack at present.
This works by introducing malicious code into a server; the server is then instructed to generate multiple fake IP (internet protocol) addresses which send out a very large number of commands to the target website. This can rapidly overwhelm it. The technique is also known as ‘spoofing’.
When a machine has been compromised, it can spoof thousands of fake IP addresses. This means that an attacker can cause large-scale disruption while only needing to infect a small number of servers.
Dealing with DDoS attacks
One of the main methods for handling a DDoS attack is to shift traffic to a third party that has expertise in sifting out fake and malign requests to websites. Think of it as having a person at the door of the shop, verifying that anyone trying to get in is a real customer.
Each third party will be able to cope with a large number of incoming requests, but on its own it may not be able to stop every single one. If it receives more malicious requests than it can cope with, the target website may experience some disruption. This can sometimes be overcome by enlisting more than one third party.
How big is the problem?
Whilst DDoS attacks have been an issue for security companies for some time, the scale of the problem has increased dramatically in recent months. This means that any business using the internet needs to be aware of the increased likelihood and scale of such attacks.
Such businesses could include retailers who do a lot of their business online, companies who facilitate online video gaming, video streaming services, financial services and professional services organisations and government services.
It is also worth noting that DDoS attacks seem to be the weapon of choice for activist groups who may use them against organisations who have adopted a course of action with which the group disagrees.
What can be done?
There are several options available to businesses who want to avoid the full effects of DDoS attacks:
Many of the critical functions of an organisation tend to depend on centralised servers and data centres, which will most likely be heavily shared. This can make it easier for those who are planning DDoS attacks to identify the targets most vulnerable to intrusion.
A very good idea is to design structures that move critical functions so that they are not on centralised or shared servers, while ensuring that they still operate in a way that preserves the centralised approach.
When deciding how much bandwidth to lease, some large businesses will take considerably more than they actually need in order to allow for the natural expansion of their business but also to prepare for a DDoS attack. Going back to our shop example, imagine that the shop had opened up a huge warehouse space to handle the flood of fake customers.
A DDoS attack with insufficient traffic to overwhelm the extra capacity will not be effective in taking down a target website.
Businesses need to take a look at their systems and identify areas that are vulnerable to attack. The resilience of systems can be assessed with controlled testing, which will enable the organisation to review its DDoS response mechanisms. Such tests can also highlight deficiencies in the design of test scenarios, gaps in awareness of the ways in which DDoS attacks might be carried out, and features that were overlooked when earlier response mechanisms were designed.
Operating in the same fashion time after time means that an organisation’s systems can become predictable and vulnerable to attack. Organisations should establish an agile approach that adapts and changes over time, thereby establishing a false front that will misdirect or disperse attacks.
Companies who make use of online streaming media should think about offering customers the opportunity to access services offline; this can overcome the problem that DDoS attacks tend to prevent uptake of products and services.
The ability to filter traffic in a more precise way can enable organisations to identify and analyse trends that may suggest an imminent attack. A geographic analysis can identify a traffic surge from a particular location that may raise suspicions. In a similar way, a sudden quantity of new traffic from a connection that has previously been inactive could signal that something is wrong.
However, both of these examples also have innocent explanations, and organisations need to be alert to the difficulty of telling friend from foe.
If the attack is likely to be particularly large, the organisation can draft in assistance from their local telecommunications company to filter incoming traffic at the provider level.
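The two warning signs described above (a surge from one geographic location, and a sudden volume of traffic from sources that were previously quiet) can be expressed as simple comparisons between a baseline window of traffic and the current one. The script below is an added example written for this article, not code from rradar or any vendor; it assumes a log line format of '<timestamp> <src-ip> <country> <method> <path>' in which the country has already been resolved by a GeoIP lookup, and every address, count and threshold in it is constructed for illustration.

```python
"""
Added example: two of the traffic-trend checks the article describes
(per-country surge, burst from previously unseen sources), run over
access-log style records. All data here is constructed.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class Request(NamedTuple):
    ts: str        # ISO-8601 timestamp
    src: str       # source IP address
    country: str   # ISO country code (assumption: resolved upstream by a GeoIP lookup)
    path: str


def parse_line(line: str) -> Request:
    """Parse one line of the assumed format '<timestamp> <src-ip> <country> <method> <path>'."""
    ts, src, country, _method, path = line.split()
    return Request(ts, src, country, path)


def constructed_window(spec: List[Tuple[str, str, int]]) -> List[Request]:
    """Build synthetic log lines; spec entries are (src_ip, country, number_of_requests).
    Addresses come from the RFC 5737 documentation ranges, so no real host is named."""
    lines = []
    for src, country, n in spec:
        for i in range(n):
            lines.append(f"2024-05-01T10:{i // 60:02d}:{i % 60:02d}Z {src} {country} GET /index.html")
    return [parse_line(line) for line in lines]


# Constructed baseline window: a quiet period with the usual visitors.
BASELINE = constructed_window([
    ("203.0.113.10", "GB", 40),
    ("203.0.113.11", "GB", 35),
    ("198.51.100.7", "DE", 10),
    ("198.51.100.8", "FR", 8),
])

# Constructed current window of the same duration: normal traffic plus a surge
# from a country not seen in the baseline, sent by two previously unseen sources.
CURRENT = constructed_window([
    ("203.0.113.10", "GB", 42),
    ("203.0.113.11", "GB", 30),
    ("198.51.100.7", "DE", 12),
    ("192.0.2.50", "BR", 90),
    ("192.0.2.51", "BR", 85),
    ("192.0.2.77", "NL", 4),   # one new visitor with a handful of requests: too small to flag
])


def country_surges(baseline: List[Request], current: List[Request],
                   factor: float = 5.0, min_requests: int = 20) -> Dict[str, Tuple[int, int]]:
    """Countries whose current request count is at least `factor` times their baseline
    count (a country absent from the baseline is flagged at any count of at least
    `min_requests`). Returns {country: (baseline_count, current_count)}."""
    before = Counter(r.country for r in baseline)
    now = Counter(r.country for r in current)
    flagged = {}
    for country, count in now.items():
        if count < min_requests:
            continue                      # ignore small absolute volumes
        if count >= factor * before.get(country, 0):
            flagged[country] = (before.get(country, 0), count)
    return flagged


def new_source_burst(baseline: List[Request], current: List[Request],
                     min_requests: int = 20) -> Dict[str, int]:
    """Source addresses absent from the baseline window that each sent at least
    `min_requests` requests in the current window. Returns {src: count}."""
    known = {r.src for r in baseline}
    now = Counter(r.src for r in current)
    return {src: n for src, n in now.items() if src not in known and n >= min_requests}


def analyse(baseline: List[Request], current: List[Request]) -> Dict[str, object]:
    """Run both checks. The output is a prompt for analyst review, not an automatic
    block: a product launch or marketing push produces the same traffic shape."""
    return {
        "country_surges": country_surges(baseline, current),
        "new_source_bursts": new_source_burst(baseline, current),
    }


if __name__ == "__main__":
    for kind, findings in analyse(BASELINE, CURRENT).items():
        print(f"{kind}: {findings}")
```

The `factor` and `min_requests` thresholds are placeholders and would need tuning against an organisation's own traffic history; the point of returning findings rather than blocking is exactly the caveat above, that a surge from one location or a burst of new connections can just as easily be a successful advertising campaign as the start of an attack.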
Alan Hornby – CII accredited advanced trainer:
The UK is second only to the US in being targeted by distributed denial of service (DDoS) attacks. With DDoS for hire services available for minimal cost, there is the potential for anyone to initiate potentially devastating DDoS attacks. Almost anyone, regardless of their technical background, could take down sites and services by flooding them with huge amounts of data. Cyber security can no longer be viewed as an IT risk but has to be seen as a business risk.
rradar are able to provide technical training to brokers on cyber risks, liability and insurance so that they are equipped to discuss this important topic with their clients.
It’s easy to become complacent about cybersecurity and cyberattacks if it hasn’t happened to you. However, the odds that you will become a victim of such an attack are increasing year on year as the intensity of the attacks and the ingenuity of the attackers increase. Realistically, a relaxed attitude is a luxury that businesses can no longer afford.