polygraphus - Fotolia

DDoS attack threat cannot be ignored

Criminal activity has become the top motivation for distributed denial of service attacks as the average attack become strong enough to down most businesses – so taking no action is not an option

Distributed denial of service (DDoS) attacks are becoming a genuine threat to companies with an active online presence.

Originally, such attacks were seen as little more than an annoyance, but with more and more companies evolving into online services, they are having major repercussions. It is now not a case of if a company will be hit by a DDoS attack, but when.

In a DDoS attack, a digital service or website is forced offline by being overwhelmed with process requests from multiple sources. This presents a major challenge to ensure people can access data and services online. 

The size and frequency of DDoS attacks are also on the increase. According to Arbor Networks’ annual Worldwide Infrastructure Security Report, the largest attack reported in the past year was 500Gbps, representing a 60 times increase in 11 years.

“What is significant is that the average of just under 2Gbps, which we see across tens of thousands of attacks, is enough to overwhelm most business internet connections,” says Gary Sockrider, principal security technologist at Arbor Networks.

The Irish National Lottery and several Irish government websites were recently knocked offline by DDoS attacks, preventing people from buying lottery tickets over the internet. Similarly, the BBC website was taken down by a DDoS attack last year, and its associated iPlayer media platform was unavailable during that time.

The website for a Manchester casino was also taken offline by a DDoS attack before the owners were contacted by the perpetrators, who demanded a ransom in bitcoin.

“In many ways, a company may not even realise it is under a DDoS attack, because it manifests itself in very strange ways,” says Mark Crosbie, trust and security manager, Europe, Middle East and Africa, for Dropbox. “They may see an uptake in service request tickets or see a million logging into services. It will not be clear what is happening until someone does some route-cause analysis.”

Users unaware

DDoS attacks typically require hundreds of computers working in conjunction with each other, often with their users unaware, due to malware installed on their machines. It is not just computers that can be part of a DDoS network; anything that has a processor and an internet connection – such as a network router – can be involved.

Generally, most DDoS attacks work by overwhelming the web server through sheer volume of traffic. However, there are other mechanisms that can achieve a similar effect. One technique is to place excessive demands on a website’s search function. If that function is ‘very expensive’ (in terms of system resources), then the perpetrators will not require as many entities in their DDoS attack.

“Even a small number [of computers] can be used to take the site down,” says Wolfgang Kandek, chief technical officer for Qualys.

Read more about DDoS attacks

One of the reasons why DDoS is such a significant threat is the relative simplicity of arranging an attack. There have been reports of a DDoS attack being hired as a ‘service’, sometimes for as little as £10. The distributed nature of DDoS attacks, combined with the anonymous nature of the internet, means the instigators are rarely caught.

To have an appropriate level of planned safeguards in place for a DDoS attack, companies need to assess how much of their revenue is generated through their website. This revenue can range from orders taken online or appointments being booked, through to sales of digital goods and ordering of online services.

Naturally, the ratio of digital revenue to physical sales (shop, telephone, and so on) will determine the appropriate level of response and preparation. As a worst-case scenario, companies should also plan how they would continue to operate if their website went down.

Sensible strategy

If the ratio of digital revenue is comparatively small, with the website essentially acting as a place-holder for the company on the internet, a sensible strategy might be to simply wait for the attack to abate.

But for companies with a high ratio of digital revenue, it may be prudent to use a company that offers DDoS protection services, such as CloudFlare. Such companies essentially act as a buffer for a customer’s website.

They employ sensitive networks that can absorb large attacks by using their application firewall, and can also detect attacks and drop the bad traffic more efficiently than a conventional firewall.

The average DDoS attack of just under 2Gbps, which we see across tens of thousands of attacks, is enough to overwhelm most business internet connections
Gary Sockrider, Arbor Networks

At the very least, companies should have access control lists in place, as well as the ability to rate-limit incoming traffic from certain IP regions.

It is also advisable for companies find out in advance from their service provider and web-hosting company who they should contact in the event of a DDoS attack, and what measures the hosting company can take.

Streamlining the functionality of a website, making it as efficient as possible in terms of processing power, is an important consideration. Not only does this encourage best practice in coding, but it will also mitigate the risk of DDoS attacks overwhelming the website through search queries.

Fail-tolerant service

“If you are going to have your systems operate at scale on the internet, you have to build your service in a fail-tolerant manner,” says Crosbie. “This means that if parts of your service become unavailable for whatever reason, your service can continue to operate. Users can then continue to use your service, even as you are working in the background to address the issues coming up.”

There are also monitoring tools available – such as the DDoS Sensor in Andrisoft’s WanGuard enterprise-grade software – that allow constant monitoring of a website’s status. Such tools can also send alerts if they ever detect that the customer’s website is unavailable.

However, even the best firewalls and threat managers are wasted if the rules for them are inadequate. Companies should constantly test their systems to ensure they are robust and secure.

No matter what steps are taken to limit the risk, DDoS attacks will never be completely prevented. But making the necessary preparations will reduce the duration and the damage that these attacks can cause.

In many ways, a company may not even realise it is under a DDoS attack, because it manifests itself in very strange ways
Mark Crosbie, Dropbox

At the first sign of a DDOS attack, companies should immediately call their web-hosting company to inform them that the website is down and they suspect a malicious attack. “That is where some of the difficultly lies – in figuring out what is malicious and can be turned off, and how capable your service provider is in turning this off,” says Qualys’ Kandek.

Absorbing the attack is the simplest response to DDoS. It requires bringing more processor power online to support the affected server, but this depends on the resources being available.

Blocking malicious attacks is the most effective response, but this requires network specialists to analyse the incoming traffic and identify the malicious requests. There is also the danger of blocking legitimate requests that are not part of the DDoS attack.

Switching to a different network is another tactic, but this will only delay the DDoS attack, rather than block it. The duration of the delay depends on how aware the instigators are of the mitigating strategies being employed.

“Prolexic [now part of Akamai] are specialists with this kind of thing,” says Kandek. “They have a really good understanding of the internet, so it would be difficult to overwhelm. They also have expertise and in-house built devices that allow them to find bad traffic and then drop it efficiently.”

Defence in depth

IT infrastructure consultant Simon Orchard says: “The sensible way is defence in depth with different edge firewalls. By that I mean two different sorts, one after the other – say a Cisco followed by a Juniper, for example. This means that your attacker has to know two operating systems.

“An internet-facing threat management system, such as Microsoft Forefront Identity Manager, can also do traffic analysis on what is coming in.”

DDoS attacks are not just an external phenomenon. Internal attacks can happen if malware has been installed on machines within the company’s internal network. To avoid this, companies need to conduct routine security scans of their computers and networks, as well as ensuring their servers are patched with the latest security updates.

“IT departments need to be aware that [DDoS attacks] can come from internal or external [sources],” says Hervé Dhélin, worldwide marketing director at EfficientIP. “If internal, you have to check the network security against malware installation or malware processes.”

Tarnish its reputation

DDoS attacks are a genuine threat to companies and their ability to conduct business. Even an attack that has no impact on a firm’s trading could still tarnish its reputation and make customers question the robustness of its security policies.

“All this costs money, so your first step is a risk analysis – how worried are you by DDoS and what is the impact?” says Orchard. “For example, you would expect NHS Symptom Checker or Amazon to be very worried, but Bert’s Dog Treats less so.

“Doing something rather than nothing should be considered by everyone, but multiple layers of security are only necessary for a few.”

Dropbox’s Crosbie adds: “I see the sophistication of the attacks growing and I see the targeting improving. This is going to continue as a factor of doing business on the internet, and companies need to adapt to that.”

Read more on Hackers and cybercrime prevention