Thursday, July 25, 2019

DDoS Attack Mitigation: Understanding DoS and DDoS Attacks

What is a DoS attack? What is a DDoS attack? What’s the
difference? How are they created? What are their strengths and
weaknesses? Before discussing any survival techniques, you must
first understand what you are trying to survive.
To provide a figurative example of a DoS attack, imagine yourself
walking into a bank that only has a single teller window open. Just as
you are about to approach the teller, another person rushes into the
bank and cuts in front of you. This person begins making small talk
with the teller, and has no intention of performing any bank-related
transactions. As a legitimate user of the bank, you are left unable
to deposit your check, and are forced to wait until the “malicious”
user has finished his or her conversation. Just as this malicious user
leaves, another person rushes into the bank, again cutting to the front
of the line ahead of you and forcing you to keep waiting. This process
can continue for minutes, hours, even days, preventing you or any of
the other legitimate users who lined up behind you from performing
bank transactions.

During DoS attacks, attackers bombard their target with a massive
amount of requests or data – exhausting its network or computing
resources and preventing legitimate users from having access. More
simply, a DoS attack is when an attacker uses a single machine’s
resources to exhaust those of another machine, in order to prevent
it from functioning normally. Large web servers are robust enough to
withstand a basic DoS attack from a single machine without suffering
performance loss (imagine if the bank in the above example had many
teller windows open for you to use to avoid waiting for the busy one).
However, attackers will often carry out DDoS attacks, which employ
multiple machines for increased effectiveness, in effect, by trying to
tie up all of the tellers at all of the open windows. In that scenario, it
can often be harder to detect and block attackers manually, so special
defenses are necessary to detect and defend against such large-scale
attacks. Additionally, attackers almost never legitimately control
their attacking machines; rather, they infect thousands of computers
spread across the world with specialized malware in order to gain
unauthorized access to such machines. A collection of hundreds or
thousands of compromised machines acting as an army under the
control of one attacker is called a “botnet”, and oftentimes the actual
owners of machines that are part of a botnet are unaware that their
computers have been compromised and are being used to launch
DDoS attacks.
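The distinction drawn above, one noisy machine versus many machines each behaving almost normally, is what decides whether a simple per-IP block restores service. The following triage logic is an added example, not code from the original article; it runs over constructed request records and the thresholds (PER_IP_LIMIT, AGGREGATE_LIMIT) are assumed values, not figures from the page.

```python
from collections import Counter

# Thresholds are assumed for illustration (not from the page); tune to real capacity.
PER_IP_LIMIT = 50       # requests per window one client could plausibly send
AGGREGATE_LIMIT = 200   # requests per window the server can actually serve


def constructed_traffic(kind):
    """Constructed (ts, ip) request records for one 10-second window; example data only."""
    # Baseline: 20 legitimate clients making 5 requests each.
    entries = [(s, f"10.0.0.{c}") for c in range(20) for s in range(5)]
    if kind == "dos":
        # Classic DoS: a single machine fires 300 requests on its own.
        entries += [(1, "203.0.113.7")] * 300
    elif kind == "ddos":
        # DDoS: 40 bots send 10 requests each; no single bot exceeds PER_IP_LIMIT.
        entries += [(s, f"198.51.100.{b}") for b in range(40) for s in range(10)]
    return entries


def triage_window(entries, start, length):
    """Count requests per source inside [start, start+length) and classify the load."""
    per_ip = Counter(ip for ts, ip in entries if start <= ts < start + length)
    total = sum(per_ip.values())
    offenders = sorted(ip for ip, n in per_ip.items() if n > PER_IP_LIMIT)
    remaining = total - sum(per_ip[ip] for ip in offenders)
    if total <= AGGREGATE_LIMIT:
        verdict = "normal"
    elif remaining <= AGGREGATE_LIMIT:
        # Blocking the few noisy sources brings load back under capacity.
        verdict = "dos-single-source"
    else:
        # No source stands out, yet the aggregate overwhelms the server:
        # per-IP blocking cannot help; upstream volumetric defenses are needed.
        verdict = "ddos-distributed"
    return {"total": total, "sources": len(per_ip), "offenders": offenders, "verdict": verdict}


if __name__ == "__main__":
    for kind in ("normal", "dos", "ddos"):
        print(kind, triage_window(constructed_traffic(kind), 0, 10))
```

The "ddos-distributed" verdict is the case the text calls hard to block manually: every bot stays under the per-client limit, so only the aggregate reveals the attack.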


Amassing a Botnet

In order for attackers to create large botnets of computers under
their control (referred to colloquially as zombies), they have two
options: the more common option of using specialized malware to
infect the machines of users who are unaware that their machines
are compromised, or the relatively newer option of amassing a large
number of volunteers willing to use DoS programs in unison.
In the former scenario (by far the most common), attackers will
develop or purchase from various underground cyber crime forums
specialized malware, which they spread to as many vulnerable
computers as possible. Any users tricked into running such malware
will often disable antivirus functionality on their computer, and install
a “backdoor”, or access point, for attackers. Infected computers
begin accepting communications from “command and control” (C&C)
servers, centralized machines that are able to send commands to
botnet machines, usually by means of Internet Relay Chat (IRC), a
communication protocol designed for chat rooms. Anytime attackers
want to launch a DDoS attack, they can send messages to their
botnet’s C&C servers with instructions to perform an attack on a
particular target, and any infected machines communicating with the
contacted C&C server will comply by launching a coordinated attack.
When law enforcement officials attempt to dismantle a botnet, it
is often necessary to locate and disable C&C servers, as doing so
prevents most botnets from remaining operational. One particular
botnet that was dismantled in 2010, called “Mariposa” (Spanish
for “butterfly”), was found to contain nearly 15.5 million unique IP
addresses around the world with many associated command and
control servers. 2 More recent and advanced botnet software such as
TDL-4, however, has implemented special inter-bot communication
abilities over public peer-to-peer networks to help circumvent efforts to
dismantle botnets solely through the disabling of C&C servers.

In the case in which many computers are voluntarily acting in
unison, hackers sponsoring an attack will publish its details via a
social networking site or an IRC channel, including a date and time,
a target IP or URL, and instructions on which of the available attack
tools to use. Some attack campaigns following this model have
succeeded in recruiting many supporters. The main drawback of such
voluntary, coordinated DDoS attacks, however, is that the majority
of the attack tools used do not mask their users’ identities. One
such tool, Low Orbit Ion Cannon (LOIC), was notorious for this – many
LOIC users failing to use external means to hide their IP address
have been located and arrested by the FBI and other law enforcement
organizations around the world for participating in coordinated
voluntary attacks. News of these recent arrests may deter some new
users from opting to participate in such voluntary, coordinated attacks.


Launching an Attack

With the exception of amassing a botnet, launching a DDoS attack
is not a particularly difficult task to carry out, even for a non-technical
individual. Users do not need to create their own botnets in order
to launch large-scale attacks, as various dedicated pay-for-hire DDoS
services are available for anyone to use. Anyone using such a service
can launch a powerful DDoS attack on a target of their choice for
anywhere from $5 to $200 per hour, depending on the attack size and
duration.

Business Impact

Various surveys on DDoS attacks have highlighted interesting
facts on the impact of DDoS on targeted companies. According to
a Neustar survey, 70% of the surveyed companies were victims of a
DDoS attack that caused some level of damage. 3 While DDoS attacks
may have had more industry-specific targets in the past, such attacks
target all sectors today – financial services, governments, online
retailers, and online gaming, among others. The following diagram
taken from Radware’s 2011 Global Application and Network Security
Report 4 illustrates this trend.

The business impact of a DDoS attack is substantial, and can affect
a victim over a period of time depending on the extent of the attack.
According to both the Neustar and Radware reports, the DDoS attacks
perpetrated in 2011 lasted anywhere from several hours to several
days, with an average duration of about 24 hours. The effects from
a DDoS attack can vary depending on the sector a target company
belongs to and the volume of its online business. Often, these effects
are both qualitative and quantitative, and can involve financial losses,
reputational damage, and legal repercussions.

Financial Losses

The cost to an organization when its Website experiences downtime
varies significantly depending upon the sector to which that particular
organization belongs. The Neustar survey found that organizations
depending mainly or exclusively on the Internet for their business
(notably online retail or gaming sites) estimated an average daily
revenue loss of $2,000,000 – nearly $100,000 per hour – in the case
of downtime, while other sectors, such as financial services, report a
smaller yet significant average loss of $10,000 per hour in the event
of downtime.

3 Neustar Insight – DDoS Survey Q1 2012
4 2011 Global Application and Network Security Report

This calculation takes into account a few different elements: the
cost of the attack itself, revenue loss from customers’ and potential
customers’ inability to access the Website, time spent answering
customer support calls, and possible additional financial penalties.
Most serious attackers carefully plan their attacks, striking during
critical periods for their target Website, for example during the holiday
shopping season for an online retailer.

The wave of DDoS attacks that targeted major Websites such as
Yahoo and Amazon in 2000 was estimated cumulatively to have
cost over $1.2 billion in damages. 5 The total cost of the more
recent attacks on Sony’s Websites remains unclear and is difficult to
estimate. Over $170M has been spent by Sony for cleanup related
to the DDoS attack and loss of data, but some analysts estimate an
ultimate cost of hundreds of dollars to Sony for each of the 77
million compromised user accounts – amounting to billions of dollars
in damages. 6 Regardless of analyst estimates, one thing is clear:
the cost incurred by an organization that is not adequately protected
against DDoS attacks can be exorbitantly high.

Customer Attrition

The most significant business impact outlined by surveyed companies
is that related to their customers. A customer who attempts to access
an organization’s Website but is unable to do so because of downtime
cannot buy anything, access information, or generally use any services.
If he or she is dissatisfied, complaints, requests for financial restitution,
or even increased business for competitors may result.

According to the American Express 2011 Global Customer Service
Barometer, consumers spend more money wherever they have a

Google engineers have discovered that the average online customer
is not willing to wait an extra 400 milliseconds for a page to load
– “literally the blink of an eye”, as a New York Times article put it. 8
Online customers require quick access to information, and according
to Microsoft, would visit a Website less often if it is slower than that
of its competitors by more than 250 milliseconds. 8 Consequently,
a DDoS attack that prevents the targeted company’s Website from
providing adequate service to its users can result in customer
dissatisfaction, angry support calls, and even customer attrition.

Reputation Loss

Businesses want to make headlines by showing off merits and
achievements. Management teams dislike being forced to admit
vulnerabilities in the media. When it becomes publicly known that a
company has been a victim of a cyber attack that has compromised
its customers and their data, the ensuing bad publicity can have
devastating effects on both reputation and future sales. Any company
falling prey to hackers becomes an example of “what not to do”, and
the ensuing fallout often involves replacing the IT team that allowed
the disruption or break, corporate rebranding, and expensive public
relations to regain the trust of the public.

Legal Pursuits

Customers affected by the unavailability of online services who can
prove that they suffered damages may attempt to pursue financial
restitution by means of filing a lawsuit, often arguing that the company
did not take enough precaution against the possibility of such an
attack. In one example, a major stock exchange, hit by a DDoS attack
in 2011, was forced to suspend trading and pay penalties to trading
firms to compensate for their inability to provide normal service.

Conclusion

The ability of an organization to protect itself against DoS and
DDoS attacks is essential for its success. Without proper protection
mechanisms, an organization targeted by a DoS or DDoS attack is
likely to experience financial loss, reputational damage, and legal
expense – all of which are likely to permanently affect its future.
