For a long time, the trends in DDoS have been towards a higher frequency of attacks and larger aggregate attacks. But more recently, there has been a significant trend towards the use of DDoS as part of multi-vector attacks, as a masking agent or enabling vector, where the intent has not been to take a target organisation offline but to carry out more sinister and potentially damaging activities.
DDoS is being used to distract security personnel and degrade defences, such as firewalls and intrusion detection. We’re seeing a rise in data breaches and leaks where DDoS was a key tool in the attack – and this is something that will continue to increase, explains Dave Larson, COO for Corero Network Security in this interview.
This has been happening for quite some time – longer than we probably think. It’s just that we haven’t had the tools to detect it before.
Such attacks typically involve sub-saturation techniques. “The vast majority of DDoS vectors in use are likely never to cause an outage,” says Larson, “so they have to be doing something else.”
Any organisation that sees an attack, particularly one that doesn’t take them down – a kind of “brown out” as Larson refers to it – should be paying close attention to their logs to see if something more sinister was going on.
Sub-saturation attacks can be mounted without the need for significant resources, such as botnets, bringing them within the reach of a very wide range of actors. Reflected attacks in particular, which bounce spoofed requests off open NTP or DNS servers so that the replies land on the target, can be carried out with very modest means.
“The reality is that anyone with a phone can download an app that will launch a DDoS attack … it’s available to anyone that wants to launch this kind of exploit,” says Larson.
To carry out a sub-saturating attack while ensuring you leave enough bandwidth to carry out your intended activities, such as data exfiltration, requires careful judgment and a deep understanding of the target’s networks.
ISP- or cloud-based mitigation services are likely to be ineffective against these sub-saturating attacks, Larson claims, because they work by spotting large, high-bandwidth anomalies, and an attack that deliberately stays below the link’s capacity never produces one.
To understand the target’s networks and their capacity to withstand an attack well enough to keep the flood below saturation, attackers carry out a significant amount of probing and footprinting beforehand. Anti-DDoS defences therefore have to include the ability to spot that kind of reconnaissance, although it isn’t always easy to distinguish it from the background noise of the constant scanning that goes on against any internet-facing network. That’s why it’s a good idea not to tolerate this kind of activity at all, says Larson.
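The triage the article recommends (look at the logs around a brown-out for concurrent egress, and look before it for probing) can be expressed as a simple correlation over per-minute traffic summaries. The following is an added example written for this page; it is not code from the interview, from Corero, or from any product. It assumes a 1 Gbit/s uplink, that per-minute inbound/outbound volumes and a count of distinct destination ports touched by unsolicited inbound traffic are available from flow logs or an IDS, and the thresholds (3x median, 95% of capacity, 50 ports) are arbitrary illustration values. The traffic figures are constructed, not captured.

```python
"""Correlate a sub-saturating ("brown-out") DDoS window with egress and probing.

Added example for this article, not Corero code. All figures are constructed.
"""
from dataclasses import dataclass
from statistics import median

LINK_CAPACITY_MBPS = 1000.0  # assumption: a 1 Gbit/s uplink


@dataclass(frozen=True)
class MinuteSummary:
    minute: str               # HH:MM label for the one-minute bucket
    inbound_mbps: float       # average inbound volume in that minute
    outbound_mbps: float      # average outbound volume in that minute
    distinct_dst_ports: int   # distinct destination ports hit by unsolicited inbound traffic


# Constructed sample: quiet baseline, a two-minute port sweep, then a flood that
# holds the link at roughly 60% while outbound volume jumps for two minutes.
SAMPLE = [
    MinuteSummary("09:00", 120, 40, 3),
    MinuteSummary("09:01", 130, 45, 4),
    MinuteSummary("09:02", 125, 42, 3),
    MinuteSummary("09:03", 128, 41, 180),   # port sweep
    MinuteSummary("09:04", 122, 43, 220),   # port sweep
    MinuteSummary("09:05", 126, 44, 5),
    MinuteSummary("09:06", 610, 44, 6),     # brown-out begins, well below saturation
    MinuteSummary("09:07", 640, 310, 5),    # outbound surge under cover of the flood
    MinuteSummary("09:08", 655, 330, 4),
    MinuteSummary("09:09", 620, 60, 3),
    MinuteSummary("09:10", 127, 42, 3),
]


def baseline(records, attr):
    """Median of one metric across the period; robust to a few attack minutes."""
    return median(getattr(r, attr) for r in records)


def brownout_minutes(records, capacity=LINK_CAPACITY_MBPS, elevation=3.0, saturation=0.95):
    """Minutes where inbound is far above baseline yet still below link saturation.

    A flood that actually saturates the link is caught by volumetric tooling anyway;
    this band is the one a bandwidth-threshold detector would wave through.
    """
    base = baseline(records, "inbound_mbps")
    return [r.minute for r in records
            if r.inbound_mbps >= elevation * base and r.inbound_mbps < saturation * capacity]


def egress_during(records, minutes, elevation=3.0):
    """Minutes inside the brown-out whose outbound volume is anomalously high."""
    wanted = set(minutes)
    base = baseline(records, "outbound_mbps")
    return [r.minute for r in records
            if r.minute in wanted and r.outbound_mbps >= elevation * base]


def probing_before(records, first_minute, lookback=5, port_threshold=50):
    """Minutes in the lookback window before the brown-out that look like a port sweep."""
    idx = [r.minute for r in records].index(first_minute)
    return [r.minute for r in records[max(0, idx - lookback):idx]
            if r.distinct_dst_ports >= port_threshold]


def triage(records, capacity=LINK_CAPACITY_MBPS):
    """Tie the three signals together into one verdict for an analyst."""
    windows = brownout_minutes(records, capacity)
    if not windows:
        return {"brownout": [], "egress": [], "probing": [],
                "verdict": "no sub-saturating window"}
    egress = egress_during(records, windows)
    probing = probing_before(records, windows[0])
    verdict = ("investigate: brown-out with anomalous egress" if egress
               else "brown-out only, review logs for the window")
    if probing:
        verdict += "; preceded by port sweep"
    return {"brownout": windows, "egress": egress, "probing": probing, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The point of the example is the join, not the thresholds: inbound volume alone only tells you the link was busy, and outbound volume alone is easy to explain away as a backup. The same minute showing both, shortly after a sweep of destination ports, is the pattern the article is warning about. In production the same logic would run over NetFlow/IPFIX or firewall session exports, and the egress check should be per destination rather than aggregate, since a few hundred megabits to one unfamiliar host is far more telling than the same amount spread across normal peers.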
Most enterprises view DDoS as an availability problem – after all, it’s called ‘denial of service’. But Larson feels we should start seeing this specifically as an information security issue.