Against DDoS attacks, an end-to-end approach needed
By Gabey Goh November 19, 2012
- DDoS is a serious, business-impacting issue for any enterprise and a multi-layer control strategy must be implemented
- 'Enterprises are only as strong as the weakest link,' says Tata’s Hemmendinger
A RESURGENCE of large-scale distributed denial of service (DDoS) attacks targeted mainly at financial institutions this year has put the heat on organizations around the world to ensure they are protected against the possibility of attack.
A blunt but effective method, DDoS attacks are an attempt to make a machine or network resource unavailable to its intended users.
October saw reports of crushing blasts of 65Gbps traffic, aimed at organizations such as Bank of America, Wells Fargo, US Bank, JP Morgan Chase, SunTrust, PNC Financial Services, Regions Financial and Capital One.
An Islamic group called the Izz ad-Din Al-Qassam Cyber Fighters was reported to have claimed credit for most of the distributed denial-of-service (DDoS) attacks that started Sept. 18 with Bank of America. A hacktivist group associating itself with Anonymous also allegedly claimed responsibility for the DDoS against HSBC that started Oct. 18.
However, in an interview with Ellen Messmer of Network World, Mike Smith, senior security evangelist at Akamai, expressed doubts over the originators of these attacks.
He stated that these attacks may have been simply a distracting mechanism to throw banks off guard while cyber-attackers went after bank employee computers with ZeuS Trojan malware and the like in order to be able to steal bank funds.
In an email interview with Digital News Asia (DNA), Eric Hemmendinger, head of Managed Security Solutions (MSS) Product Management with Tata Communications, said he has not seen specific evidence that the DDoS attacks are intended to divert scrutiny away from “straightforward crime.”
He added that the only evidence that would speak to this would come from the targeted institutions themselves. He declined to share with DNA other instances where ‘DDoS as a decoy’ attacks have been successfully executed.
“The most effective approach to addressing this risk is to put in place effective strategies for detecting and mitigating DDoS attacks,” he said.
According to him, organizations that have effective strategies in place – such as with external service providers – find that DDoS attacks are temporary distractions and therefore unlikely to shield or disguise other activity that is more targeted – such as breaching the organization’s data protection mechanisms.
When asked if he agreed that the world was currently at the stage of a cyber-arms race as noted by other security researchers, Hemmendinger said: “An arms race is a build-up of capabilities. A war is the use of the capabilities. The capabilities are in use – so this is most accurately described as a cyber-war, or a series of cyber battles.”
Regardless of whether the attacks' motive was political or criminal, Hemmendinger said the company strongly encourages businesses to directly address the DDoS risk. Having solved it, they are then able to more directly address the potential attacks that DDoS is perceived as disguising.
“Put another way, if you believe DDoS is the disguise, deal with it and then focus on the bigger issue. Our customers are dealing with both DDoS and the more targeted attacks without regard to whether DDoS is intended as a distraction. In its own right DDoS is a serious, business-impacting issue for these businesses. That’s why they address the problem.”
Safeguarding the enterprise
According to researchers from DDoS mitigation vendor Prolexic, DDoS attacks with an average bandwidth of over 20Gbps have become commonplace this year.
Prolexic's president Stuart Scholly said that in 2011 such high-bandwidth attacks were isolated incidents, but attacks that exceed 20Gbps in bandwidth now occur frequently.
In a survey conducted by the Ponemon Institute and Radware which polled 700 senior IT professionals, 65% of organizations experienced an average of three DDoS attacks in the past 12 months, with an average downtime of 54 minutes per attack.
With each minute of downtime costing as much as US$100,000 – including lost traffic, diminished end-user productivity and lost revenues – DDoS attacks cost companies about US$3.5 million every year.
Hemmendinger shared that there are several techniques an organization could consider to defend itself against DDoS attacks:
- Invest in a tool which can identify and filter all the DDoS traffic as well as divert it into a black hole where the traffic is discarded.
- Use routers and firewalls which can filter all nonessential ports and protocols.
- Utilize intrusion-detection system (IDS) solutions to identify and block attacks in progress.
- One of the most important techniques is proper configuration of server applications, so that the administrator can control the quality of, and access to, the bandwidth which a customer can utilize.
- Some organizations build DDoS mitigation functionality into devices which act as load balancers or firewalls. The server infrastructure should be robust enough to handle some illegitimate traffic if this technique is implemented. This is not a foolproof technique to prevent an attack.
- A DDoS attack spikes the demand on bandwidth; the most cost-effective technique for an organization to prevent an attack is to have excess bandwidth or a redundant network device.
However, Hemmendinger stressed that none of the above techniques are directly and successfully responsive to DDoS attacks on any significant scale, adding that other security solutions or over-provisioning strategies ignore two key issues.
“Firstly, a device that is not specifically designed for DDoS will eventually be overwhelmed. Secondly, an attacker can more easily increase the scale of an attack in real time than a defender can increase the scale of their defenses. This is why none of the above methods are directly and successfully responsive to DDoS attacks on any significant scale,” he said.
Hemmendinger stated that the only thing that addresses DDoS attacks on a significant scale is a mitigation service that shifts traffic to filtering and scrubbing infrastructure and then returns clean traffic to the enterprise.
“As a company would not know in advance about the DDoS attack, a multi-layer control strategy should be implemented. Many enterprises also outsource it to managed service providers, as they can have multiple services without investing heavily in building the required infrastructure,” he said.
It’s not just banks
According to Hemmendinger, DDoS attacks may vary; he observed that hackers have recently attacked government sites, sport sites, news portals, telecommunications companies, and the online gaming and e-commerce sectors.
“There are many of these sectors who use the internet as a source of customer satisfaction as well as for their revenues. Smaller organizations would not have enough revenues to over-provision their capacity and such organizations become easy targets for hackers,” he said.
“These attacks tend to consume a lot of bandwidth and application-level resources of an organization. Generally these attacks take place for a cyber-scam, theft or damaging a company’s image with its customers,” he added.
Hemmendinger explained that DDoS attacks target websites, hosted applications or network infrastructures by absorbing all available bandwidth and disrupting access for legitimate customers and partners. These attacks can halt all critical operations, damaging a company’s reputation. As a result, an organization can run into losses.
“As the attacks become more sophisticated and take up higher bandwidth volumes, few enterprises have networks with the capacity to withstand them. Enterprises are only as strong as the weakest link,” he said.
“An attack on one company could be used to perpetrate an attack on a second company. With DDoS attacks now being used as a decoy, it has now also become critical to look at the entire attack from end-to-end,” he added.
For the next 12 months and beyond, Hemmendinger believes that web-application-focused attacks will continue to be a big focus for vendors.
“These attacks are very difficult to detect as well as prevent; a lot of the illegitimate traffic coming in is similar to the legitimate traffic,” he said.