How much do you understand DDoS attacks?

Cyberattacks have recently made headlines, which gets us thinking about how Ontario’s research, education and innovation community can be better informed and prepared to protect those in their institutions from such threats.

To help shed light on and demystify the nature of DDoS attacks, we interviewed one of our community partners specializing in web application security, Palomino Inc. Markus Latzel, Palomino’s CEO, takes a holistic approach to cloud security in order to offer comprehensive recommendations on next steps to take.

What exactly is a DDoS attack, and how is it different from a conventional attack?

DDoS stands for Distributed Denial-of-Service, which is a sophisticated form of a Denial-of-Service (DoS) attack. DoS attacks involve flooding a publicly accessible web server with a volume of page requests large enough to “bring it to its knees,” literally causing it to deny general service. As a result, the service – say, a website or application – becomes unavailable to everybody, even legitimate users.

Yet, the intent between a DoS attack and a “conventional” attack is different.

DoS attacks primarily try to bring the service down. They rely on the fact that every web server has a limited capacity to handle requests. What’s important to know is that while the effect is very obvious to everyone, the actual server itself is usually not breached. This means that the hackers have not gained access to any company information.

Think of a highway: if there are suddenly thousands of cars going through one exit, eventually the exit will have to be shut down and become unable to serve the drivers passing through. It just can’t handle the capacity – there is, literally, a denial of service.

In contrast, a “conventional” attack has the goal of breaking into a server and, once in, executing code that is neither intended by nor in the interest of the organization. In some cases the intent is to steal data; however, in almost all cases, the intent is to gain control of the server for illegal activities.

Where does the “distributed” in DDoS come into play?

One obvious protection against regular DoS attacks is to adapt web servers to selectively deny service to “rowdy” IPs sending too many requests. Distributed-DoS attacks then counter this protection by using a large number of compromised IPs to mount the DoS attack, so that there is virtually no way of differentiating authentic from faulty requests to block.

DDoS is much more sophisticated because the hacker would have had to synchronize a wide-scale attack, launching at the same time. Preparing a DDoS means doing the early work of quietly hacking into thousands of devices and lying dormant, so to speak, while the malware works its way into each device’s system to instruct it to launch an attack at the planned launch date and time. Then, once there are enough devices “ready,” the hacker will synchronize all of those devices to flood the targeted server with requests. Hence, the widespread attacks are “distributed.” It really is another level of cyberattack, at a massive scale.

DDoS is similar to a bank robbery. In order to succeed, the criminals will need a getaway car with which to rob the bank. How do they do this? They steal one from a random driveway just before the heist. By the time the law-abiding citizen realizes his or her car has been stolen, the attack on the bank has already happened and the car is discarded in a ditch. In parallel, DDoS “steals” devices in order to use them for illegal activity. And unfortunately, the organization or device owner is often clueless that they’ve been used to orchestrate this attack.

Who is behind the DDoS or DoS attacks?

It is hard to tell, unfortunately. There is evidence that, at this point, there are different groups of hackers at work delivering pieces of the puzzle. For example, some groups are designing viruses in which the only goal is to scan the Internet for vulnerable PCs and infect them silently. They “gather an army of IPs,” so to speak. Once done, they sell these to other groups who, in turn, use them for the actual intended dirty work.

Groups behind a DDoS attack need to have funding to purchase banks of IPs and plan the attack. Typically, this is a very expensive endeavor and is sometimes politically motivated and funded – that’s when we start to get into problems like cybercrime.

However, what’s reducing the cost is the increased supply of vulnerable devices available to hack. With the Internet-of-Things (IoT), we are connecting many more devices with hackable operating systems – such as smart watches, Wi-Fi routers, webcams, and even coffee machines. Therefore, IoT security is a growing concern, as these devices can be hard to keep updated with security patches.

What can be done to protect our institutions?

Since DDoS can be mounted against any publicly accessible server, practically all websites can be attacked.

To protect publicly accessible servers, there are traffic monitoring tools and DDoS firewall services available, which usually operate either by maintaining a large database of blacklisted IPs or by using artificial-intelligence algorithms to spot and block suspicious traffic. No system is perfect, and there is also the possibility of false positives – blocking legitimate users. Also, these kinds of solutions, while sophisticated, are quite expensive.

Another solution is to look at overall risk assessment, which should assess these questions:

  • What is the likelihood that anyone dislikes us so much that they would want to bring our organization down?
  • What would the attackers gain from the attack?
  • What is the likelihood that attackers can access the funding or criminal will to execute on their intent?
  • What is the damage of our organization’s down-time?
  • What are the appropriate strategies, given our budgets?

Based on the risk mitigation assessment, organizations can be better informed to take action, such as creating an effective Plan B or investing in protection solutions most suitable to the organization’s needs.

At the core, threats like these highlight the value of having dedicated, private infrastructure. Private infrastructure helps ensure that the people your organization serves are protected, and their data and work can continue on, unhindered over this network. If we think back to our highway analogy, having private infrastructure is akin to having an alternative, private route that is separate from public traffic and exposure to its risks.
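The two defensive mechanisms mentioned above, per-source rate limiting (the “deny rowdy IPs” protection that a distributed attack defeats) and a blacklist of known-bad addresses (with its risk of false positives), can be shown side by side in a small simulation. The code below is an added illustration, not code from the interview or from Palomino Inc.; the window size, request threshold, blocklist entry and all traffic are constructed for the example, and every address comes from documentation address ranges.

```python
"""Why per-source rate limiting stops a single-source DoS but not a distributed one.
Illustrative code with constructed traffic; not the interview's or Palomino's code."""
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # sliding window length (assumed for the example)
MAX_REQUESTS = 100    # requests one source may send per window before it is cut off (assumed)

# Hypothetical blocklist of known-bad sources (the "database of blacklisted IPs"
# the interview mentions). All addresses in this file are RFC 5737 documentation ranges.
BLOCKLIST = {"203.0.113.7"}


class PerSourceLimiter:
    """Sliding-window counter keyed by client IP: the 'deny rowdy IPs' defence."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_REQUESTS, blocklist=BLOCKLIST):
        self.window = window
        self.limit = limit
        self.blocklist = set(blocklist)
        self.history = defaultdict(deque)  # ip -> timestamps of recent requests
        self.blocked = set()               # ips that exceeded the threshold

    def allow(self, ts, ip):
        """Return True if the request is served, False if it is dropped."""
        if ip in self.blocklist or ip in self.blocked:
            return False
        recent = self.history[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:  # forget requests outside the window
            recent.popleft()
        if len(recent) > self.limit:
            self.blocked.add(ip)  # this source is now treated as "rowdy"
            return False
        return True


def replay(events):
    """Run (timestamp, ip) events through a fresh limiter.
    Returns (served, dropped, blocked_ips) so the scenarios can be compared."""
    limiter = PerSourceLimiter()
    served = dropped = 0
    for ts, ip in sorted(events):
        if limiter.allow(ts, ip):
            served += 1
        else:
            dropped += 1
    return served, dropped, sorted(limiter.blocked)


# --- constructed traffic scenarios (all inside one 10-second window) -----------------
def single_source_flood(n=200):
    """Classic DoS: one address sends n requests."""
    return [(i * 0.03, "198.51.100.9") for i in range(n)]


def distributed_flood(n=200):
    """DDoS: n compromised devices send one request each. Same total load, no hot IP."""
    return [(i * 0.03, f"192.0.2.{i + 1}") for i in range(n)]


def nat_gateway_traffic(users=120, per_user=2):
    """False-positive case: many legitimate users share one NAT address."""
    return [(i * 0.03, "203.0.113.50") for i in range(users * per_user)]


def blocklisted_source(n=5):
    """A source already on the blocklist is dropped before any counting happens."""
    return [(i * 0.5, "203.0.113.7") for i in range(n)]


if __name__ == "__main__":
    for name, events in [("single-source flood", single_source_flood()),
                         ("distributed flood", distributed_flood()),
                         ("NAT gateway (legitimate)", nat_gateway_traffic()),
                         ("blocklisted source", blocklisted_source())]:
        served, dropped, blocked = replay(events)
        print(f"{name:26} served={served:3} dropped={dropped:3} blocked={blocked}")
```

The single-source flood is cut off after 100 requests, while the distributed flood of the same size is served in full because no individual address crosses the threshold; that is the gap the “distributed” in DDoS exploits. The NAT scenario shows the false positive the interview warns about: 120 legitimate users behind one address look exactly like one rowdy client and are all blocked, which is why a threshold alone is not a complete defence.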