Distributed Denial of Service, otherwise known as DDoS, attacks have become more prominent lately in today’s news. What exactly is a DDoS attack? This particular cyber crime involves blasting targeted servers with traffic and information requests until websites crash, denying access to one or more users. The amount of damage and chaos that a DDoS attack can cause against unprotected or vulnerable targets depends on the size and importance of the target servers. A 2014 report by Incapsula found that companies in North America had an average cost of $500,000 for every attack. In May 2017, Neustar released a survey estimating that these costs had risen to $2.5 million per incident. On March 6th a record breaking 1.7 Terabits per second (Tbps) DDoS attack was made against an unidentified service provider in the United States, according to security firm Arbor Networks. This breaks another record set only last week by a 1.3 Tbps attack on GitHub. Back in October 2016, a 1.2 Tbps DDoS assault against Dyn, a company that controls much of the internet’s domain name system (DNS), crashed the servers of many sites across the United States and Europe, including Netflix, Twitter, Reddit and news channels like CNN and the New York Times. The DDoS cyber threat continues to evolve, increasing in terms of both frequency and intensity. Here’s a history of the evolution of DDoS attacks, how to best respond, and how to protect yourself from these attacks.
An Evolving Threat
The history of DDoS attacks stretches back 24 years, with the first registered incident occurring in 1974 when a 13 year old student used a simple “ext” command to temporarily lock up terminals at a University of Illinois laboratory. With the rise of the World Wide Web in the 1990’s, Internet Relay Chat (IRC) floods were used to force administrators to log off from a channel, allowing the attacker to take over and establish administrator privileges for themselves. In the late 90’s and early 2000’s more sophisticated tools began to emerge, providing the model foundation for future DDoS attacks. The Trinoo tool allowed attackers to take over a few computers with a wide network, creating a chain reaction of service denial that became known as a User Datagram Protocol (UDP) flood, with unsuspecting users participating in the attack. Other tools like “Shaft” and “Omega” would allow hackers to track the performance of their attack, allowing them to adjust tactics more effectively. Through the emergence of new methods and with the refinement of old techniques, hackers have kept up to speed with the fast-paced technological advances of recent times. Botnets, such as the famous Mirai botnet that attacked Dyn, are capable of leveraging thousands of devices to cause malware-induced system crashes. Storing systems known as memcache servers, are designed to speed up websites, and up to 100,000 of them are available for public use on the internet. In recent attacks however, hackers have also used these servers to increase the intensity of their attacks by magnifying data packets to overflow websites with information requests. Unfortunately for victims, it’s common for DDoS attacks to be accompanied by financial demands.
Prevent, Mitigate and Respond
Aside from the moral implications of paying ransom to hackers, companies could be exposing themselves to future attacks by other cyber criminals. Hackers tend to congregate at subject specific forums on the dark web, sharing (and bragging about) their deeds with other like minded individuals. If a company is identified as having been open to negotiations to stop any attacks, it is likely to face the same issues again from another source. For a DDoS attack to succeed, it needs to have more bandwidth than it’s target, so boosting and spreading your own bandwidth over several servers is a great way to fend off these digital assaults. The problem is that large scale DDoS attacks use sophisticated botnets that infiltrate bandwidth-rich third party servers and spoof their IP address to make it seem like they came from the victims system. Outbandwidthing a botnet can thus turn into an expensive proposition. DDoS attacks also frequently target DNS servers by taking advantage of open DNS resolvers, machines that translate a domain name into an IP address, allowing users to access a website. If these resolvers are left open, the server itself is vulnerable to attack. These resolvers should be configured to filter out queries from spoofed addresses. Content delivery networks decrease loading times by delivering information in a faster and more distributed way. Strong firewalls are essential, acting as a shield and sword against DDoS attacks, so companies should place skilled cyber security professionals in charge of setting up and monitoring firewall settings. The Department of Homeland Security’s DDoS Quick Guide lists different types of attacks and how to configure firewalls that help prevent or mitigate them. Firewall settings should be configured to filter for UDP, ICMP and SYN floods by monitoring connections for strange proxy requests from different DNS servers. SYN packets are necessary for TCP communication (opening and visualizing a website), but can crash the target with excessive connection requests. To prevent this, a solid firewall will limit the number of SYN’s per second (by IP address and destination), controlling inbound and outbound traffic and presenting a stiffer barrier to any DDoS threat.