For more than a decade, attackers have used distributed denial of service (DDoS) attacks to disrupt their victims' operations, often taking organizations completely offline. The motivations behind these attacks include notoriety, competitive advantage, cyber warfare, terrorism, hacktivism and extortion. Bandwidth- or resource-saturating DDoS attacks remain effective, but they are no longer the most common type of DDoS attack observed. Researchers are beginning to see a new motivation behind many of the attacks they investigate.
Today's DDoS attacks represent a much greater threat than the risk of an outage. Information breaches and the planting of malware are being hidden behind an attack pattern that has come to be called Dark DDoS. To cover their tracks, attackers overwhelm the security and logging tiers with smaller, repetitive DDoS attacks. These attacks consume considerable analyst time, attention, processing resources and log storage without ever filling the pipes. While everyone is focused on the DDoS incident, the attackers carry out the more insidious work of breaching the network and establishing persistence inside it.
Attackers understand the kill chain as it operates inside an organization (the term is used here for the defender's step that ends an intrusion, not for the attacker's own intrusion kill chain). If an attacker who has compromised an internal system is detected, the security team, or an automated control, invokes a kill mechanism that cuts the attacker's remote access, either by shutting down the system or by terminating the attacker's back door. An attacker who can keep that access undetected is free to move laterally and plant malware on every system reachable within the network, which often ends in a data breach or outright fraud.
Many organizations have begun to deploy advanced threat detection technologies built around sandboxes that execute captured malware and other payloads in an attempt to determine what the malware intends to do. Using network taps or SPAN ports, collectors capture copies of traffic streams at various points in the network and forward suspicious objects to a sandbox for analysis. Sandbox capacity is finite, and detonating a sample takes far longer than sending one. If an attacker can flood the collectors with nothing more than a large volume of malware samples, the sandbox may fall behind, become inoperable, or begin ignoring new samples, a denial of service against the sandbox itself that can leave the one payload that matters unanalyzed.
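One way to keep a sample flood from starving the sandbox is a submission gate in front of the analysis queue: it discards repeat samples by content hash and caps how many distinct samples each collector may submit per window, so a single flooding tap cannot consume the queue while other collectors still get through. The following is an added example written for this article, not code from the author or from any sandbox product; the class, limits, collector names and sample payloads are all assumptions made for illustration.

```python
"""Added example (not from the original article): a submission gate that
protects a detonation sandbox from being flooded with junk samples.
Collector names, limits and payloads below are illustrative assumptions."""
import hashlib
import time
from collections import deque


class SubmissionGate:
    """Admit samples to the sandbox queue only if they are new (by SHA-256)
    and the submitting collector is under its per-window quota."""

    def __init__(self, per_source_limit=5, window_seconds=60,
                 queue_capacity=100, clock=time.monotonic):
        self.per_source_limit = per_source_limit
        self.window = window_seconds
        self.capacity = queue_capacity
        self.clock = clock              # injectable so tests are deterministic
        self.seen = {}                  # sha256 hex -> time first queued
        self.recent = {}                # source -> deque of admission times
        self.queue = deque()            # (source, sha256, payload) awaiting detonation
        self.stats = {"queued": 0, "duplicate": 0, "rate_limited": 0, "queue_full": 0}

    def submit(self, source, payload):
        now = self.clock()
        digest = hashlib.sha256(payload).hexdigest()
        # Repeats are the cheapest thing to reject: a known sample does not
        # need a second detonation and does not count against the quota.
        if digest in self.seen:
            self.stats["duplicate"] += 1
            return "duplicate"
        # Sliding-window quota per collector. Hashing alone is not enough,
        # because an attacker can trivially mutate each junk sample.
        times = self.recent.setdefault(source, deque())
        while times and now - times[0] >= self.window:
            times.popleft()
        if len(times) >= self.per_source_limit:
            self.stats["rate_limited"] += 1
            return "rate_limited"
        if len(self.queue) >= self.capacity:
            self.stats["queue_full"] += 1
            return "queue_full"
        self.seen[digest] = now
        times.append(now)
        self.queue.append((source, digest, payload))
        self.stats["queued"] += 1
        return "queued"


def simulate():
    """Constructed scenario: one collector replays 200 distinct junk samples
    and then 50 repeats within 20 seconds, after which a different collector
    submits one genuinely new sample. Returns (stats, verdict for that sample)."""
    fake_now = [0.0]
    gate = SubmissionGate(per_source_limit=5, window_seconds=60,
                          queue_capacity=100, clock=lambda: fake_now[0])
    for i in range(200):
        gate.submit("tap-dmz", b"junk-sample-%d" % i)
        fake_now[0] += 0.1
    for i in range(50):
        gate.submit("tap-dmz", b"junk-sample-%d" % i)
    verdict = gate.submit("tap-branch", b"MZ\x90\x00 constructed suspicious dropper")
    return gate.stats, verdict


if __name__ == "__main__":
    stats, verdict = simulate()
    print(stats)                 # how the flood was absorbed
    print("branch sample:", verdict)
```

The quota is per collector, not global, so a flooding tap only throttles itself; in practice the `seen` table should also be bounded (an LRU or a time-based expiry) or the attacker can grow it without limit.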
Once an attacker has uninterrupted access to internal systems, using those systems to commit fraud is a small step. Attackers often install keylogging malware on compromised systems to record the keystrokes of whoever uses them and forward those keystrokes to the attacker. Once a username and password with elevated privileges has been captured, the attacker can act as that legitimate user and do a great deal of damage. All of this activity can be hidden behind a DDoS attack.
What many fail to realize is that attackers understand defensive security. Many of them know firewalls, IPS, sandboxes, anti-virus software and other detection technologies well, and they know how to turn those systems to their advantage. For example, most firewalls, IPS devices and load balancers include some rudimentary DDoS detection. Hit with even a simple SYN flood, these devices generate huge volumes of security (syslog) events, yet most of them are largely ineffective at actually blocking the attack, so the net effect is an excess of event messages. Attackers know that a low-volume SYN flood can produce a vast number of syslog events, and use it to flood logging tools in the hope of burying their other activity where security teams will not see it.
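The defensive counterpart is to make sure a flood of identical events cannot bury the few that matter: collapse the repetitive flood messages into one summary per target and time window, and pass everything else through untouched. The block below is an added example written for this article, not code from the author or from any firewall or logging product; the syslog format, hostnames, addresses and the three interleaved "interesting" events are constructed for the demonstration (real firewalls word their flood messages differently, so `NOISE_RULES` would need the local wording).

```python
"""Added example, not code from the original article: condense a SYN-flood
event storm in firewall syslog so the handful of events that matter are not
buried. Log format, hostnames and addresses are constructed for the example."""
import re
from datetime import datetime

# Constructed sample: a low-volume SYN flood logged by the edge firewall with
# three unrelated, far more interesting events interleaved.
SAMPLE_LOG = """\
Mar 12 09:14:01 fw-edge1 kernel: SYN flood detected, dropping packet src=198.51.100.7 dst=203.0.113.10 dport=443
Mar 12 09:14:01 fw-edge1 kernel: SYN flood detected, dropping packet src=198.51.100.8 dst=203.0.113.10 dport=443
Mar 12 09:14:02 fw-edge1 kernel: SYN flood detected, dropping packet src=198.51.100.9 dst=203.0.113.10 dport=443
Mar 12 09:14:02 dc01 sshd[2201]: Accepted publickey for admin from 10.0.5.23 port 51822 ssh2
Mar 12 09:14:03 fw-edge1 kernel: SYN flood detected, dropping packet src=198.51.100.7 dst=203.0.113.10 dport=443
Mar 12 09:14:03 fw-edge1 kernel: SYN flood detected, dropping packet src=198.51.100.11 dst=203.0.113.10 dport=443
Mar 12 09:14:04 fw-edge1 kernel: outbound connection allowed src=10.0.5.23 dst=192.0.2.55 dport=4444
Mar 12 09:14:04 fw-edge1 kernel: SYN flood detected, dropping packet src=198.51.100.12 dst=203.0.113.10 dport=443
Mar 12 09:14:05 fw-edge1 kernel: SYN flood detected, dropping packet src=198.51.100.7 dst=203.0.113.10 dport=443
Mar 12 09:14:05 dc01 sudo: admin : TTY=pts/0 ; PWD=/home/admin ; COMMAND=/usr/sbin/useradd svc-backup2
Mar 12 09:14:06 fw-edge1 kernel: SYN flood detected, dropping packet src=198.51.100.13 dst=203.0.113.10 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Substrings that mark flood noise, mapped to the key=value fields that
# identify one attack (rather than one dropped packet). Assumed wording.
NOISE_RULES = {"SYN flood detected": ("dst", "dport")}


def parse_line(line, year=2024):
    """Split a syslog line into timestamp, host, process, message and any
    key=value fields found in the message. Returns None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(KV_RE.findall(rec["msg"]))
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


def condense(lines, window=60):
    """Collapse every flood event into one summary per (host, target, window
    of `window` seconds) and pass all other events through untouched.
    Returns (summaries, retained): a summary keeps the count and the set of
    distinct sources, which is what an analyst needs from the flood."""
    summaries = {}
    retained = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rule = next(((m, k) for m, k in NOISE_RULES.items() if m in rec["msg"]), None)
        if rule is None:
            retained.append(rec)
            continue
        marker, keys = rule
        target = tuple(rec["fields"].get(k, "?") for k in keys)
        epoch = int(rec["ts"].timestamp())
        key = (rec["host"], marker, target, epoch - epoch % window)
        s = summaries.setdefault(key, {
            "host": rec["host"], "marker": marker, "target": target,
            "count": 0, "sources": set(), "first": rec["ts"], "last": rec["ts"],
        })
        s["count"] += 1
        s["sources"].add(rec["fields"].get("src"))
        s["last"] = max(s["last"], rec["ts"])
    return list(summaries.values()), retained


def noise_fraction(summaries, retained):
    """Share of raw events that were flood noise: how much of the logging
    tier's capacity the attacker consumed for nothing."""
    noise = sum(s["count"] for s in summaries)
    total = noise + len(retained)
    return noise / total if total else 0.0


if __name__ == "__main__":
    summaries, retained = condense(SAMPLE_LOG.splitlines())
    for s in summaries:
        print(f"{s['host']}: {s['marker']} on {s['target'][0]}:{s['target'][1]}, "
              f"{s['count']} packets from {len(s['sources'])} sources "
              f"({s['first']:%H:%M:%S}-{s['last']:%H:%M:%S})")
    for r in retained:
        print(f"KEEP {r['ts']:%H:%M:%S} {r['host']} {r['proc']}: {r['msg']}")
    print(f"noise fraction: {noise_fraction(summaries, retained):.0%}")
```

On the constructed sample the eight flood lines become one summary, while the privileged SSH login, the outbound connection to port 4444 and the account creation survive as individual events. The same aggregation belongs at the collector or forwarder, before the events reach storage, since the point of the attack is to exhaust exactly that tier.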
Another dark side of DDoS that is growing in popularity is DDoS for Ransom. This should not be confused with ransomware, which encrypts hard drives and file systems and then demands payment for the key to decrypt the data. DDoS for Ransom typically begins with a threat of a pending DDoS attack, most often delivered via email, instructing the victim to deposit a number of bitcoins at a specified address. The note usually promises that an organization that pays will never be extorted by the same group again; nothing binds the extortionists to that promise.
Nearly every organization is looking for a way to deploy effective DDoS defenses while reducing the operational expense these attacks impose. Most of today's DDoS attacks can be defeated with the proper defenses in place.
Most DDoS subject matter experts recommend a hybrid approach to defeating DDoS: on-premises DDoS defenses working in unison with cloud-based mitigation, so that the low-volume, repetitive attacks described above are detected and dropped locally before they reach the logging tier, while large volumetric attacks are scrubbed upstream before they fill the pipe. With a hybrid solution deployed, an organization can be far more confident that its logging tier will keep working through a DDoS attack, and is in a much stronger position to refuse the demands of DDoS for Ransom extortionists.
Stephen Gates is chief research analyst and principal engineer at NSFOCUS International Business. He can be reached at 408-907-6638 or [email protected].
© 2024 ALM Global, LLC, All Rights Reserved.