
Phill Toms Secon Solutions: The Evolution Of DDOS

October 2013 by Phill Toms - Account Director, Secon Solutions

You would have to have been living under a rock for the last few years to have missed the media coverage of denial of service attacks: big names have been compromised and services are routinely disrupted. But things rarely stay the same in IT security for long, so what, if anything, is changing, and what does it mean to you?

Denial of service (DoS) and distributed denial of service (DDoS) attacks have traditionally been a way of restricting or totally blocking a provider's web service, in some cases to cause financial loss and in others simply to publicly shame the target. DDoS is typically thought of as a volumetric attack: one that simply consumes all the resource that your WAN connection, firewall and/or web servers can support.

These attacks tend to exploit the TCP handshake (a SYN flood leaves half-open connections that fill the state tables on a firewall) or drive server CPU usage through the roof. The traffic otherwise looks legitimate to your services, and a well-placed attack can take down high-capacity platforms in short order. Whilst these attacks are still commonplace, the cost of WAN connections has fallen dramatically and cloud and on-premise technologies have improved to the point where this sort of attack should be nothing more than troublesome, provided the company recognises the risk and takes adequate measures against it. Note that it is a common misconception that turning on the DDoS protection feature of your UTM / next-generation firewall will give adequate protection against the majority of attacks: absorbing a volumetric attack takes a lot of computing resource, and the firewall's own state table is exactly what a SYN flood fills, so your firewall will NOT provide the protection you need unless it has massive amounts of spare resource at hand. Any of the standalone IPS / DDoS vendors can demonstrate this easily.

The nature of attacks is changing quickly, however, and the black hats are using ever more effective techniques. Reflection attacks, which abuse DNS, SNMP, NTP and CHARGEN servers (and TCP SYN/ACK responses), have seen something of a resurgence. In a reflection attack the attacker sends requests with the source address forged to be the victim's, so the responses from third-party servers and routers are delivered to the victim's systems; this hides the real attack source and, because the responses are often far larger than the requests, amplifies the volume at the same time. Such attacks are harder to fight than a plain flood but are nonetheless volumetric, aimed at consuming system resource. We are also seeing an ever increasing number of attacks aimed at a particular application, known as application layer or layer 7 attacks. These pass straight through a UTM / next-generation firewall, because each request looks like a valid session, and a handful of well-chosen requests can kill an application.
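As an added example (not code from the article or from Secon Solutions), the following Python script classifies a constructed set of flow records into the two volumetric patterns described above: a SYN flood that leaves half-open connections behind in a firewall's state table, and reflected UDP replies from DNS/NTP/SNMP/CHARGEN ports that the victim never asked for. All addresses, flow records and thresholds are constructed for the example.

```python
"""Added example: spot SYN-flood and reflection traffic in flow records.

The flow records below are constructed for this example (documentation IP
ranges); the thresholds are assumptions, not tuning advice.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by the server port a reply
# comes *from*.  A reply from one of these ports that the victim never requested
# is the fingerprint of a reflection attack.
REFLECTOR_PORTS = {19: "CHARGEN", 53: "DNS", 123: "NTP", 161: "SNMP"}

VICTIM = "203.0.113.10"

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, tcp_flags, bytes)
SAMPLE_FLOWS = [
    # A normal client: SYN, then the ACK that completes the handshake.
    ("192.0.2.5", 51000, VICTIM, 443, "tcp", "S", 60),
    ("192.0.2.5", 51000, VICTIM, 443, "tcp", "A", 52),
    # SYN flood: one source, 200 SYNs from different ports, no handshake ever completes,
    # so each one occupies a slot in the firewall's state table until it times out.
    *[("198.51.100.7", 40000 + i, VICTIM, 443, "tcp", "S", 60) for i in range(200)],
    # The victim's own DNS lookup and the legitimate answer to it.
    (VICTIM, 53311, "192.0.2.53", 53, "udp", "", 70),
    ("192.0.2.53", 53, VICTIM, 53311, "udp", "", 210),
    # Reflection: open resolvers and NTP servers answer queries the attacker sent with
    # the victim's spoofed source address, so large replies land on the victim.
    *[(f"198.51.100.{100 + i}", 53, VICTIM, 80, "udp", "", 3000) for i in range(40)],
    *[(f"192.0.2.{100 + i}", 123, VICTIM, 80, "udp", "", 440) for i in range(30)],
]


def half_open_by_source(flows, threshold=100):
    """Return {src_ip: half-open count} for sources whose SYNs never got an ACK back.

    A SYN with no later ACK on the same 4-tuple is treated as half-open; this is
    the condition that fills a stateful firewall's connection table.
    """
    syns = defaultdict(set)
    acked = set()
    for src, sport, dst, dport, proto, flags, _ in flows:
        if proto != "tcp":
            continue
        tuple4 = (src, sport, dst, dport)
        if "S" in flags and "A" not in flags:      # plain SYN, not SYN/ACK
            syns[src].add(tuple4)
        elif "A" in flags:                          # handshake completed (or data)
            acked.add(tuple4)
    counts = {src: len(keys - acked) for src, keys in syns.items()}
    return {src: n for src, n in counts.items() if n >= threshold}


def unsolicited_reflections(flows, victim):
    """Return {service: (distinct reflectors, bytes)} for replies the victim never requested."""
    # Everything the victim itself asked for: (server, server_port, our_port).
    requested = {
        (dst, dport, sport)
        for src, sport, dst, dport, proto, _, _ in flows
        if proto == "udp" and src == victim
    }
    totals = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for src, sport, dst, dport, proto, _, size in flows:
        if proto != "udp" or dst != victim or sport not in REFLECTOR_PORTS:
            continue
        if (src, sport, dport) in requested:
            continue                                # a reply we actually asked for
        entry = totals[REFLECTOR_PORTS[sport]]
        entry["sources"].add(src)
        entry["bytes"] += size
    return {svc: (len(v["sources"]), v["bytes"]) for svc, v in totals.items()}


if __name__ == "__main__":
    print("half-open SYNs by source:", half_open_by_source(SAMPLE_FLOWS))
    print("unsolicited reflector replies:", unsolicited_reflections(SAMPLE_FLOWS, VICTIM))
```

Two things are worth noticing in the output. The single flooding source shows 200 half-open entries, which is the state-table pressure the text describes; and the victim's own DNS answer from 192.0.2.53 is not counted as reflection because the victim sent the query, which is exactly the check an edge device needs so that it does not drop your own resolver traffic while under attack.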

There is still merit for an attacker in trying to take down a website or service with a volumetric attack; such attacks are increasingly used as a hacktivism technique aimed at publicly shaming or embarrassing the target, and if you are not prepared for them they are still very effective. Today, however, DDoS is increasingly used as a distraction: if you are under a high-volume DDoS attack, look over your shoulder. The last few years of attacks show that DDoS is now a primary tool in advanced persistent threat (APT) style campaigns and in other attacks aimed at stealing intellectual property or commercial information, or even at fraudulently obtaining money, as seen in the recent banking attacks against payment switches.

Such attacks use the DDoS to keep your security team busy whilst SQL injection, directory traversal and cross-site scripting (amongst many other techniques) are used to get at the family jewels, akin to someone mugging you outside your house to stop you from intruding on the guy ransacking your home.
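As an added example (again, not code from the article), here is a Python triage pass over constructed web-server access log lines that separates the two things going on at once in the scenario above: the noisy layer 7 flood that passes the firewall and keeps a team busy, and the handful of SQL injection, directory traversal and cross-site scripting requests hidden inside it. Log lines, addresses, signature patterns and thresholds are all constructed for the example and are far smaller than any real WAF ruleset.

```python
"""Added example: triage access logs during a layer 7 flood.

The log lines and thresholds are constructed for this example; the signature
patterns are deliberately small and are assumptions, not a complete WAF ruleset.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Common/combined log format: ip ident user [time] "METHOD PATH PROTO" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

# Small constructed signature set for the three techniques named in the article.
SIGNATURES = {
    "sqli": re.compile(r"('\s*(or|and)\s+[\w']+\s*=\s*[\w']+|union\s+(all\s+)?select|;\s*--|\bsleep\s*\()", re.I),
    "traversal": re.compile(r"(\.\./|\.\.\\)"),
    "xss": re.compile(r"(<script|javascript:|on(error|load)\s*=)", re.I),
}


def build_sample_log():
    """Constructed log: three bots hammering /search, some real users, and one attacker."""
    ts = "14/Oct/2013:10:03:%02d +0100"
    lines = []
    for i in range(150):
        for ip in ("198.51.100.7", "198.51.100.8", "198.51.100.9"):
            lines.append(f'{ip} - - [{ts % (i % 60)}] "GET /search?q=term{i} HTTP/1.1" 200 48210 "-" "python-requests/2.0"')
    for i in range(20):
        lines.append(f'192.0.2.{10 + i} - - [{ts % (i % 60)}] "GET /products/{i} HTTP/1.1" 200 8123 "-" "Mozilla/5.0"')
    # The three requests that actually matter, buried in the noise above.
    lines += [
        '198.51.100.200 - - [14/Oct/2013:10:03:41 +0100] "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9312 "-" "Mozilla/5.0"',
        '198.51.100.200 - - [14/Oct/2013:10:03:42 +0100] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 213 "-" "Mozilla/5.0"',
        '198.51.100.200 - - [14/Oct/2013:10:03:43 +0100] "POST /comment?text=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    ]
    return lines


def parse(line):
    """Parse one log line into a dict, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, when, method, path, status, _size = m.groups()
    return {"ip": ip, "time": when, "method": method, "path": path, "status": int(status)}


def decode(path, rounds=2):
    """URL-decode a couple of times so double-encoded payloads (%252e%252e) are seen too."""
    for _ in range(rounds):
        path = unquote_plus(path)
    return path


def flood_sources(entries, threshold=100):
    """Sources whose request count alone marks them as the layer 7 flood."""
    counts = Counter(e["ip"] for e in entries)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def injection_attempts(entries):
    """(ip, technique, decoded path) for every request matching a signature."""
    hits = []
    for e in entries:
        decoded = decode(e["path"])
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                hits.append((e["ip"], name, decoded))
    return hits


def triage(lines):
    """Split a batch of log lines into the flood sources and the injection attempts."""
    entries = [e for e in (parse(line) for line in lines) if e]
    return {"l7_flood": flood_sources(entries), "injection": injection_attempts(entries)}


if __name__ == "__main__":
    report = triage(build_sample_log())
    print("flood sources:", report["l7_flood"])
    for ip, kind, path in report["injection"]:
        print(f"{kind:9s} from {ip}: {path}")
```

The point of the split is operational: the three flood sources are what the dashboards will scream about, but the three hits from 198.51.100.200 are the ones that get at the family jewels. Finding them requires decoding and inspecting the request itself, which a pure volume count never does, and which is why the article argues for deep packet inspection alongside the flood mitigation.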

Should I be worried?

Nothing is 100% secure, and as ever we are looking at the same balance between risk, cost and productivity that IT security has always had. Increasingly, however, attacks have moved away from being aimed purely at ecommerce, egaming and finance platforms to a much wider target group that encompasses everything from power stations to construction firms, hedge funds to retail outlets. The risk of DDoS affecting your organisation is increasing and should be re-appraised based on the sort of data you hold. If you hold large amounts of personally identifiable information, payment card data or anything else that would be deemed valuable (we have seen several attacks aimed at stealing high-value bids on real estate and construction projects, for instance), then leaving yourself open to DDoS makes it easy for an attacker using widely available tools to compromise your security and get at that information. It is increasingly important for your DDoS platform to perform the wider deep packet inspection (DPI) more typically associated with an IPS, and to put attacks in context: spotting the cross-site scripting, SQL injection and directory traversal attempts that a pure-play IPS platform is likely to be able to help you with.

If you decide your risk profile deserves more attention, then consider the benefits of a cloud service carefully. A cloud service provides extremely scalable and often very effective protection against a volume-based attack. Experience shows, however, that these days a volumetric attack signals that something else is underway, and an appliance or hybrid option gives you the on-site DPI capability to help identify and prevent the more damaging security event. The on-site element also lets you tackle attacks aimed at layer 7 (application-based attacks, around 25% of all attacks and growing), which cannot be tackled effectively from the cloud alone. It will also help you rein in costs: cloud DDoS services are typically charged as a subscription plus a per-MB/GB usage charge, which leaves you with an open-ended bill driven by the volume of attack traffic you receive.

