We all want to drive more traffic to our websites to convert visitors into leads and then close those leads into customers. Unfortunately, not all traffic is good traffic. Traffic can also be used as a malicious tool against your website.
If you want to understand the whole spectrum of cybercrime, you can't just stop at ransomware and phishing schemes. One attack that has become more and more common across the web in recent years is known as the DDoS, or Distributed Denial of Service, attack. DDoS attacks have been around for more than a decade, but hackers are constantly finding new, innovative ways to strike, whether for monetary gain or simply to assert their cyber-authority. Your clients could be next!
What Is a DDoS Attack?
By now you know that the acronym DDoS stands for Distributed Denial of Service, but what does that really mean? What makes this cybercrime attack unique and so formidable? DDoS for Dummies defines the act as:
DDoS attack: a cyberattack in which many, usually compromised, computers send a series of packets, data, or transactions over a network for the intended attack victim (or victims) in an attempt to make one or more computer-based services (such as web application) unavailable to the intended users; generally result from the concerted efforts of cybercriminals to stop an Internet site from functioning efficiently or at all
DDoS attacks represent a dangerous flavor of denial of service (DoS) attacks, overall. With this variety, two or more hackers or systems can launch the attack. If there's power in numbers, risk increases tenfold when cybercriminals join forces.
Speak Hacker - Bots and Botnets
Before I dive into common infection methods, let's first identify the proper vocabulary.
Bot: an infected computer or device
Botnet: an entire network of compromised devices, or bots
What kind of infections are we talking about? Oh you know, the usual suspects: malware like viruses, worms, Trojans and spyware. DDoS attacks can be launched when hackers remotely control these bots, which are also used to steal data from victims' networks and servers or to send email spam. What's troubling is that hundreds of thousands or even millions of bots can comprise a botnet and go undetected or unresolved for years.
The resiliency of botnets is what makes them even more disquieting. Once your system is compromised, it's very difficult to clean. Not only that, but attackers are in full control of these botnets, which means they can change a bot's behavior if they think you're on to them.
Ways in Which DDoS Attacks Are Executed
Network Layer DDoS Attacks
In this more traditional form, the DDoS attack is executed when an attacker floods a target organization's network with data in an attempt to exhaust that network's available bandwidth. As a result, the volume of connection requests overloads the server as it tries to accommodate all of the network packets, sometimes crashing it entirely. Servers aren't the only infrastructure that can suffer. Network layer DDoS attacks can also affect Internet service provider links, routers, switches and firewalls. Common manifestations include Internet Control Message Protocol (ICMP), SYN and User Datagram Protocol (UDP) floods.
Application Layer DDoS Attacks
DDoS attacks have evolved, and the implications are no joke. This newer variant is referred to as the application layer DDoS attack. These schemes aren't just carried out by sending packets to the target network. Instead, attackers target specific functions of a website, in hopes of disabling them and blocking access to databases.
Application layer DDoS attacks are similar to their network layer counterparts in that the hacker makes repeated requests to try to overwhelm the infrastructure so that it cannot respond to non-malicious connections. Because the attacker is actually communicating with the victim's server, each request consumes more of the server's resources than a bare packet would. These newer attacks are more sophisticated, however, because they often appear to be legitimate website or network traffic. This makes them even harder to detect! For example, just think of a routine request like filling out a webpage form. Would you think anything of it? Another manifestation of application layer DDoS attacks is repeatedly sending different user IDs and passwords to a given login page. Adding to the feeling of false security, these cybercriminals often randomize their attacks so victims can't identify the problem and correct the damage.
Either one of these attacks is enough to crash a business along with its server, but the consequences are especially critical when the two are combined!
How Victims Know When They're Hit with a DDoS Attack
By now, you're probably wondering how you can possibly discover these cyber assaults so as to mitigate the damage, when attackers are cleverly disguising their sinister schemes. Make sure you're on the lookout for the following symptoms:
- slow network performance
- inability to access files or any website
- influx of email SPAM
- disconnection of a wireless or wired Internet connection
- denial of access to any Internet services for a prolonged period of time
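The login-page pattern described under application layer attacks and the symptoms listed above suggest one practical check a defender can run over web server logs. The script below is an added example, not code from the original article: it parses constructed combined-format access log lines (not real traffic), flags any single source that exceeds a per-IP rate of POSTs to a login path, and separately watches the aggregate rate to that path, since a distributed attack can keep every individual bot under the per-IP threshold. The endpoint name, thresholds and sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format regex: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (epoch_seconds, ip, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z').timestamp()
    return ts, m['ip'], m['method'], m['path'], int(m['status'])

def detect_login_flood(lines, path='/login', window_s=60, per_ip_limit=20, aggregate_limit=100):
    """Flag sources whose POSTs to `path` exceed per_ip_limit within a sliding window, and
    count windows in which the aggregate POST rate exceeds aggregate_limit. The second
    check is what catches a distributed attack where each bot stays under the per-IP limit."""
    per_ip, aggregate = defaultdict(deque), deque()
    offenders, aggregate_alerts = set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t, ip, method, req_path, _status = rec
        if method != 'POST' or req_path != path:
            continue
        q = per_ip[ip]
        q.append(t)
        while t - q[0] > window_s:      # drop this source's events older than the window
            q.popleft()
        if len(q) > per_ip_limit:
            offenders.add(ip)
        aggregate.append(t)
        while t - aggregate[0] > window_s:
            aggregate.popleft()
        if len(aggregate) > aggregate_limit and (not aggregate_alerts or t - aggregate_alerts[-1] > window_s):
            aggregate_alerts.append(t)   # one alert per window, not one per request
    return sorted(offenders), len(aggregate_alerts)

def constructed_log():
    """Constructed sample log (not real traffic): one noisy IP hammering /login, fifty
    'bots' that each send only three POSTs, and a few ordinary GETs mixed in."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    events = [(s, '10.0.0.5', 'POST', '/login', 401) for s in range(30)]
    events += [(s, '192.0.2.%d' % j, 'POST', '/login', 401) for j in range(50) for s in range(j % 20, j % 20 + 3)]
    events += [(s, '198.51.100.7', 'GET', '/index.html', 200) for s in range(0, 60, 10)]
    events.sort()
    return ['%s - - [%s] "%s %s HTTP/1.1" %d 512 "-" "Mozilla/5.0"' % (
        ip, (base + timedelta(seconds=s)).strftime('%d/%b/%Y:%H:%M:%S %z'), m, p, st)
        for s, ip, m, p, st in events]

if __name__ == '__main__':
    print(detect_login_flood(constructed_log()))   # (['10.0.0.5'], 1)
```

Only the noisy source trips the per-IP rule, while the fifty low-rate bots are caught solely by the aggregate rule; in production the thresholds should be tuned against a baseline of normal login traffic.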
Why Your SMB Clients Are Prime Targets
While no two clients are identical in size, focus or struggle, all share the same fundamental need to have a functioning website. Why? These sites are customer-facing. That means they can't afford to suffer from loss of availability or service disruptions.
What's to stop their prospects from visiting a competitor's website in the event of an unresponsive website? Are any of your clients B2C? If so, they probably use their website for e-commerce. If their clients and prospects can't access their online store, that's a major hit to revenue. DDoS attacks don't just dish out financial blows, they are also brand-damaging. If their website is down, your clients look unprofessional.
Similarly, consider the sensitive data and personally identifiable information (PII) that these websites store. If your clients' customers don't think this information is secure, they may forgo all future business with that company and encourage others to do the same, with or without a breach.
Are any of Your Clients in the Financial Vertical?
I'm willing to bet the answer to that is yes. As DDoS for Dummies states:
"For online banking and financial transactions, time is quite literally money. Millions of dollars can be lost in minutes if service is slowed or interrupted. In performance-sensitive environments such as transaction processing and high-volume trading, major service interruptions can be catastrophic, both in terms of actual financial loss and damage to the corporate brand."
Banks and other financial institutions need to be able to process large volumes of transactions at high speeds internationally, and they can't do that if service is delayed or eliminated altogether. This isn't just a theory. Bank of America and the New York and Hong Kong stock exchanges are just a few examples of businesses in the financial sector that have been hit with DDoS attacks. Don't let history repeat itself!
DDoS Attacks in the News
For more information on this attack, check out Fortune's article, GitHub triumphant over its 'largest ever' cyber pummeling
Game Over: Lizard Squad's Christmas Day Present
It wasn't just Santa that paid a visit last Christmas morning. The notorious hacking organization, Lizard Squad, gave new meaning to the term remote controller when they sent a series of DDoS attacks to Microsoft's Xbox Live and Sony's PlayStation Network. Lizard Squad's motives are less political than those of the culprits behind the GitHub attack. Many speculate that the hacker organization is simply after the glory, looking for their 15 bytes of fame. One look at their Twitter activity would convince you of this. They want bragging rights and followers, not money. The cold-blooded gang threatened to hold the gaming systems prisoner until enough people retweeted them. Not exactly bone-chilling, but some social networking ploy!
Learn more about Lizard Squad and this nightmare on Christmas by reading The Daily Dot's article, Hackers ruin Christmas gaming fun by taking down Sony and Microsoft's servers
Multicast DNS and DDoS Amplification
As we covered in last Friday's episode of ITrewind, a newly-discovered vulnerability in multicast Domain Name System (mDNS), present in over 100K devices, can be used to amplify DDoS attacks.