Feature

Cyber Terrorism

Dynamic tools for repelling botnet armies

This summer, Peter Gibson, 22, a student from Hartlepool, was charged with taking part in on-line attacks carried out by international hacking group Anonymous.

He is accused of ‘conspiracy to do an authorised act in relation to a computer’ contrary to the Criminal Law Act of 1977. And whilst it is hard not to smile at the Pythonesque legal language, authorities around the world are taking his offence very seriously.

In fact Gibson is only one of dozens of people who have been arrested in recent months for similar activities – 32 in Turkey alone last month – as police and security forces struggle to keep up with a new generation of cyber terrorists.

It is not hard to see why the authorities are concerned. The CIA, the UK’s Serious Organised Crime Agency, Spain’s National Police Force, Bank of America, Sony, WordPress, PayPal, Mastercard, Visa, the governments of Georgia, Ireland, Turkey and South Korea, Twitter, Facebook, WikiLeaks – this is a roll call of well-publicised victims of online attacks or, to be specific, Distributed Denial of Service (DDoS) attacks.

Perpetrators such as the hacking activist groups LulzSec and Anonymous have acquired a curious celebrity. In part this reflects the public mood. There is a sneaking sympathy for what is presented as civil disobedience, especially when it is conducted by ‘harmless teenagers’ in suburban bedrooms and directed at the global capitalist establishment.

The language of DDoS crime has attracted attention, too. From Smurf attacks, Ping floods, Teardrop attacks and the Nuke, to Botnets, Zombie agents and Script Kiddies – what’s not to like?

As a result, the concept of Distributed Denial of Service attacks has entered the mainstream public consciousness.

But ironically, despite the publicity and notoriety, the wider public has little clear idea of what DDoS attacks are, or why, in a world increasingly dependent on internet reliability, they matter a lot.

What are DDoS attacks?
In the simplest terms, a DDoS attack uses malicious code to infect computers, which are then used to mount mass attacks against targeted websites, making them inaccessible to legitimate traffic. DDoS attacks, although unsophisticated, are difficult to defend against.

A DDoS attack is an attempt to make sites unavailable to intended users. Although the means to carry out, motives for, and targets of a DDoS attack may vary (the recent attack on Spain’s national police force was explicitly in retaliation for the arrest of fellow hackers), it generally consists of a concerted effort to prevent an internet site or service from functioning efficiently or at all, temporarily or indefinitely.

One common method of attack involves saturating the target with external communications requests, so that it cannot respond to legitimate traffic, or responds so slowly as to be effectively unavailable.

Despite their recent infamy, DDoS attacks have been wreaking havoc on Internet-based services for years. But significantly, the size and frequency of these attacks have grown dramatically as attackers take advantage of Botnets (collections of compromised computers connected to the internet) and other high-speed internet access technologies to overwhelm their victim’s network infrastructure.

And this trend is accelerating. Research by international DDoS security experts Arbor Networks shows that not only are DDoS attacks getting larger and more frequent, but they are also becoming more sophisticated as they pinpoint specific applications with smaller, more targeted and stealthy attacks.

This means that organisations with internet-facing services must now be prepared to protect themselves from two very different types of DDoS attack: firstly, volumetric DDoS attacks that strive to overwhelm network infrastructure and servers with high-bandwidth flood attacks; and secondly, application-layer DDoS attacks that target specific well-known applications such as Hypertext Transfer Protocol (HTTP), the domain name system (DNS) or Voice over Internet Protocol (VoIP).
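The distinction between the two categories can be seen in what each looks like at the edge of the victim’s network. The following is an added illustration, not code from the article or from any vendor named in it: a small per-source classifier run over constructed request records, where a volumetric source shows up as high bytes per second and an application-layer source as many cheap requests aimed at dynamic pages. The thresholds, addresses and path prefixes are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample records (not real traffic): (second, source, bytes, path),
# one tuple per inbound request seen during a 10-second window at the edge.
SAMPLE = (
    [(s, "198.51.100.7", 1_200_000, "/") for s in range(10)]          # bandwidth flood
    + [(s, "203.0.113.9", 400, "/search?q=%d" % i)                  # many small hits
       for s in range(10) for i in range(40)]                        # to a costly page
    + [(s, "192.0.2.50", 900, "/index.html") for s in range(0, 10, 3)]  # ordinary visitor
)

WINDOW_SECONDS = 10
VOLUMETRIC_BPS = 500_000   # assumed per-source bytes/second; tune to link capacity
APP_LAYER_RPS = 20         # assumed per-source requests/second to dynamic paths
DYNAMIC_PREFIXES = ("/search", "/login", "/api")   # assumed expensive endpoints


def classify_sources(records, window=WINDOW_SECONDS):
    """Return {source: 'volumetric' | 'application-layer' | 'normal'}."""
    per_src = defaultdict(lambda: {"bytes": 0, "reqs": 0, "dynamic": 0})
    for _, src, nbytes, path in records:
        stats = per_src[src]
        stats["bytes"] += nbytes
        stats["reqs"] += 1
        if path.startswith(DYNAMIC_PREFIXES):
            stats["dynamic"] += 1

    verdicts = {}
    for src, s in per_src.items():
        bps = s["bytes"] / window
        rps = s["reqs"] / window
        if bps >= VOLUMETRIC_BPS:
            # Volumetric: the link itself is the target, regardless of what is requested.
            verdicts[src] = "volumetric"
        elif rps >= APP_LAYER_RPS and s["dynamic"] / s["reqs"] >= 0.8:
            # Application-layer: little bandwidth, but the server does work per request.
            verdicts[src] = "application-layer"
        else:
            verdicts[src] = "normal"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE).items():
        print(f"{src:15} {verdict}")
```

A bandwidth-based inline device would catch the first source but not the second, which is why the article treats the two categories as needing different defences.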

New tactics reflect new motives
The cyber threats that have acquired the most public attention have been those that attempt to compromise the networks and systems of businesses and governments globally.

Rather than merely infiltrate and infect the target, the objective now appears to be to cripple, or to demonstrate the ability to cripple, a public-facing web operation by overloading the website delivery infrastructure. We may speculate on the ultimate objectives of these attacks, but what is not in doubt is that a whole swathe of ubiquitous public activity from e-commerce to banking, online recreation to public safety, is at risk.

Web properties are now ingrained in the modern world – in how business is conducted, political positions articulated, citizens served. Consequently, complacency in defending against DDoS attacks is unacceptable, both for potential victims and regulators.

So what to do?
When Internet-facing services go down due to DDoS attacks, the impact can be severe and have several effects.

These variously include lost revenue and profit, lower productivity, higher costs from penalties or breaches of service level agreement (SLA) contracts, and a tarnished reputation or brand.

But despite increased levels of threat and consequence, many organisations are still relying on antique security products such as firewalls and intrusion prevention systems (IPS) to protect themselves from DDoS attacks. These no longer suffice.

This issue becomes even more acute in the always online, always available environment of Cloud computing – and it is fundamental to the business case of a new generation of Cloud service providers that they can offer the levels of security and connectivity that a virtualised infrastructure implies.

The traditional response to this dilemma has been over-provision – investment in sufficient website delivery infrastructure to not only serve the legitimate traffic but also to accommodate the demands of the attackers.

Over-provision as insurance against attack is expensive – at the very least everything in the website delivery infrastructure, from the web servers, routers, switches and load balancers to the bandwidth itself, would have to be duplicated.

And ironically, over-provision works for the attackers too, since the extra capacity is there to absorb their traffic as much as that of legitimate users – so it can be an own goal.

Similarly, there is a plethora of specialised appliances available that offer protection of sorts. They are generally deployed near the network firewall and in the direct flow of network traffic. These inline appliances view all inbound traffic and do complex technical inspection of it, looking for intrusion.

The problem with these appliances is that as the volume of DDoS attacks rises, and the complexity and sophistication of the attack signatures and profiles increases, they struggle to keep up and can cause bottlenecks. Perversely, they can be an involuntary contributor to the attackers’ objective of slowing or disrupting the normal flow of traffic.

So, given the general assumption that high-volume DDoS attacks will continue to grow, the network owner is caught in a continuous cycle of upgrading both appliances and bandwidth, which is why the concept of managed-services protection against DDoS is gaining traction.

Managed services protection
Managed service providers (MSPs) tend to operate like this: once an attack is detected, inbound website traffic is redirected to globally distributed ‘scrubbing centres’ for mitigation (the process of examining the web traffic and data to confirm the existence of spurious traffic and remove it).

Rather than redirecting to a scrubbing centre located in your ISP’s network, website traffic is redirected to an internet-based centre unassociated with the website-serving ISP.

Whilst not even specialised DDoS MSPs can guarantee client system availability, some do provide an assurance of 99.999 per cent availability on their infrastructure – and financial compensation against that 0.001 per cent calamity.

For web-based businesses, that does offer them and their customers a degree of confidence, and it gives beleaguered internal IT departments some expert relief.

And the uncomfortable fact is that as more organisations become web-dependent, so the means to launch a DDoS attack against them is only likely to rise.

The number of potentially vulnerable internet-connected devices is growing exponentially around the world. Smartphones, netbooks and e-readers – devices always on, or in frequently-connected mode – these are a Botnet army in waiting.

Peter Gibson and friends will not be alone in hijacking them. Only DDoS Managed Service Providers are likely to stand in their way.

About the author
Paul Steadman is CEO of Adversor, a company providing True Dynamic Mitigation against DDoS attacks in applications where server availability is of critical importance. Customers include major banks and financial institutions, telecommunications operators, gaming and betting businesses, Internet hosting companies and e-tailers.

Paul is a chartered accountant who has held the posts of chairman, managing director and financial director in numerous service based small and medium sized enterprises where he has successfully implemented growth and recovery strategies.

For more information
www.adversor.net
