It's time to research new ways to fight DDoS attacks

Survey: 61 per cent of businesses felt it was the responsibility of their own IT departments and management teams to defend them against DDoS attacks

Almost one in five (18 per cent) businesses experienced a distributed denial-of-service (DDoS) attack within a 12-month period, according to the Global IT Security Risks Survey 2014 - Distributed Denial of Service (DDoS) Attacks from Kaspersky Labs and B2B International.

The data applies to the period from April 2013 to May 2014. The survey's 3900 respondents represented very small to very large companies from 27 countries.

According to the same survey, on average, 61 per cent of businesses felt it was the responsibility of their own IT departments and management teams to defend them against DDoS attacks. Twenty-one per cent of those surveyed believed it was the responsibility of their network service provider or their website/hosting provider to protect them from the threat of Distributed Denial of Service.

"Large businesses were much more likely to rely on internal resources, whereas small businesses were more likely to expect help from these external service providers," the Kaspersky / B2B International survey said. But none of these parties, whether NSPs, web hosts, IT departments or enterprise management teams, is necessarily equipped to mitigate a DDoS attack.

The survey puts the damage from a single DDoS incident at up to $444,000. It pays enterprises to revisit their assumptions about who should fight DDoS attacks, and to act on the answer.

This couldn't be more true given that criminal hackers are already weaponizing IoT devices to add them to the botnets they use to launch these attacks, making the onslaught of DDoS larger and more complex. Case in point, the hacker group known as the Lizard Squad used a botnet of personal home routers to launch a DDoS attack on both the PlayStation Network and Xbox Live, according to Dave Larson, CTO, Corero Network Security.

With a current installed base of active wireless connected devices exceeding 16 billion last year and projected to reach 40.9 billion by 2020, according to ABI Research, the number of devices certainly warrants sounding the alarm on the potential size of IoT enabled DDoS botnets.

How big is the threat posed by DDoS attacks that use botnets that include IoT devices? Are NSPs, webhosts, and internal resources enough to combat these attacks?

The threat of DDoS with IoT botnets

DDoS attacks have grown in size and complexity as hackers add IoT devices to the machines they already incorporate into their botnets. IoT device fleets give criminal hackers access to virtually unlimited botnet armies.

Attackers are using rootkits with weaponized payloads to infect the embedded Linux that runs on ARM-based IoT devices such as phones, thermostats and smart appliances. Given the sheer number of such devices, 16 billion per the ABI Research figure above, IoT botnets could grow to many times the size of legacy botnets.

Case in point: a series of large botnet campaigns, run by foreign hackers from September of last year through at least February, recruited IoT devices worldwide alongside x86 servers running Linux.

Based on the attack source code, the command-and-control IP addresses and the payload, the campaigns appeared to be a new vector for spreading a variant of an ELF DDoS'er (a Linux ELF binary built to launch DDoS attacks), according to a blog post from the anti-malware research group Malware Must Die!, which first uncovered them.

Here is the story of one series of these attacks. On Nov. 15, 2014, a botnet began hitting FireEye servers with brute-force SSH login attempts, according to "Anatomy of a Brute Force Campaign: The Story of Hee Thai Limited" from FireEye. By the close of January, the botnet had made almost 1 million login attempts against each server, and during this period the attacks accounted for nearly two-thirds of all traffic to port 22 (SSH) on those servers, according to FireEye data.

According to FireEye, the China-based group behind the attacks, Hee Thai Limited, used the SSH brute-forcing campaign to install the XOR.DDoS malware on the systems it broke into. Unlike most DDoS bots, XOR.DDoS is multi-platform: its C/C++ source can be recompiled for new targets, and FireEye had seen builds for at least 41 different platforms.

Why NSPs, web hosts and internal resources aren't enough

Some large NSPs, the big telcos for example, offer cloud-based services that reroute customer traffic through scrubbing centres to strip out DDoS traffic. But an enterprise that uses two or more Internet providers, to satisfy regulatory requirements for example, is only as well protected as its weakest provider: every one of them must be able to handle today's large and complex attacks.

"Not all large telcos have efficient protection against these sophisticated layer-7 attacks," said Evgeny Vigovsky, Head of Kaspersky DDoS Protection, Kaspersky Labs.

Volumetric attacks, those that consume more bandwidth than the enterprise's Internet links provide, can only be absorbed upstream of the target by a mitigation service with far more capacity than the target itself. Web hosts, IT departments and enterprise management teams do not have that capacity, so they are equally unprepared to filter out such traffic on their own.

"When bots act like real users, such as with making login attempts, businesses must have extremely granular tools and accompanying experts to detect and filter out sophisticated DDoS attacks while ensuring a low rate of false positives," said Vigovsky. These layer-7 / application layer attacks can be too complex for NSPs that don't have the proper resources.

Mitigating the morphing DDoS botnet attack landscape

Specialists dedicated to anti-DDoS protection are an alternative to big telcos. There are several firms in this field such as Kaspersky Labs, Corero Network Security, Imperva's Incapsula, and Akamai's Prolexic. Such anti-DDoS providers should have cleaning / scrubbing centers, anti-DDoS experts, and anti-DDoS as a core business, said Vigovsky.

Traffic differentiation is an important part of what anti-DDoS firms can offer. To determine whether incoming traffic is malicious, enterprises must differentiate between solicited and unsolicited traffic, IP addresses that are and are not part of the user base, and baseline and anomalous traffic behaviors, according to Larson.
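The three distinctions Larson lists (known user base vs. unknown sources, a per-source rate vs. a limit, and aggregate traffic vs. a learned baseline) can be applied to ordinary web-server logs, and doing so shows why Vigovsky's "bots acting like real users" case is hard: thirty sources making two login attempts each look harmless one at a time. The example below is added here to illustrate both points and is not code from the article or from any of the vendors it quotes. It assumes an Apache/nginx combined access-log format, constructed sample lines using RFC 5737 documentation addresses, and an assumed list of user-base IPs; the thresholds (per-IP limit, surge factor) are illustrative choices.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/nginx "combined" access-log format. Only the fields this example uses
# are captured; the regex is an assumption about the reader's log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Return the fields of one log line, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def _events(lines, path):
    return [e for e in map(parse, lines) if e and e["path"] == path]


def _rate(events):
    """Requests per second over the span covered by `events` (minimum span 1 s)."""
    if not events:
        return 0.0
    span = (max(e["ts"] for e in events) - min(e["ts"] for e in events)).total_seconds()
    return len(events) / max(span, 1.0)


def baseline_rate(lines, path):
    """Learn the normal request rate to `path` from a window known to be quiet."""
    return _rate(_events(lines, path))


def triage(lines, path, known_users, baseline_rps, per_ip_limit, surge_factor=5.0):
    """Differentiate traffic to `path` on three axes: membership of the known
    user base, per-source count against a per-IP limit, and aggregate rate
    against the learned baseline."""
    events = _events(lines, path)
    per_ip = Counter(e["ip"] for e in events)
    aggregate = _rate(events)
    surge = baseline_rps > 0 and aggregate >= surge_factor * baseline_rps
    unknown = sorted(ip for ip in per_ip if ip not in known_users)
    return {
        "aggregate_rps": round(aggregate, 3),
        "surge": surge,
        "known_sources": sorted(ip for ip in per_ip if ip in known_users),
        "unknown_sources": unknown,
        # Sources a naive per-IP rate limit would block on its own.
        "per_ip_flagged": sorted(ip for ip, n in per_ip.items() if n > per_ip_limit),
        # Unknown sources that stay under the per-IP limit but together drive the
        # surge: the distributed "bots acting like real users" case a per-IP rule misses.
        "low_and_slow_unknown": [ip for ip in unknown if per_ip[ip] <= per_ip_limit] if surge else [],
    }


def _line(ip, second, path="/login", status=401):
    """Constructed combined-format log line; all samples fall inside one minute."""
    return f'{ip} - - [10/Mar/2015:12:00:{second:02d} +0000] "POST {path} HTTP/1.1" {status} 512'


# Constructed sample data; the user-base list is an assumption for the example.
KNOWN_USERS = {"198.51.100.10", "198.51.100.11", "198.51.100.12"}

# Quiet window: three known users, six successful logins spread over 50 seconds.
QUIET_LOG = [_line(ip, s, status=200) for ip, s in
             zip(sorted(KNOWN_USERS) * 2, (0, 10, 20, 30, 40, 50))]

# Attack window: 30 unknown sources, two failed attempts each, plus two real users.
ATTACK_LOG = ([_line(f"203.0.113.{i + 1}", i) for i in range(30)]
              + [_line(f"203.0.113.{i + 1}", i + 30) for i in range(30)]
              + [_line("198.51.100.10", 5, status=200), _line("198.51.100.11", 45, status=200)])


if __name__ == "__main__":
    baseline = baseline_rate(QUIET_LOG, "/login")
    print(triage(ATTACK_LOG, "/login", KNOWN_USERS, baseline, per_ip_limit=10))
```

Run against the constructed attack window, a per-IP limit of 10 flags nobody, while the aggregate login rate is almost nine times the quiet-window baseline and all of the excess comes from addresses outside the user base. That combination, rather than any single counter, is what a scrubbing service has to act on; in production the baseline would be learned per hour of day and per endpoint, and the user-base check would consult real session or account data rather than a static set.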

Enterprises must then harden the network edge. Because attacks of different sizes serve different purposes (a small attack may exist only to provide cover for an APT, for example), the enterprise should be prepared to mitigate attacks of every size, type and complexity.

"Our recommendation is to use hybrid cloud and on-premise DDoS mitigation strategies," said Larson. On premises, that means layered security measures, including a network-edge appliance dedicated to DDoS protection that inspects packets in real time.

The secondary element of protection is a tightly-coupled signal between the on-premise edge appliance and the cloud DDoS protection provider, said Larson. "In cases where an attack is larger than your available bandwidth and will stop all your traffic, you need to reroute traffic through the cloud-based scrubbing element in real-time."

Investigate your options

Where on-premises DDoS tools or NSP resources are not enough to combat these new, larger attacks, a number of DDoS protection firms specialise in this area, each with its own approach. Examine and compare them before making a selection.

Stories by David Geer