According to security research organizations, Distributed Denial of Service (DDoS) attacks are becoming more frequent today than they've ever been. Thousands of DDoS attacks are executed every day. In the final quarter of 2015, DDoS attacks globally rose by 85 percent compared to 2014; and up to 1/3 of all downtime incidents are attributed to DDoS attacks. Not only are they becoming more prevalent, they are getting more dangerous as they have grown in magnitude and are increasingly being combined with extortion schemes.
A DDoS attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. DDoS attacks succeed by flooding your bandwidth or exhausting your server resources so that customers cannot access your website, Web services or Web applications.
In a world where customers demand 24/7 service, a DDoS attack can be disastrous. As a modern business, your website is your virtual shop front, and to say that downtime in online services will be detrimental to your bottom line is something of an understatement. Think of the lost sales and the damage to customer trust and to your reputation.
DDoS is becoming the attack of choice for hackers because it requires less effort from threat actors than writing advanced malware or conducting long-term network penetration campaigns. The attacker profile is also expanding rapidly, as nation-states, criminal organizations and hacker activist groups (called hacktivists) are now also using DDoS attacks against selected targets.
Attackers can build networks of infected computers, known as "botnets," by spreading malicious software through emails, websites and social media. Once infected, these machines can be controlled remotely, without their owners' knowledge, and used like a "zombie army" to launch an attack against any target.
Some botnets are millions of machines strong and can generate huge floods of Internet traffic to overwhelm a target. These floods can be generated in multiple ways, such as sending more connection requests than a server can handle, or having computers send the victim huge amounts of random data to use up the target's bandwidth. This effectively makes it impossible to stop the attack simply by blocking a single IP address. It is also very difficult to distinguish legitimate user traffic from attack traffic when it is spread across so many points of origin.
Threat actors have also developed new methods that have yielded sharp increases in the scale of DDoS attacks, infecting a greater number of computers with which to generate greater amounts of network traffic. In 2005, the largest observed DDoS attacks were 9 Gigabits per second (Gbps). This number grew to 100 Gbps by 2010, and then to 400 Gbps in 2014. The number of potentially bot-infected devices on the Internet will only continue to rise, considering the explosive growth of smartphones and the "Internet-of-things" trend that will network everything from small appliances to automobiles.
Specialized online marketplaces now exist to buy and sell botnets or individual DDoS attacks. Using these underground markets, a hacker can pay a nominal fee to silence websites they disagree with or disrupt an organization's online operations. A week-long DDoS attack, capable of taking a small organization offline, can cost as little as $150.
While DDoS attacks were initially the work of amateurs and were looked at as more of an operational or business continuity issue, an increasing number of criminal organizations are launching these attacks as a smokescreen for a more sinister cyberattack or for ransom.
There have been an increasing number of incidents in which an organization receives an email that says something like this:
We are [Criminal Group]
All your servers will be DDoS-ed starting Friday if you don't pay XX Bitcoins @bitcoinaddress
When we say all – and we mean all – users and customers will not be able to access your sites at all.
Right now we will start 30 minutes attack on your site's IP address @yourcompany.com. It will not be hard, we will not crash it at the moment to try to minimize eventual damage, which we want to avoid at this moment. It's just to prove that this is not a hoax. Check your logs!
This ransom email is followed by a small-scale DDoS attack that can last from 30 to 60 minutes. After 24 hours, if the ransom is not paid, the attacks increase and can last many hours (or days).
When it comes to defending against DDoS attacks, common tactics to make your network less vulnerable to disruption include:
- Working with your ISP/Internet hosting provider or investigating the use of a Managed DDoS Service Provider so they can be ready to provide traffic filtering/packet scrubbing services, IP blocking and additional bandwidth to help mitigate any disruption
- Network segmentation - Dividing your network into discrete segments, and separating public and internal systems from each other, each protected by a separate firewall, to maintain internal services even during a full-blown attack targeted at public systems
- Managing load balancing and bandwidth - most often used to manage legitimate traffic volumes during busy periods, but can also be a powerful weapon against DDoS attacks
- Using next-generation firewalls that can use geographic IP (GeoIP) blocking to quickly identify any unnatural traffic patterns that could signal the start of a denial-of-service attack. If an organization that has no trading relationships in North Korea suddenly receives volumes of traffic originating from that country, it is likely to be malicious activity. IP addresses from this and similar countries can then be blocked, using the GeoIP capability to act as a "border control."
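The GeoIP "border control" idea above can be checked against your own connection logs before a firewall rule is written. The following added example (not code from the original article) takes constructed firewall log lines of the form "timestamp source-IP country", finds, for each country outside an assumed set of expected trading countries, the peak number of connections in any one-minute window, and reports the countries that exceed a threshold together with how many distinct source addresses were involved, which is the clue that blocking single IPs will not work. The expected-country set, the threshold and the sample traffic are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the countries this business actually trades with.
EXPECTED_COUNTRIES = {"US", "GB", "DE"}


def build_sample_log():
    """Constructed firewall log, one 'ISO-timestamp src_ip country' per line:
    five minutes of normal US/GB traffic (10 connections per minute), then a
    one-minute burst of 200 connections from 200 distinct KP addresses."""
    t0 = datetime(2016, 3, 4, 10, 0, 0)
    lines = []
    for minute in range(5):
        for i in range(10):
            cc = "US" if i % 2 == 0 else "GB"
            ts = t0 + timedelta(minutes=minute, seconds=i * 6)
            lines.append(f"{ts.isoformat()} 203.0.113.{i + 1} {cc}")
    for i in range(200):
        ts = t0 + timedelta(minutes=5, milliseconds=i * 300)
        lines.append(f"{ts.isoformat()} 198.51.100.{i + 1} KP")  # distinct sources
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into (datetime, source_ip, country_code) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, cc = line.split()
        events.append((datetime.fromisoformat(ts), ip, cc))
    return events


def suspicious_countries(events, window_seconds=60, threshold=50):
    """Countries outside EXPECTED_COUNTRIES whose peak per-window connection
    count exceeds threshold. Returns [(country, peak_count, distinct_ips)]
    sorted by peak count, largest first."""
    counts = defaultdict(lambda: defaultdict(int))   # country -> window -> hits
    sources = defaultdict(lambda: defaultdict(set))  # country -> window -> IPs
    for ts, ip, cc in events:
        window = int(ts.timestamp()) // window_seconds
        counts[cc][window] += 1
        sources[cc][window].add(ip)
    flagged = []
    for cc, windows in counts.items():
        if cc in EXPECTED_COUNTRIES:
            continue
        peak_window, peak = max(windows.items(), key=lambda kv: kv[1])
        if peak > threshold:
            flagged.append((cc, peak, len(sources[cc][peak_window])))
    return sorted(flagged, key=lambda item: -item[1])
```

Run against real logs, the output is a shortlist for a GeoIP block rule rather than a rule in itself; the threshold should come from the site's own baseline traffic per country.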
The "resurrection" of this threat has created yet another headache for the Chief Information Security Officer. While your organization may have taken all the necessary precautions against other security risks such as cyber-attacks or malicious hacking, a DDoS attack could render those precautions immaterial simply because too many botnet "zombies" are knocking at your door at the same time. Take action to keep them away!