It’s difficult to imagine a noisier attack than a distributed denial-of-service attack. They’re an ever-present threat to banks and other businesses where the uptime of Web-based services is critical to customers and the well-being of an enterprise. And as a handful proved throughout 2013, they are growing in scale and sophistication.
Hackers have found new ways to fire unprecedented amounts of bad traffic at websites. For the most part, the motivations in such attacks have been political, social, and even personal. Hacktivists with a cause, such as the al Qassam Cyber Fighters took out their political and religious angst against American banks in protest of movie trailer on YouTube they deemed offensive to Muslims. Attackers from a Dutch webhost took down Spamhaus in retaliation for being put on a spam blacklist by the organization.
But what of profit-motivated criminals who use DDoS as a weapon? A report from telecommunications and DNS service provider Neustar indicates a growing trend of using DDoS as a cover for malware attacks resulting in significant monetary losses for not only enterprises, but consumers as well.
Rodney Joffe, senior vice president and senior technologist, said Neustar has been able to verify with a number of its customers that they’ve also suffered loss of intellectual property or financial fraud in parallel attacks done under the cover of DDoS.
“If a DDoS runs for a short period of time, you’ve got look at it as to whether they’re there to cover something up,” Joffe said. “You dig under the covers and discover theft of intellectual property or financial fraud. The bad guys are using this effectively.”
Joffe said that a typical scenario involves DDoS against a bank that has already been compromised by some sort of financial malware such as Zeus or its offshoot Citadel, affording the hackers the opportunity to transfer funds from accounts. The DDoS attack serves a twofold purpose; not only to keep security operations busy trying to squelch the attack and restore services, but also to keep customers from logging in to accounts and learn that funds are missing.
“It looks like a DDoS against the bank, but it’s designed to cover transfers made by the attackers,” Joffe said, who said that sometimes DDoS attacks are also carried out against an organization’s VoIP phone systems in order to keep customers from reaching help internally.
“When a DDoS is launched, it’s all hands on deck,” Joffe said. “Security folks are concentrated on getting services back up; they’re likely to miss packets dropping malware.”
These attacks are generally shorter and use smaller traffic volumes (1 Gbps to 5 Gbps) to take down services. Shorter attacks where services are down for hours rather than days are an indication of a possible secondary attack resulting in theft. Other clues, Neustar said, is the lack of a message or ultimatum from the attackers. The Neustar report says that 55 percent of DDoS targets were also victims of theft. In half of those attacks, malware was installed allowing further access to the network.
These attacks come at great expense, in addition to loss. Neustar says close to 30 percent of victims lose more than $100,000 per hour in IT, security, call center and other costs while services are down or interrupted.
The report also looks at the evolution of high-bandwidth attacks from the use of botnets of home machines, to DNS and NTP amplification attacks racing volumes upwards of 400 Gbps. Amplification attacks have changed the paradigm of DDoS attacks, with hackers figuring out they can compromise bandwidth-heavy enterprise-grade servers and using a few of those rather than 100,000 home machines to send traffic at a target.
“Home machines could be sandboxed or blocked by an ISP if they are misbehaving. It’s a $25 or $50 a month service,” Joffe said. “It’s much more difficult going to an enterprise spending $100,000 a month with an ISP or carrier and turn them off. Al Qassam Cyber Fighters realized that and started compromising enterprise-level systems with lots of bandwidth. It’s much more efficient, but the downside is when you lose a machine, you’re losing a gigabyte of bandwidth.”
DNS and NTP amplification attacks, meanwhile, are not abating. Neustar said it has already mitigated more than twice as many DDoS attacks at more than 100 Gbps than all of last year.
“We in the industry recognize we will never overcome the scale issue,” Joffe said. “As we add more bandwidth in the business world, the bad guys get to use more of our bandwidth against us. It’s a no-win game from a bandwidth point of view.”