This post looks at DDoS meaning, history and attacks. It includes some DDoS prevention tips to consider in your ISMS. DDoS is a common form of cyber-attack that you should prepare for and recognise.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) are related cyber-attacks but with essential differences regarding the attack source and scale. The “DoS” part of both is designed to prevent legitimate access to network devices, systems and resources.
Depending on the type of network service or asset that is under attack, the symptoms and consequences can include:
When it comes to DDoS, the “Distributed” element means that multiple systems (represented by IP addresses) are attacking the network service as opposed to there being just one single attack source. This can make the attack more effective and more challenging to resolve.
Monitoring will identify DDoS activity.
DDoS most often intends to rapidly overload the targeted service with information, data packets or requests to the point that it cannot cope and no new connections (logon sessions, web sessions, email transmissions etc.) are possible.
A common way of achieving this distribution of “attackers” is by networking computers together into a botnet. Derived from roBOT NETwork, botnets flood the target with repeated requests for access, continual transmission of data or spam email.
The computers in a botnet are infected with malware allowing the attacker to take command and control. They are then used in the attack, often without the knowledge of the system owner. Computers and devices that are weak, vulnerable or have not had default security credentials changed are rich pickings to be co-opted as part of a botnet. Malware-infected systems like these are often traded on the dark web for assembly into botnets.
The rise of the Internet of Things (IoT) is driven by mundane devices that never previously required an internet connection. Devices such as the ubiquitous “connected fridge” are thought to be part of the growing botnet problem. Typically, these devices are weak and vulnerable to attack, and there are lots of them: perfect for creating a botnet if all you need is a way to send network packets.
This article from ITPRO is useful in describing how DDoS and other “Cyber threats are now industrialised, agile and well-equipped”.
American universities first demonstrated the intentional misuse of written commands within early shared networks in the mid-1970s. They proved that other terminals could be instructed remotely to do something unexpected (e.g. shut down, reboot, log off the current user etc.).
However, it was the Morris worm of 1988 that is thought to be the first true DoS attack delivered by use of the internet. The Morris worm pre-dated the World Wide Web (invented 1989) when the internet was still largely a network used by academia, the military and research establishments.
The Morris worm code relied on being able to execute commands on different UNIX computers. It exploited a vulnerability in those machines through which it would report back to the source to indicate its availability, a form of asset discovery and acknowledgement.
Crucially, the worm was designed to check if the targeted computer already had any Morris worm code installed and running on it. If the answer was no, then the worm would deploy on the machine. The problem was that the threshold for whether the answer was “yes” or “no” was incorrectly estimated; consequently the code replicated itself approximately 14% of the time even where the answer was yes.
The effect of the Morris worm was that the code created many more copies of itself on vulnerable systems than originally intended, causing computers to fail as processing capacity became exhausted. Modern DoS attacks have a similar outcome, and the DDoS variants magnify this by utilising a large number of separate attack launchers.
There are three broad categories to classify DDoS, meaning that cyber security preparations and defences need to account for all of them.
Volume based attacks – Using enormous amounts of traffic against a target. This common DDoS attack aims to absorb the bandwidth of a site’s network and systems and so block any other access.
Protocol attacks – Designed to exploit a weakness and consume the processing capability and resources of the target server, or something that directly protects the target such as a firewall. It does not target the available bandwidth. You will see attacks such as SYN floods and Ping of Death, attacks that overwhelm targets and make them unresponsive.
Application attacks – Seeking to exploit known weaknesses and vulnerabilities within applications themselves. Application attacks are considered to be the most sophisticated type of DDoS attack to deploy. The attacker makes a connection into the targeted application and then exploits application processes and transactions to exhaust the host server. The aim is to crash web services by making a large number of requests that look legitimate.
Some DDoS attacks are used in combination to increase their complexity and potential impact. Sometimes the purpose is distraction and misdirection that divert the attention of security personnel whilst other cyber-attacks are being deployed.
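To make the three categories above concrete from a monitoring point of view, here is an added example (not code from the original post) that classifies a window of constructed connection records as volume, protocol (SYN flood pattern) or application-layer abuse, and reports whether the traffic is distributed across many sources or comes from a single one. All thresholds, field names and sample addresses are illustrative assumptions, not values from the post.

```python
"""Toy DDoS-category detector over constructed connection records (added example)."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Record:
    src: str            # source IP address
    flags: str          # TCP flags seen: "S" = SYN only (half-open), "SA" = handshake completed, "" = non-TCP
    nbytes: int         # bytes sent by the source on this connection
    http_requests: int  # application-layer requests completed on this connection


# Illustrative thresholds for a 10-second observation window (assumed, tune to your baseline).
WINDOW_SECONDS = 10
VOLUME_BPS_LIMIT = 50_000_000    # 50 MB/s: link saturation, the "volume based" category
HALF_OPEN_RATIO_LIMIT = 0.8      # share of connections that never complete the handshake
APP_REQ_PER_SRC_LIMIT = 200      # requests per source per window on completed sessions
DISTRIBUTED_MIN_SOURCES = 20     # fewer distinct sources than this looks like plain DoS


def classify(records: list[Record]) -> dict:
    """Return the DDoS categories indicated by the window plus a distributed/single-source flag."""
    sources = Counter(r.src for r in records)
    total_bytes = sum(r.nbytes for r in records)
    half_open = sum(1 for r in records if r.flags == "S")
    app_requests = Counter()
    for r in records:
        if r.flags != "S":                      # only completed sessions can issue requests
            app_requests[r.src] += r.http_requests
    findings = []
    if total_bytes / WINDOW_SECONDS > VOLUME_BPS_LIMIT:
        findings.append("volume")               # bandwidth exhaustion regardless of protocol
    if records and half_open / len(records) > HALF_OPEN_RATIO_LIMIT:
        findings.append("protocol")             # SYN flood pattern: connection table filling up
    if any(n > APP_REQ_PER_SRC_LIMIT for n in app_requests.values()):
        findings.append("application")          # plausible requests, but far too many per source
    return {"categories": findings, "sources": len(sources),
            "distributed": len(sources) >= DISTRIBUTED_MIN_SOURCES}


# Constructed sample windows (not captured traffic).
def volume_sample() -> list[Record]:
    return [Record(f"203.0.113.{i}", "", 20_000_000, 0) for i in range(30)]

def syn_flood_sample() -> list[Record]:
    return [Record(f"203.0.113.{i}", "S", 60, 0) for i in range(50) for _ in range(100)]

def app_flood_sample() -> list[Record]:
    return [Record("198.51.100.7", "SA", 400_000, 5_000)]

def normal_sample() -> list[Record]:
    return [Record(f"192.0.2.{i}", "SA", 12_000, 8) for i in range(1, 6)]
```

The single-source application flood is flagged but not marked distributed, which is the DoS versus DDoS distinction the post draws: the same category of abuse, but a very different number of sources to block.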
Mirai malware (“future” in Japanese) was found in 2016, when it targeted significant volumes of traffic at Dyn, a company that provides Domain Name System (DNS) services to other organisations. This is the reason that this type of attack is more formally known as “DynDNS”. It is used to create and control botnets of computers including IoT devices that are weakly defended by default security credentials. Mirai is thought to have co-opted and made use of Digital Video Recorders in particular.
DNS is required to tie IP addresses to website names, making it easier for the user as they do not have to remember a string of IP numbers to access sites.
Mirai botnets rapidly flooded Dyn with millions of “lookup” requests, which were quickly followed by TCP protocol attacks seen over a number of days. The TCP attacks attempted to make servers incapable of answering legitimate requests. The attack may have denied service to legitimate users for only a few hours, but it was long enough to draw worldwide attention and impact high profile organisations including Twitter, Sony PlayStation and Spotify.
There are a number of reasons an attacker might employ DDoS techniques against your organisation, which means you need to prepare defences and be aware of them in your ISMS:
In order to prevent DDoS attacks from impacting your ISMS, you should consider the following: