ISMS Essentials: DDOS Meaning, Motivation and Prevention
This post looks at DDoS meaning, history and attacks. It includes some DDoS prevention tips to consider in your ISMS. DDoS is a common form of cyber-attack that you should prepare for and recognise.
DDoS meaning: The difference to DoS
Denial of Service (DoS) and Distributed Denial of Service (DDoS) are related cyber-attacks but with essential differences regarding the attack source and scale. The “DoS” part of both is designed to prevent legitimate access to network devices, systems and resources.
Depending on the type of network service or asset that is under attack, the symptoms and consequences can include:
- The sudden appearance of high volumes of spam email or other traffic
- Slow running and freezing of an attacked service within your infrastructure (e.g. an application or database)
- Unavailability of services that affect people outside your organisation (e.g. public facing web pages)
- Social media reports of pages/sites/apps being slow or unresponsive or giving server errors.
When it comes to DDoS, the “Distributed” element means that multiple systems (represented by IP addresses) are attacking the network service as opposed to there being just one single attack source. This can make the attack more effective and more challenging to resolve.
Monitoring is what identifies DDoS activity in practice; the symptoms above are the indicators to watch for.
DDoS meaning: Multiple attack sources, botnets and IoT
DDoS most often intends to rapidly overload the targeted service with information, data packets or requests to the point that it cannot cope and no new connections (logon sessions, web sessions, email transmissions etc.) are possible.
A common way of achieving this distribution of “attackers” is by networking computers together into a botnet. Derived from roBOT NETwork, botnets flood the target with repeated requests for access, continual transmission of data or spam email.
The computers in a botnet are infected with malware allowing the attacker to take command and control. They are then used in the attack, often without the knowledge of the system owner. Computers and devices that are weak, vulnerable or have not had default security credentials changed are rich pickings to be co-opted as part of a botnet. Malware infected systems like these are often traded on the dark web for assembly into botnets.
The rise of the Internet of Things (IoT) is driven by mundane devices that never previously required an internet connection. Devices such as the ubiquitous “connected fridge” are thought to be part of the growing botnet problem. Typically, these devices are weak and vulnerable to attack, and there are lots of them; perfect for creating a botnet if all you need is a way to send network packets.
This article from ITPRO is useful in describing how DDoS and other “Cyber threats are now industrialised, agile and well-equipped”.
DDoS meaning: Quick history and ISMS Impacts
American universities first demonstrated the intentional misuse of written commands within early shared networks in the mid-1970s, proving that other terminals could be remotely instructed to do something unexpected (e.g. shut down, reboot, log off the current user).
However, it was the Morris worm of 1988 that is thought to be the first true DoS attack delivered by use of the internet. The Morris worm pre-dated the World Wide Web (invented 1989) when the internet was still largely a network used by academia, the military and research establishments.
The Morris worm code relied on being able to execute commands on different UNIX computers. It exploited a vulnerability in those machines and would report back to the source to indicate their availability, a form of asset discovery and acknowledgement.
Crucially, the worm was designed to check whether the targeted computer already had Morris worm code installed and running. If the answer was no, the worm would deploy on the machine. The problem was that the threshold for deciding between “yes” and “no” was incorrectly estimated; consequently the code replicated itself approximately 14% of the time even where the answer was yes.
The effect of the Morris worm was that the code created many more copies of itself on vulnerable systems than originally intended, causing computers to fail as processing capacity became exhausted. Modern DoS attacks have a similar outcome, and the DDoS variants magnify this by utilising a large number of separate attack launchers.
DDoS meaning: Attack types to look for in your ISMS
There are three broad categories to classify DDoS, meaning that cyber security preparations and defences need to account for all of them.
Volume based attacks – Using enormous amounts of traffic against a target. This common DDoS attack aims to absorb the bandwidth of a site’s network and systems and so block any other access.
Protocol attacks – Designed to exploit a weakness and consume the processing capability and resources of the target server, or of something that directly protects the target such as a firewall. They do not target the available bandwidth. You will see attacks such as SYN floods and Ping of Death that overwhelm targets and make them unresponsive.
Application attacks – Seeking to exploit known weaknesses and vulnerabilities within applications themselves. Application attacks are considered to be the most sophisticated type of DDoS attack to deploy. The attacker makes a connection into the targeted application and then exploits application processes and transactions to exhaust the host server. The aim is to crash web services by making a large number of requests that look legitimate.
DDoS meaning: Mirai and DynDNS – a combination attack
Some DDoS attacks are used in combination to increase their complexity and potential impact. Sometimes the purpose is distraction and misdirection that divert the attention of security personnel whilst other cyber-attacks are being deployed.
Mirai malware (“future” in Japanese) was found in 2016, when it directed significant volumes of traffic at Dyn, a company that provides Domain Name System (DNS) services to other organisations. This is the reason that this type of attack is more formally known as “DynDNS”. Mirai is used to create and control botnets of computers, including IoT devices that are weakly defended by default security credentials, and is thought to have co-opted and made use of Digital Video Recorders in particular.
DNS is required to tie IP addresses to website names, making it easier for the user as they do not have to remember a string of IP numbers to access sites.
Mirai botnets rapidly flooded Dyn with millions of “lookup” requests, quickly followed by TCP protocol attacks seen over a number of days. The TCP attacks attempted to make servers incapable of answering legitimate requests. The attack may have denied service to legitimate users for only a few hours, but it was long enough to draw worldwide attention and impact high profile organisations including Twitter, Sony PlayStation and Spotify.
DDoS meaning: Attack Motivations to consider in your ISMS
There are a number of reasons an attacker might employ DDoS techniques against your organisation, which means you need to prepare defences and be aware of them in your ISMS:
- Notoriety – Plain and simple attention seeking or boredom, the notoriety that comes of successfully bringing a service to its knees and causing disruption
- Extortion – An ultimatum that the organisation pays to avoid being taken offline (e.g. during a critical period such as a sporting event for a betting site), with all the associated revenue loss, service loss and embarrassment that would follow. Using DDoS in this way has been overshadowed by the rise of ransomware such as WannaCry
- Hacktivism – The subversive use of computers and the internet to affect change and draw attention due to an ideology held by the attackers often including political motives
- Commercial benefit – Rival businesses looking to strategically impair the connectivity of a competitor during a critical sales period or notable event
- Cyber warfare – The activities of Foreign Intelligence Services (FIS) or attackers sponsored by nation states to compromise another country’s infrastructure and cause embarrassment.
Tips to prevent DDoS attacks in your ISMS
In order to prevent DDoS attacks from impacting your ISMS, you should consider the following:
- Sufficient bandwidth – Ultimately DDoS absorbs bandwidth and processing capacity, so a little extra may buy you more time to deal with the attack
- Internet of Things – Ensure that connected devices do not become a weakly defended route into your network, or are susceptible to be co-opted as a botnet participant due to poor security configuration
- Diverting DDoS traffic – The ability to re-route and divert attack traffic through use of automated Domain Name System (DNS) redirection or through manually activated (and slower!) Border Gateway Protocol (BGP)
- Filtering DDoS traffic – DDoS attacks look like floods or spikes of unwanted traffic that solutions can distinguish and filter out from legitimate activity, giving you the chance to keep your network connected and services working
- Monitoring and analysing all traffic – Use of advanced SIEM and Security Analytics to monitor and visualize traffic levels enables you to identify, alert and intervene on the spikes and floods that indicate a DDoS attack is in progress.
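As an added illustration of the monitoring tip above and of the single-source versus distributed distinction drawn earlier in the post (this is example code written for this page, not the author's or any vendor's tooling), the script below buckets web server access-log lines by minute and labels each minute as normal, a single-source flood (DoS pattern) or a many-source flood (DDoS pattern). The log lines are constructed and the two thresholds are illustrative assumptions; real baselines should come from your own traffic history.

```python
import re
from collections import defaultdict

# Common Log Format prefix: "<ip> - - [<timestamp>] "<request>" ..."
LINE_RE = re.compile(r'^(?P<ip>\d+\.\d+\.\d+\.\d+) - - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse(line):
    """Return (source_ip, minute_bucket) for one log line, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # "10/Oct/2023:13:55:36 +0000" -> "10/Oct/2023:13:55" (drop seconds and zone)
    minute = m.group("ts").rsplit(":", 1)[0]
    return m.group("ip"), minute


def classify_windows(lines, rate_threshold=10, source_threshold=5):
    """Per minute: (request count, distinct sources, label).

    rate_threshold   - requests per minute above which a window is a spike (assumed)
    source_threshold - distinct IPs at/above which a spike is treated as distributed (assumed)
    """
    hits = defaultdict(list)  # minute bucket -> list of source IPs seen
    for line in lines:
        parsed = parse(line)
        if parsed:
            ip, minute = parsed
            hits[minute].append(ip)
    result = {}
    for minute, ips in sorted(hits.items()):
        total, distinct = len(ips), len(set(ips))
        if total < rate_threshold:
            label = "normal"
        elif distinct >= source_threshold:
            label = "ddos-suspect"   # flood from many sources
        else:
            label = "dos-suspect"    # flood concentrated on one or few sources
        result[minute] = (total, distinct, label)
    return result


def constructed_log():
    """Constructed sample: a quiet minute, a single-source flood, then a many-source flood."""
    fmt = '{ip} - - [10/Oct/2023:13:{m}:{s:02d} +0000] "GET / HTTP/1.1" 200 512'
    lines = [fmt.format(ip="192.0.2.10" if s % 2 else "192.0.2.11", m=55, s=s) for s in range(3)]
    lines += [fmt.format(ip="198.51.100.7", m=56, s=s) for s in range(12)]
    lines += [fmt.format(ip=f"203.0.113.{s + 1}", m=57, s=s) for s in range(15)]
    return lines


if __name__ == "__main__":
    for minute, (total, distinct, label) in classify_windows(constructed_log()).items():
        print(f"{minute}  requests={total:3d}  sources={distinct:3d}  {label}")
```

The same bucketing logic applies to firewall or load-balancer logs; the point is that request volume alone flags the spike, while the distinct-source count tells you whether blocking one address will help.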