Interviews

When DoS isn’t really Denial of Service

by Mark Rowe

If you have been caught at the receiving end of a Distributed Denial of Service (DDoS) attack, without proper defenses in place, you are already familiar with the chaos that ensues as a result of your network becoming overwhelmed with bogus traffic. The phone lines light up with customer service complaints, your staff is running around chasing firewall reboots, IPS failovers and scrolling through endless security event logs trying to identify the source and determine a solution to restore service availability. Unfortunately, denial of service, and the pain that entails, may not be your only concern. What may be lurking behind the DDoS attack can be more destructive than the attack itself, writes Dave Larson, CTO at Corero.

Sophisticated and distracting DDoS attacks are increasingly used to disguise more subtle infiltrations of the victim network. These partially saturating attacks do not fully consume the internet link, nor are they primarily volumetric in nature. This emerging attack type is designed to leave just enough bandwidth available for other multi-vector attacks whose real objective is infiltration or even data exfiltration. Those follow-on attacks are designed to fly in under the radar while the distracting DDoS attack consumes resources, logs and the attention of IT security personnel. Security alerts from an IPS or advanced threat analysis solution that would normally command immediate attention are either missed or suffer a delayed response as the IT security team struggles to maintain network uptime. Worse still, some security products, when faced with traffic levels they cannot handle (even levels below full pipe saturation), are designed to fail open to keep the network up, resulting in a total loss of protection for the assets behind them. This leaves the door wide open for the attacker. We are seeing an increasing trend of denial of service attack vectors being used as a smokescreen for data exfiltration attempts. DoS, or DDoS, is sometimes a poor descriptor for this class of attacks: denial of service is not always the goal.

Once low-hanging fruit has been identified, opportunistic attackers do not need to look very far to take advantage of the weaknesses in security caused by the DDoS attack. This creates a perfect opportunity to exploit vulnerabilities in the infrastructure for the purpose of malware or advanced persistent threat (APT) insertion or, worse, exfiltration of sensitive information from servers. Most concerning of all, this can be accomplished without causing a discernible service degradation that would catch the attention of your security personnel.

Additionally, these partial saturation events are too short in duration for cloud-based DDoS mitigation services to provide much, if any, benefit: by the time the attack has been detected and traffic has been re-routed to the scrubbing service, the event is often already over. To achieve real-time mitigation against this type of DDoS attack, networks require real-time visibility into the attack activity, with full forensic analysis capabilities, in order to defeat the attack before it compromises the IT infrastructure.
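The detection problem described above, as an added illustration (this is not code from the article or from Corero): an alarm tuned for full pipe saturation never fires on a flood that holds the link at 75 percent, while a lower sustained-utilisation threshold does, and the resulting attack window can then be correlated with outbound flow volume to surface the exfiltration the flood was hiding. The link capacity (1 Gbit/s), the per-second telemetry, the flow records, the destination addresses and the thresholds are all constructed assumptions for the example.

```python
"""Detect a partial-saturation DDoS and correlate it with outbound flows.

Added example, not from the article or Corero. All telemetry below is
constructed: per-second inbound utilisation plus outbound flow records.
"""
from collections import defaultdict

LINK_CAPACITY_MBPS = 1000  # assumed 1 Gbit/s internet link

# Constructed inbound samples (Mbps, one per second). Normal load is about
# 200 Mbps; seconds 10-19 carry a 750 Mbps flood: 75% of the pipe, never full.
INBOUND_MBPS = [200] * 10 + [750] * 10 + [200] * 10

# Constructed outbound flow records: (second, destination, bytes).
# A large transfer to an external host starts while the flood is running.
OUTBOUND_FLOWS = (
    [(s, "10.0.5.20", 50_000) for s in range(30)]               # steady internal replication
    + [(s, "203.0.113.10", 40_000_000) for s in range(12, 18)]  # 6 s x 40 MB to external host
)


def saturation_windows(samples, capacity, min_ratio, min_seconds):
    """Return [(start, end)] second ranges where utilisation stays at or above
    min_ratio * capacity for at least min_seconds consecutive samples."""
    windows, start = [], None
    for t, mbps in enumerate(samples):
        hot = mbps >= min_ratio * capacity
        if hot and start is None:
            start = t
        elif not hot and start is not None:
            if t - start >= min_seconds:
                windows.append((start, t - 1))
            start = None
    if start is not None and len(samples) - start >= min_seconds:
        windows.append((start, len(samples) - 1))
    return windows


def outbound_anomalies(flows, windows, baseline_bytes_per_sec, factor=10):
    """Sum outbound bytes per destination inside the attack windows and flag
    destinations whose average rate exceeds factor x the normal baseline."""
    def in_window(t):
        return any(a <= t <= b for a, b in windows)

    totals, seconds = defaultdict(int), defaultdict(set)
    for t, dst, nbytes in flows:
        if in_window(t):
            totals[dst] += nbytes
            seconds[dst].add(t)
    return sorted(dst for dst, total in totals.items()
                  if total / len(seconds[dst]) > factor * baseline_bytes_per_sec)


def analyse(samples=INBOUND_MBPS, flows=OUTBOUND_FLOWS, capacity=LINK_CAPACITY_MBPS):
    # An alarm set at 95% of the pipe (full saturation) never fires on this flood...
    full_pipe = saturation_windows(samples, capacity, 0.95, 5)
    # ...whereas a sustained 60% threshold catches the partial-saturation window.
    partial = saturation_windows(samples, capacity, 0.60, 5)
    # Outbound baseline: 50 kB/s of internal replication is normal for this link.
    exfil = outbound_anomalies(flows, partial, baseline_bytes_per_sec=50_000)
    return {"full_pipe": full_pipe, "partial": partial, "exfil_suspects": exfil}


if __name__ == "__main__":
    print(analyse())
```

The point of the second threshold is not that 60 percent is a magic number; it is that the detector has to be tuned for the attacker's goal (a link left deliberately unsaturated) rather than for outages, and that the attack window is only useful if something then looks at what left the network during it.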

As organisations consider options for DDoS mitigation, it is important to realise that a hybrid approach, which combines the benefits of an on-premises solution and a cloud-based mitigation service, may be the best answer. On-premises DDoS defence technology prevents outages by inspecting traffic at line rate and blocking attacks in real time while allowing legitimate traffic to flow uninterrupted. Deployed at the network edge, this real-time defence also gives complete visibility into DDoS security events. Archived security event data then enables forensic analysis of past threats and compliance reporting of security activity, which is a strong advantage against attackers when DDoS is used as a distraction technique.

On-premises technology provides always-on protection against DDoS attacks. However, to ensure maximum protection, an on-premises device can be backed up by a cloud-based mitigation service to defeat sporadic high-bandwidth DDoS attacks that exceed the capacity of an organisation's internet pipe. The main benefit of a hybrid approach over relying solely on an on-demand cloud-based DDoS mitigation service is that the on-premises device dramatically reduces the number of times an organisation needs to switch over to cloud-based protection.

Organisations must arm themselves with next-generation DDoS defence platforms that incorporate both intelligent, automated filtering and detailed security forensics to effectively defeat these new and advanced threats. Real-time detection and mitigation of DDoS attacks was once considered an insurance policy for most organisations. Today, it is clear that any business, regardless of industry or the type of intellectual property it holds, is susceptible to attack. Attackers' motivations range from wildly obscure to clear and (theoretically) understandable. Regardless of motivation or final outcome, organisations need to understand the types of threats that are out there and the proper tools required to defeat these attacks and protect their customers. What at first appears to be a nuisance DDoS attack could in reality be a distraction from the real damage, such as data exfiltration, that organisations are failing to discover in time.

© 2024 Professional Security Magazine. All rights reserved.