The title says it all: “The Danger Deepens.” Neustar, a cloud-based information services and data analytics provider, recently released its roundup of distributed denial of service (DDoS) attacks in 2013, and the picture doesn’t look good; in 2013 the strategy and severity of DDoS evolved, with attackers becoming more focused and sophisticated, carefully targeting their attacks to exploit vulnerabilities.
“Over the last year, DDoS attacks evolved in strategy and tactics,” the report says. “We saw increased media reports of ‘smokescreening,’ where criminals use DDoS attacks to distract IT staff while inserting malware to breach bank accounts and customer data. More than half of attacked companies reported theft of funds, data or intellectual property. Such cyber attacks are intense but shorter-lived, more surgical than sustained strikes whose goal is extended downtime
The duration of an average attack decreased, but that’s not reason for optimism, Neustar warns. The number of attacks is on the rise, and the shorter duration is a sign that attackers have clear, thought-out goals. Large attacks have become more but hits under 1Gbps still make up the majority of incidents.
More than 40 per cent of responses said that losses stemming from a DDoS attack were over US$1 million a day – 14 per cent at $50,000 to $100,000 every hour and 29 per cent at over $100,000 an hour.
Awareness isn’t the problem. Ninety-one per cent of respondents say the DDoS is the same as or worse than it was in 2012. One of the main problems is that the number of companies attacked has just about doubled in one year, from 35 per cent of respondents in 2012 to 60 per cent in 2013. Almost 90 per cent of those attacked were hit twice.
While attacks between one and five GBps almost tripled, Neustar’s report devotes a lot of attention to large-scale attacks – ones that exceed 100 Gbps.
“As of April 2014 the Neustar Security Operations Center has already mitigated more than twice as many 100+ Gbps attacks versus all of last year,” the report says. One cause is the rise in DNS and NTP amplification attacks. These involve attackers sending UDP packets to vulnerable DNS/NTP servers with the spoofed IP addresses of the targeted servers. The attacked server sends an amplified response to the target IP address. “These attacks can easily add up to enormous bandwidth. One amplification attack this year measured 400 Gbps,” Neustar says.
Along with the trend to shorter attacks, Neustar reports the rise of “smokescreening,” an attack modality that exploits elements of social engineering. While IT and security staff are distracted by a DDoS attack, the attackers access and clone private data to steal funds, private information and other sensitive data. Neustar reports one case where attackers used DDoS to help steal bank customers’ credentials and drain US $9 million from ATMs in just 48 hours.
“Here’s an analogy,” says Rodney Joffe, Neustar senior vice president and senior technologist. “When there’s a tremendous storm, you run around your house making sure all the windows are closed and you’ve got the flashlights ready. You’re not worried about anything else. DDoS attacks are similar. They create an all-hands-on-deck mentality, which is understandable but sometimes dangerous.”
Staff resources are getting stretched thin. Neustar says that last year attacks requiring more than six people to mitigate nearly doubled compared with 2012. Attacks requiring more than ten people to handle more than doubled, increasing from 20 per cent in 2012 to nearly 41 per cent in 2013.
Neustar offers some warning signs. Shorter, more intense attacks can be a sign attackers have zeroed in on exactly what they need – and probably aren’t aiming to clog bandwidth or increase downtime. And the absence of a statement or ransom note could mean the attackers have a hidden agenda.
To protect against attacks – DdoS and otherwise, Neustar recommends that organizations make sure some staff are watching entry systems during DDoS attacks. Make sure security systems are patched and up to date, and implement dedicated DDoS protection. “Scrambling to find a solution in the midst of an emergency only adds to the chaos—and any intended diversion.”
A member of the Neustar (Nasdaq: NSR) Security Operations Center offered some parting thoughts.
“It’s smart to ‘know your normal.’ What does your traffic usually look like? Knowing this will help you identify and mitigate attacks faster. Also, set your DNS TTL (time to life) low, especially ‘A’ records that are likely to become targets. Work with your upstream provider to see what they can block through their access control lists (ACL).”
A final piece of general advice: “have some protection and plans in place. It’s the same thing any type of first responder would tell you.”