Distributed denial of service attacks like the one the federal government faced Wednesday are “distracting, uncomfortable and can be damaging,” says an industry analyst. But of all the cyber attacks an organization faces they can be mitigated with planning.
Forrester Research analyst John Kindervag said this morning that CISOs need a two-step strategy to face DDoS attacks:
–First, have a firewall and/or intrusion protection system capable of handling short-term or small attacks;
–Second, see if your internet service provider has rugged DDoS mitigation capability. If not and your risk profile demands, invest in a managed third party DNS scrubbing service or a service that provides clean transport.
DDoS attacks were fairly controlled up until 2012, he said, when hacktivist groups like Anonymous began using them as weapons. Since then the number of attacks has increased. Some are nuisance-based, while others are used for extortion or to mask hackers trying to break into a network.
“More organizations are prepared for DDoS than ever before,” he said. “There’s much more DDoS awareness.”
According to Arbor Networks, which makes DDoS mitigation solutions, Wednesday’s assault consisted of 15 attacks spread over several hours aimed at several government sites. All attacks were from/to port 80 over UDP (User Datagram Protocol, a transport layer protocol), the company said in an email. “This is noteworthy,” it added, “as there shouldn’t be a need to accept UDP based traffic to port 80.”
The largest attack was 258.47 Mbps/624.22 Kpps. The longest attack lasted 54 minutes and peaked at 63.43 Mbps/153.19 Kpps.
The attacks came from widely distributed sources, including four from an anonymous IP address in South Korea, Arbor Networks said.
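The Arbor figures above (UDP to port 80, sizes in Mbps and Kpps, duration, widely spread sources) are exactly what a defender can pull out of their own flow records. The script below is an added example, not code from the article or from Arbor Networks: it parses a simplified, constructed NetFlow-style CSV (the column layout, the sample records, and the alert thresholds are all assumptions made here), isolates UDP traffic to destination port 80, which a web front end has no reason to accept, and reports peak Mbps/Kpps, how long the rate stayed above threshold, and how many distinct sources took part.

```python
"""Flag UDP-to-port-80 floods in flow records and summarize them.

Added example, not from the article or Arbor Networks. The records below are
constructed, in an assumed simplified flow format, one flow per line:
    epoch_second,src_ip,dst_ip,proto,dst_port,packets,bytes
"""
from collections import defaultdict

# Constructed sample: a short UDP/80 burst from several sources mixed with
# ordinary TCP/80 and TCP/443 web traffic. Values are illustrative only.
SAMPLE_FLOWS = """\
1000,203.0.113.5,198.51.100.10,TCP,80,40,52000
1000,198.18.0.7,198.51.100.10,UDP,80,5000,3500000
1000,198.18.0.8,198.51.100.10,UDP,80,4800,3400000
1001,198.18.0.9,198.51.100.10,UDP,80,5200,3600000
1001,198.18.0.7,198.51.100.10,UDP,80,5100,3550000
1001,203.0.113.6,198.51.100.10,TCP,443,30,41000
1002,203.0.113.5,198.51.100.10,TCP,80,35,47000
1003,198.18.0.7,198.51.100.10,UDP,80,200,100000
"""

# Alert thresholds are assumptions for illustration; tune to your baseline.
ALERT_KPPS = 1.0   # thousand packets per second
ALERT_MBPS = 1.0   # megabits per second


def parse_flows(text):
    """Parse the assumed flow format into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sec, src, dst, proto, dport, pkts, nbytes = line.split(",")
        flows.append({
            "sec": int(sec), "src": src, "dst": dst, "proto": proto.upper(),
            "dport": int(dport), "packets": int(pkts), "bytes": int(nbytes),
        })
    return flows


def udp80_per_second(flows):
    """Aggregate UDP flows to destination port 80 into per-second buckets.

    A web server has no reason to accept UDP on port 80, so this traffic is
    suspect on its own; bucketing it by second gives rates comparable to the
    Mbps/Kpps figures that mitigation vendors report.
    """
    buckets = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for f in flows:
        if f["proto"] == "UDP" and f["dport"] == 80:
            b = buckets[f["sec"]]
            b["packets"] += f["packets"]
            b["bytes"] += f["bytes"]
            b["sources"].add(f["src"])
    return dict(buckets)


def summarize(buckets, kpps_threshold=ALERT_KPPS, mbps_threshold=ALERT_MBPS):
    """Return peak rates, duration of the above-threshold span, and source count."""
    flagged = []
    peak_mbps = peak_kpps = 0.0
    sources = set()
    for sec in sorted(buckets):
        b = buckets[sec]
        mbps = b["bytes"] * 8 / 1_000_000
        kpps = b["packets"] / 1_000
        if mbps >= mbps_threshold or kpps >= kpps_threshold:
            flagged.append(sec)
            peak_mbps = max(peak_mbps, mbps)
            peak_kpps = max(peak_kpps, kpps)
            sources |= b["sources"]
    if not flagged:
        return {"flagged": False, "seconds": 0, "peak_mbps": 0.0,
                "peak_kpps": 0.0, "sources": 0}
    return {
        "flagged": True,
        # span from first to last flagged second, inclusive
        "seconds": flagged[-1] - flagged[0] + 1,
        "peak_mbps": peak_mbps,
        "peak_kpps": peak_kpps,
        "sources": len(sources),
    }


def analyze(text):
    """Convenience wrapper: raw flow text in, summary dict out."""
    return summarize(udp80_per_second(parse_flows(text)))


if __name__ == "__main__":
    r = analyze(SAMPLE_FLOWS)
    print(f"UDP/80 flood flagged: {r['flagged']}, {r['seconds']} s, "
          f"peak {r['peak_mbps']:.2f} Mbps / {r['peak_kpps']:.2f} Kpps, "
          f"{r['sources']} distinct sources")
```

The same aggregation applied to real exports (with the column mapping adjusted) also answers the first of Kindervag's two questions: if the peak you observe fits inside what the edge firewall or IPS can absorb, it is a local problem; if it does not, that is the number to take to the ISP or a scrubbing provider.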
The graph above from Arbor Networks shows comparative traffic response time delays for canada.ca over several days when accessed from clients in the U.S. and Australia. The site became unresponsive at about the same time as the attacks that were reported into Arbor’s ATLAS network. Normally the response time is half a second or less. Shortly after noon Wednesday it shot up to 30 seconds and stayed there for about an hour, then became intermittent.
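The pattern in that graph, a sub-second baseline that jumps to tens of seconds from more than one vantage point at once, is what an outage detector should key on. The script below is an added example, not part of the article or of Arbor's ATLAS tooling: it takes a constructed per-minute response-time series for two vantage points (names and numbers are assumptions made here), derives a baseline from the first few samples, ignores single-sample blips, and reports the windows in which every vantage point was degraded at the same time, which is the signature of the site itself being overwhelmed rather than one network path having trouble.

```python
"""Flag sustained response-time degradation seen from several vantage points.

Added example, not from the article. The series are constructed: one list of
response times in seconds, sampled once a minute, per monitoring location.
"""
from statistics import median

# Constructed samples: sub-second baseline, then roughly 30 s responses for
# four minutes from both locations, then a single blip from one location.
SAMPLES = {
    "us-east": [0.4, 0.5, 0.4, 0.5, 0.4, 31.0, 30.2, 30.5, 30.1, 0.6, 29.8, 0.5],
    "au-syd":  [0.5, 0.5, 0.6, 0.5, 0.5, 30.4, 30.9, 30.0, 30.3, 0.7, 0.5, 0.5],
}

# Tuning knobs (assumed values): how many leading samples form the baseline,
# how many times the baseline counts as degraded, and how many consecutive
# degraded samples are needed before a window is reported.
BASELINE_SAMPLES = 5
DEGRADED_FACTOR = 10.0
MIN_CONSECUTIVE = 2


def degradation_windows(series, baseline_n=BASELINE_SAMPLES,
                        factor=DEGRADED_FACTOR, min_consecutive=MIN_CONSECUTIVE):
    """Return the baseline and a list of (start, end) index windows (inclusive)."""
    baseline = median(series[:baseline_n])
    limit = baseline * factor
    windows = []
    start = None
    for i, rt in enumerate(series):
        if rt > limit:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_consecutive:
                windows.append((start, i - 1))
            start = None
    # a run still open at the end of the series
    if start is not None and len(series) - start >= min_consecutive:
        windows.append((start, len(series) - 1))
    return {"baseline": baseline, "limit": limit, "windows": windows}


def _indices(windows):
    """Expand (start, end) windows into the set of sample indices they cover."""
    return {i for s, e in windows for i in range(s, e + 1)}


def _ranges(indices):
    """Collapse a set of indices back into sorted (start, end) windows."""
    ranges = []
    for i in sorted(indices):
        if ranges and i == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], i)
        else:
            ranges.append((i, i))
    return ranges


def correlate(samples):
    """Per-vantage windows plus the windows common to all vantage points."""
    per_vantage = {name: degradation_windows(series)
                   for name, series in samples.items()}
    common = None
    for result in per_vantage.values():
        idx = _indices(result["windows"])
        common = idx if common is None else common & idx
    return {"per_vantage": per_vantage, "common": _ranges(common or set())}


if __name__ == "__main__":
    report = correlate(SAMPLES)
    for name, res in report["per_vantage"].items():
        print(f"{name}: baseline {res['baseline']:.2f}s, windows {res['windows']}")
    print("degraded from all vantage points at minutes:", report["common"])
```

Requiring agreement across vantage points is the useful part: a single location reporting slow responses is as likely to be its own upstream as the target, while every location degrading in the same minutes is the signal worth paging on, and the length of the common window is the outage duration to report.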
Public Safety minister Stephen Blaney told reporters Wednesday no personal information was gained by attackers behind Wednesday’s apparent denial of service that temporarily blocked a number of federal Web sites.
The legislation, which is expected to come into effect later this year, gives new powers to law enforcement and intelligence agencies, including the Canadian Security Intelligence Service (CSIS).
Rafal Rohozinski of the SecDev Group, an Ottawa company that helps organizations analyze intelligence, told CBC News the attack should be considered political action rather than a cyber threat. “This is not a cyber security story and we should not blow it up to be one.”
The legislation says in part that CSIS can take “measures” — some of which may need a Federal Court order — if there are reasonable grounds to believe that a particular activity constitutes a threat to the security of Canada. “Measures” aren’t defined — they may come in the regulations that the government would detail after the legislation is given royal assent — but they may include the power to shut down Web sites.
Police would also be able to ask a judge for the power to seize any publication that is terrorist propaganda. Within seven days a hearing must be held allowing the owner to explain why the material should not be forfeited.
The bill also allows government departments to more easily share personal data they hold to better detect threats. The Criminal Code would be changed to make it easier for police to make preventative arrests, and to criminalize the promotion of terrorism.
There were reports that the Web sites of the ministries of Justice, Public Works and Government Services, the main Canada.ca page, Shared Services Canada (which is in the middle of merging the Web sites and IT departments of a number of ministries) and the Canadian Security Intelligence Service (CSIS) were among those temporarily down, as well as some email service.
Denial of service attacks attempt to overwhelm a Web site with requests, usually leveraging bots on unsuspecting servers that amplify and reflect the attack. Dave Lewis, Akamai Technologies’ global security advocate, told a Toronto security conference last week that DDoS attacks can be eliminated if CISOs hardened their systems better.
DDoS attacks range from nuisance thrusts made by hacktivist groups to bored teenagers. As Lewis pointed out, they can be arranged cheaply by renting volume on the Dark Web. But in an interview Steve Neville, Trend Micro’s Ottawa-based director of cloud and data centre security, pointed out they also can be used to mask criminal attacks.
One of the latest strategies is extortion — threatening to take down a Web site unless the owner pays up. Feedly and Evernote are two sites that have faced these threats. According to DDoS solutions provider Arbor Networks, 20 per cent of DDoS attacks involve extortion.
In its latest annual report the security vendor noted that hacktivist-based DDoS attacks are increasing. In January, for example, activists froze several German government sites to demand the country cut ties with Ukraine.
Nuisance attacks can have two goals — publicizing a cause, in which case this attack has done well although it will have no impact on government policy — and humbling a target by putting it offline for a lengthy period of time. So far this attack has had only modest success, apparently downing federal sites for only a couple of hours. Done daily, however, a nuisance can be turned into something crippling.
“Cyber security is an issue we take very seriously,” Blaney told reporters, noting the government in its last budget increased spending and is working with telecom companies “to increase the resilience and the unlikeliness of such attacks.”
When a reporter noted that despite this a group was still able to attack federal systems, he pointed out the government has a cyber strategy.