DDoS attacks: Criminals get stealthier
There has been a lot of media hype around volumetric DDoS attacks recently, with the focus on large Gb/sec floods, sometimes as high as 400 Gb/sec. In reality these are rare, and these big, dumb attacks make one wonder whether they are being used as a distraction to tie up resources and divert IT operations' effort to the wrong place so that attackers can get into websites unnoticed. The bottom line is that DDoS attacks are a serious security threat that evolves every day, much like the sophistication of the criminals who launch them.
As a result, significant changes are taking place in the type and style of attacks we are seeing. From headless browsers and application layer attacks to using a DDoS attack as cover for more sinister intrusions, every security professional needs to understand that DDoS is not a static problem that can be dealt with once and then ignored. It evolves, and the tactics for defending against it need to advance even faster.
There are a variety of reasons for the evolution:
- Better general awareness about DDoS attacks has forced attackers to develop new ways to get around the basic defenses.
- Media attention for high profile DDoS attacks attracts activists with a message. Groups try to outdo one another in a bid for attention.
- A growing variety of coding practices, web platforms and features used in web design have created an increasing number of variables which can result in application exploits, rendering a website useless.
- With more access to high-CPU devices available through the cloud and dedicated hosting, DDoS attackers can now use that CPU to run more sophisticated attacks.
For these reasons, we are seeing more sophistication in the style of attack used: less volume, with attackers doing their homework to target very specific weaknesses in a website and hit it where it is weakest.
One of the stealthiest ways we see attackers sneaking past defences is headless browsers, a clever way for cyber criminals to get around standard DDoS protection by masquerading as legitimate web traffic. The kit itself exists so that programmers can test their websites, so for all intents and purposes it is a legitimate browser engine; it has simply been scripted to run a series of queries against the basic UI elements of a website. Used maliciously, headless browsers enable attackers to launch sophisticated DDoS attacks that can leave websites paralysed. Detection is difficult, and stopping a headless browser DDoS attack can be a bit like playing "whack-a-mole".
Importantly, a headless browser can process JavaScript and CAPTCHA challenges and jump through whatever hoops the website presents, because it was designed for testing; this is a big problem for more traditional DDoS protection such as appliance ("box") solutions. What is most effective here is real-time support, where a human is involved who can develop rulesets to determine what is going on and deploy them within seconds.
Application layer attacks are also becoming more and more prominent, to the point where you might not even notice them if you don't know what you are looking for. Attackers are getting better at reconnaissance and doing their research to perform smarter attacks that keep the volume low and under the radar, quietly killing the site in the background while fooling IT into spending time on the wrong part of the site when it is down. This isn't a bunch of kids getting together on 4chan for bragging rights; they know what is at stake and do reconnaissance on the website, and it is a very thorough process.
Put simply, the intention of a DDoS is to take down a site, and if attackers can do it with one packet, why wouldn't they? An application layer attack does not have to be volumetric. If an attacker has done the due diligence to find that one area of the site, say a registration page, can only handle a certain low number of concurrent users, the attacker can target that page and easily take down the site.
Where DDoS attacks are concerned, the big and dumb attack is getting easier to deal with. It still causes havoc, and of course we still need to pay attention to volumetric attacks, but they are easy to see and identify as a pattern. We do still see them around because they are easy to generate, but they are just as easy to mitigate. It is the application attacks and headless browser attacks that we see as the biggest concern for the future. I can only surmise that the media hype is fuelling the focus on volumetric DDoS attacks, which in turn is where the industry seems to be concentrating in order to meet customer expectations. In reality there is a rise in application attacks, and we should be educating companies about these threats, because they will be the ones with real consequences for businesses that place any sort of importance on their websites.
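The registration-page scenario above is why bandwidth and packet-rate thresholds miss application layer attacks: the attack traffic is a handful of requests, not a flood. The following is an added illustration of the detection approach a defender would use instead (it is not DOSarrest's code or tooling): count requests per endpoint against an assumed per-endpoint capacity over a short window, and raise an alert when a capacity-limited page is being driven past what it can serve even though total traffic is unremarkable. The log lines, the IP addresses, and the `CAPACITY` figures are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (combined-log style), not real traffic.
# Twelve requests in one ten-second window: a few normal page views plus
# eight POSTs to /register from three clients. Nothing here is "volumetric".
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:30 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [10/Oct/2023:13:55:31 +0000] "GET /products HTTP/1.1" 200 2048
198.51.100.5 - - [10/Oct/2023:13:55:31 +0000] "POST /register HTTP/1.1" 200 1024
198.51.100.6 - - [10/Oct/2023:13:55:32 +0000] "POST /register HTTP/1.1" 200 1024
203.0.113.12 - - [10/Oct/2023:13:55:32 +0000] "GET /static/app.js HTTP/1.1" 200 8192
198.51.100.5 - - [10/Oct/2023:13:55:33 +0000] "POST /register HTTP/1.1" 200 1024
198.51.100.7 - - [10/Oct/2023:13:55:34 +0000] "POST /register HTTP/1.1" 200 1024
198.51.100.6 - - [10/Oct/2023:13:55:35 +0000] "POST /register HTTP/1.1" 503 256
203.0.113.13 - - [10/Oct/2023:13:55:36 +0000] "GET /about HTTP/1.1" 200 1536
198.51.100.5 - - [10/Oct/2023:13:55:37 +0000] "POST /register?ref=x HTTP/1.1" 503 256
198.51.100.6 - - [10/Oct/2023:13:55:38 +0000] "POST /register HTTP/1.1" 503 256
198.51.100.5 - - [10/Oct/2023:13:55:39 +0000] "POST /register HTTP/1.1" 503 256
"""

# Assumed capacity per endpoint: how many requests each expensive page can
# comfortably serve per window. In practice these come from load testing.
CAPACITY = {"/register": 5, "/search": 20}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m["ip"],
        "ts": ts,
        "method": m["method"],
        # Strip the query string so /register?ref=x counts against /register.
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def detect(lines, window_seconds=10, capacity=CAPACITY):
    """Flag windows in which a capacity-limited endpoint is driven past its limit.

    Returns a list of alert dicts. Each alert carries the endpoint, the request
    count versus capacity, the share of the window's total traffic that the
    endpoint received, the total request count (to show how small it is), and
    the busiest clients, which is what an operator needs to write a ruleset.
    """
    # window -> path -> ip -> request count
    buckets = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        w = int(rec["ts"].timestamp()) // window_seconds
        buckets[w][rec["path"]][rec["ip"]] += 1
        totals[w] += 1

    alerts = []
    for w in sorted(buckets):
        for path, per_ip in buckets[w].items():
            limit = capacity.get(path)
            if limit is None:
                continue  # not an endpoint we model capacity for
            n = sum(per_ip.values())
            if n > limit:
                top = sorted(per_ip.items(), key=lambda kv: kv[1], reverse=True)[:3]
                alerts.append({
                    "window_start_epoch": w * window_seconds,
                    "path": path,
                    "requests": n,
                    "capacity": limit,
                    "total_requests": totals[w],
                    "share_of_total": round(n / totals[w], 2),
                    "top_clients": top,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run as a script it reports one alert: `/register` received 8 requests against an assumed capacity of 5 in a window whose total traffic was only 12 requests, with `198.51.100.5` the busiest client. A bytes-per-second or packets-per-second threshold would never fire on this window; accounting per endpoint against what that endpoint can actually serve is what surfaces it.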
Jag Bains is the CTO of DOSarrest.