Most people associate the term ‘DDoS’ with system downtime, and understandably so: the term does, after all, stand for “Denial of Service”. A key factor that many are not aware of, or neglect to consider, is that attackers are getting smarter and are using more sophisticated measures as they target, profile and infiltrate networks. Attackers don’t always want to deny service completely; most often the goal is the opposite: they want the network to stay up, and they use DDoS purely as a distraction technique. By using DDoS as a diversionary tactic, they can map the floor plan of the targeted network, identify weak points and exploitable vulnerabilities, and misdirect the security team by overwhelming traditional IT security infrastructure and flooding logging tools with attack traffic.
Another misconception is that DDoS means only one type of attack vector: volumetric. Volumetric DDoS attacks are easier to identify, and media coverage tends to publicise only this kind of high-bandwidth attack.
Corero Network Security has recently observed a change in how attackers use DDoS as a mechanism for data exfiltration and breach activity. Corero has identified the use of brute-force DDoS attacks alongside more adaptive, multi-vector methods; it is by these means that attackers are using DDoS to profile a target network’s security defences.
An initial attack of very high capacity may last around 15-20 minutes. After this initial ‘blast’ of sub-saturating attack traffic, the attacker backs off and launches a second attack at a much lower rate. Sooner or later the security defences let this traffic through, because the network security perimeter classifies it as falling within the thresholds of normal network traffic. The key factor in this scenario is that the DDoS attack is not completely denying service, as it does not carry enough volume to fully saturate the pipe, and there is a good explanation for this.
Partial-saturation attacks like these still have enough capacity to take down IPSs, web application servers, firewalls and other back-end infrastructure. It is clear that attackers are creating sophisticated evasion techniques that combine multi-vector attacks with traditional high-capacity DDoS. Follow-on attacks are then chosen specifically to circumvent whatever layered protection is in place. Attackers’ finely honed skills and sophisticated reconnaissance tools let them tell when and where the network is responding, allowing them to profile networks, even to the point of pinpointing the brand of security defences in place.
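The two-phase profile described above (a sub-saturating blast, a back-off, then a lower second phase) is exactly what a static link-saturation alarm misses. The following is an added example, not Corero’s code and not taken from the article; it runs a constructed per-minute traffic series (assumed 10 Gbit/s link, all rates invented for illustration) through both a fixed 90%-of-link threshold and a baseline-deviation check learned from the pre-attack period, and reports which minutes each one flags.

```python
"""Contrast a static link-saturation threshold with a baseline-deviation check
on a two-phase 'blast, back off, continue lower' DDoS profile.
All traffic figures here are constructed for illustration (added example)."""
from statistics import mean, pstdev

LINK_CAPACITY_MBPS = 10_000                    # assumed 10 Gbit/s ingress link
STATIC_THRESHOLD = 0.9 * LINK_CAPACITY_MBPS    # 'saturation' alarm at 90% of link


def build_series():
    """Constructed per-minute inbound rate in Mbit/s:
    30 min of normal traffic near 800 Mbit/s, a 15-minute blast near 6 Gbit/s
    (sub-saturating), a 5-minute lull, then 30 min of a second phase near 2 Gbit/s."""
    normal = [800 + (i * 37) % 120 for i in range(30)]   # deterministic jitter
    blast = [6000 + (i * 53) % 300 for i in range(15)]
    lull = [800 + (i * 37) % 120 for i in range(5)]
    second = [2000 + (i * 41) % 150 for i in range(30)]
    return normal + blast + lull + second


def static_alerts(series, threshold=STATIC_THRESHOLD):
    """Minutes where the rate exceeds a fixed share of link capacity."""
    return [i for i, v in enumerate(series) if v > threshold]


def baseline_alerts(series, baseline_minutes=30, sigmas=4.0, min_ratio=1.5):
    """Minutes whose rate departs from a baseline learned from the first
    `baseline_minutes` samples (assumed clean). A sample fires only if it is
    above mean + sigmas*stdev AND above min_ratio*mean, so a very quiet
    baseline does not alarm on ordinary jitter."""
    base = series[:baseline_minutes]
    mu, sd = mean(base), pstdev(base)
    limit = max(mu + sigmas * sd, min_ratio * mu)
    return [i for i, v in enumerate(series)
            if i >= baseline_minutes and v > limit]


def phases(alert_minutes):
    """Group consecutive alert minutes into (start, end) phases."""
    out = []
    for m in alert_minutes:
        if out and m == out[-1][1] + 1:
            out[-1] = (out[-1][0], m)
        else:
            out.append((m, m))
    return out


def peak_shares(series, phase_list, capacity=LINK_CAPACITY_MBPS):
    """Peak rate of each phase as a fraction of link capacity."""
    return [round(max(series[s:e + 1]) / capacity, 4) for s, e in phase_list]


if __name__ == "__main__":
    s = build_series()
    print("static threshold alerts:", static_alerts(s))          # none: never saturates
    ph = phases(baseline_alerts(s))
    print("baseline-deviation phases:", ph)                       # blast and second phase
    print("peak share of link per phase:", peak_shares(s, ph))   # both well under 0.9
```

The static check never fires because neither phase approaches link saturation, which is the attacker’s intent; the baseline check flags both phases and shows the second running at roughly a fifth of link capacity, low enough to pass a capacity-based filter yet far above what this network normally carries. In practice the baseline window should be learned over a much longer clean period, not 30 samples.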
The DDoS threat landscape is broad and constantly evolving, but the idea that DDoS attacks are used as a diversionary tactic or profiling mechanism is frequently ignored or brushed aside. When looking at forensic archive data from DDoS attacks, you usually see things like brute-force login attempts occurring at the same time as the DDoS attack itself; this is further evidence that the DDoS component of the incursion was never about denial of service. Attackers are trying to circumvent defences and are looking for holes they can exploit, and DDoS is proving to be an effective smoke screen: it obscures their incursions or, in many cases, ensures they are never even captured by the event logging tools that many organisations rely on to alert them to breach activity should their defences fail.
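The forensic correlation the paragraph describes, brute-force login attempts overlapping the DDoS window, can be automated during incident review. The following is an added example, not code from the article or from Corero; it assumes the mitigation system exports alert windows as start/end timestamps and that authentication events are available as sshd-style syslog lines. The windows and log lines are constructed samples using RFC 5737 documentation addresses.

```python
"""Correlate DDoS mitigation alert windows with authentication failures so
that brute-force activity hidden behind the flood surfaces in review.
Windows and log lines below are constructed samples (added example)."""
import re
from collections import Counter
from datetime import datetime

# Constructed: (start, end) of two mitigation alerts on the same morning.
DDOS_WINDOWS = [
    (datetime(2024, 3, 5, 10, 0), datetime(2024, 3, 5, 10, 15)),
    (datetime(2024, 3, 5, 10, 20), datetime(2024, 3, 5, 10, 50)),
]

# Constructed sshd log excerpt (ISO timestamps, RFC 5737 addresses).
AUTH_LOG = """\
2024-03-05T09:41:02 host1 sshd[2201]: Failed password for admin from 198.51.100.4 port 50122 ssh2
2024-03-05T09:58:10 host1 sshd[2210]: Accepted publickey for deploy from 192.0.2.10 port 41022 ssh2
2024-03-05T10:02:13 host1 sshd[2333]: Failed password for root from 203.0.113.7 port 51234 ssh2
2024-03-05T10:03:01 host1 sshd[2335]: Failed password for root from 203.0.113.7 port 51240 ssh2
2024-03-05T10:04:47 host1 sshd[2338]: Failed password for invalid user test from 203.0.113.7 port 51251 ssh2
2024-03-05T10:06:20 host1 sshd[2341]: Failed password for admin from 203.0.113.7 port 51260 ssh2
2024-03-05T10:09:55 host1 sshd[2347]: Failed password for admin from 203.0.113.7 port 51271 ssh2
2024-03-05T10:30:12 host1 sshd[2402]: Failed password for admin from 198.51.100.4 port 50190 ssh2
2024-03-05T11:05:00 host1 sshd[2510]: Accepted password for deploy from 192.0.2.10 port 41100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text):
    """Turn sshd lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def in_window(ts, windows):
    """True if the timestamp falls inside any (start, end) window, inclusive."""
    return any(start <= ts <= end for start, end in windows)


def failure_counts(log_text, windows):
    """Per source IP: (failed logins inside DDoS windows, failed logins outside)."""
    inside, outside = Counter(), Counter()
    for ev in parse(log_text):
        if ev["result"] != "Failed":
            continue
        bucket = inside if in_window(ev["ts"], windows) else outside
        bucket[ev["ip"]] += 1
    return {ip: (inside[ip], outside[ip]) for ip in sorted(set(inside) | set(outside))}


def flag_sources(log_text, windows, threshold=3):
    """Sources with at least `threshold` failures inside a DDoS window.
    These are the candidates for the 'smoke screen' pattern and deserve a
    closer look in the forensic archive (threshold is an assumed tuning value)."""
    return {ip: c for ip, c in failure_counts(log_text, windows).items() if c[0] >= threshold}


if __name__ == "__main__":
    for ip, (hits_in, hits_out) in failure_counts(AUTH_LOG, DDOS_WINDOWS).items():
        print(f"{ip}: {hits_in} failures during DDoS, {hits_out} outside")
    print("flagged:", flag_sources(AUTH_LOG, DDOS_WINDOWS))
```

The point of splitting inside/outside counts is that a source active only while the mitigation system was busy is more telling than the raw failure count: it is the timing overlap, not the volume, that the paragraph identifies as evidence. If the logging pipeline itself dropped events during the flood, a gap in log timestamps across the window is the other signal to check.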
As DDoS attack techniques continue to evolve, organisations must adapt their defence posture to keep up with these threats. An Internet-connected business can no longer afford to wait until an attack has occurred to implement security measures; protection must be in place before the attack is launched. Organisations need modern, real-time DDoS detection and mitigation capabilities that combine intelligent, automated filtering with detailed security forensics to defeat these new and advanced evasion threats.
About Dave Larson, CTO at Corero Network Security
Dave Larson is Vice President, Product, and Chief Technology Officer of Corero Network Security, driving the strategic direction and execution of the overall product strategy of Corero’s DDoS mitigation and visualization business, comprised of the award-winning SmartWall and SecureWatch platforms. In addition, Larson leads Corero’s Product Management and Marketing organizations. He brings over 20 years’ experience successfully building innovative solutions and businesses for both startup ventures and multi-billion-dollar public entities. He leads Corero’s delivery of enterprise- and telco-grade, high-performance anti-DDoS solutions, one of the fastest-growing segments of the network security market globally.