DDoS (distributed denial of service) attacks have been around for many years, but recently they’ve become more high-profile, hitting bigger targets. It’s now not solely the domain of hacktivist groups — extortion is more often the name of the game.
Imagine the scenario: you run a site capable of generating a lot of money every hour of the day. One day your site gets taken out by a DDoS attack, and you receive a message saying unless you pay a ransom, your site will remain down indefinitely.
What do you do? On the one hand you don’t want to give in to extortion and pay the bad guys, but on the other you really don’t want to lose your site and its income.
A Cautionary Tale
Just such an attack recently took down Code Spaces, which for seven years had offered source code repositories and project management services to an impressive customer base.
According to a statement from Code Spaces, following a DDoS attack on the site an intruder managed to access its Amazon Web Services control panel. The attacker took control and contacted Code Spaces staff offering to return control of the panel — once they had received a large sum of money. Code Spaces attempted to regain control, and the attacker responded by deleting panel entries at random.
Most of the company’s data, backups, machine configurations and offsite backups were either partially or completely deleted by the time they regained control. In 12 hours, the attacker did enough damage to put Code Spaces out of business forever. The damage wasn’t just financial, but human — six people presumably lost their jobs when the business went down.
To clarify, the AWS servers were never actually hacked, and the Code Spaces database wasn’t stolen. What appears to have happened is that the attacker found a way to access the control panel but didn’t have access to the private keys.
Was the attack preventable? It’s not clear what steps Code Spaces took to regain control, just that significant damage was done while the team was locked out. What’s clear is that it’s a bad idea to rely on just one service for your whole infrastructure.
Code Spaces don’t believe the attack was perpetrated by an ex- or current employee, so 2FA (two-factor authentication) may also have prevented the attack. They also didn’t have a disaster/incident response plan in place. If they had moved quickly and informed AWS early, it’s highly probable they could’ve saved the day — and the business.
Types of Attack
There are many different types of DDoS attack, but some are more common than others. The most common are:
- TCP Connection Attacks – these attempt to use up all of the available connections to infrastructure devices such as load balancers, app servers and firewalls.
- Volumetric Attacks – these consume bandwidth within the target network and/or between the network and the rest of the internet.
- Fragmentation Attacks – these send a flood of UDP or TCP fragments to the target network/victim, overwhelming its ability to reassemble the streams and so reducing performance significantly.
- Application Attacks – these can be effective even without a huge botnet: just a few attacking machines are needed, as they attempt to overwhelm a specific part of an app or service.
- NTP-based Attacks – these are becoming more common and can amplify traffic in much the same manner as a fragmentation attack, by using the NTP protocol to request large replies.
Stopping DDoS Attacks
[Figure: a map of global DDoS attacks taking place in real time – attacks are displayed as dotted lines showing the source and destination countries of attack traffic.]
Sadly, Code Spaces is far from an isolated case and DDoS attacks are extremely difficult, if not nigh on impossible, to detect and prevent. According to the latest Quarterly Global DDoS Attack Report commissioned by Prolexic, compared to the same period in 2013, there’s been a 22% increase in attacks in 2014.
These days, the majority of attacks use botnets. They are the most effective form of attack: they distribute the attack completely and they are relatively simple to perform. Most botnets recruit Windows computers as bots, but in 2012 the Flashback botnet infected more than 600,000 Macs.
Not every cyber-attacker will own a botnet, but you can rent them by the hour for as little as $200 per day. Ideal for a couple of afternoons’ work extorting cash from website owners.
The perfect solution would be to eliminate botnets, but since we’re not winning the fight against cybercrime as malware authors become increasingly sophisticated, this doesn’t look likely.
Prevention is Key
One simple way to avoid an attack is to buy more bandwidth, but this isn’t enough to stop a large-scale attack. It’s better, where possible, to have a number of servers scattered throughout multiple data centers and to use good load balancing, which can be provided through cloud services such as that offered by Rackspace.
There are commercial services available from a few companies that can help to mitigate the risk and to clean up quickly when one of their customers is attacked. Again, this is achieved by having a large scale network and it’s safe to assume that these may be priced too highly for many smaller businesses or individuals.
CDNs (content delivery networks) can also be used to send files to customers in a distributed manner, which can also help to protect against DDoS attacks.
Protecting your Network
Tie your network down as much as possible to help prevent attacks. Ensure routers are properly configured, drop junk packets and if you don’t need certain protocols such as ICMP to be running, then stop them. You should also have a high-quality hardware firewall in place and ensure that all connected machines are running security software and have all of the latest software patches applied for both the OS and other, third-party software, such as Office, Adobe products and Java.
Many modern websites rely on dynamic resources, which makes risk harder to mitigate: even a relatively small attack often leads to database failure. Consider the use of caching servers to provide static content where possible.
It’s also a good idea to have a monitoring system in place, as DDoS attacks tend to get gradually worse as the attack takes hold. The earlier that you can be alerted and take action, the better chance you have. Monitors should first be put in place to record what’s considered to be ‘normal traffic’ for the network. Then alerts should be set up so that if an increase in bandwidth and network traffic is detected, the IT admin can be notified and try to mitigate the attack.
Early detection is key if a full-scale attack is to be avoided, and even then it’s difficult to do much about it without more bandwidth than the attacker. Worse, the size of individual DDoS attacks is also increasing.
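The baseline-then-alert monitoring the text recommends, as an added example that is not part of the original article. It records a known-normal period of requests per minute, sets a threshold a few standard deviations above it, and only escalates to critical when the excess is sustained, so a single spike is not treated as an attack but a gradual ramp is. Both traffic samples are constructed.

```python
from statistics import mean, pstdev

# Constructed sample: requests per minute during a known-normal period.
NORMAL_RPM = [410, 395, 430, 402, 418, 388, 425, 415, 399, 421, 408, 412,
              417, 405, 396, 423, 411, 400, 419, 407]

# Constructed sample: a live window where traffic climbs gradually, as the
# article says DDoS attacks tend to, before becoming a sustained flood.
LIVE_RPM = [414, 409, 455, 520, 640, 910, 1380, 2100, 3400, 5200]


def build_baseline(samples, k=3.0):
    """Summarise a known-normal period as (mean, std dev, alert threshold).
    Anything more than k standard deviations above the mean is abnormal."""
    m = mean(samples)
    sd = pstdev(samples)
    return m, sd, m + k * sd


def evaluate(live, baseline, sustained=3):
    """Walk a live window and return a list of (minute_index, level, rpm).
    'warning' fires on the first minute above threshold; 'critical' fires
    once `sustained` consecutive minutes exceed it. A one-minute burst
    therefore only warns, while a ramp that keeps climbing escalates."""
    _, _, threshold = baseline
    alerts = []
    streak = 0
    for i, rpm in enumerate(live):
        if rpm > threshold:
            streak += 1
            if streak == 1:
                alerts.append((i, "warning", rpm))
            elif streak == sustained:
                alerts.append((i, "critical", rpm))
        else:
            streak = 0
    return alerts


def main():
    baseline = build_baseline(NORMAL_RPM)
    m, sd, threshold = baseline
    print(f"baseline mean={m:.1f} sd={sd:.1f} threshold={threshold:.1f}")
    for i, level, rpm in evaluate(LIVE_RPM, baseline):
        print(f"minute {i}: {level.upper()} at {rpm} rpm")


if __name__ == "__main__":
    main()
```

In a real deployment the baseline would be rebuilt periodically from recent quiet traffic, and bytes per second or connections per second would be tracked alongside requests per minute.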
Putting Together an Incident Response Plan
In order to be able to respond quickly to any threat, and especially to loss of data, an incident response plan is vital to a business’s survival. While many companies don’t employ a plan, they’re not difficult to write and implement, and they are a key part of getting systems back to normal quickly.
The document should cover:
- Emergency response plan: This should cover what needs to be done immediately in order to set the plan into action. If authority is needed in order for the plan to be launched, then contact information and procedures should be listed here first.
- People: A list of important contacts such as the IT support company used and the key contact person should be provided. Additionally, it’s important to assign at least one person who deals with backup and recovery so that systems can be brought online again with a minimum of downtime. If the company employs a DDoS protection service, then these should also be on the list as well as the names of the key internal IT staff and those responsible for implementing business continuity plans.
- Documentation: This should list where all the relevant documentation can be found for any given situation. Remember that incident response plans will cover things such as fire and theft too, so it’s important that all information, even that kept offsite, can be accessed for all eventualities.
- Backup and recovery procedures: This should cover how the data is backed up and where it’s stored, as well as who is responsible and what rules have to be followed with regards to regulations for things like PCI DSS.
- Alternative downtime technology: In the event of downtime, loss in revenue is often made worse as staff can’t physically work at their machines as usual. With this in mind, it’s a good idea to make provisions so that work can continue as much as possible away from the network. This could mean employees working from home while the system is recovered, or the setting up of backup systems for key personnel.
- Policies and procedures: To prevent people running around like headless chickens, it’s important to set up step-by-step procedures for them depending on their role. For example, IT staff should inform support companies and suppliers, and there should be clear instructions and contacts contained within the document which enable them to do so quickly and confidently.
It’s important staff are aware of the plan and what their particular role requires them to do. It’s also vital to revisit the plan regularly as new practices within the company come into play to ensure it’s always up-to-date.
What can the Community Do?
Aside from locking down our own networks as much as possible, blocking those ports at firewall level that don’t need to be routing traffic, and monitoring bandwidth and files, there’s not a great deal the average person can do. However, as a community, it’s easiest to fight back through education. DDoS attacks are much higher in the public consciousness since Anonymous and LulzSec began to appear more regularly in the news, especially when they hit large targets such as PayPal.
These hacktivist groups are all but dead in the water now since the FBI and other international law enforcement agencies prosecuted many of the groups’ leaders. But they have meant that more people are aware of the existence of such attacks.
It’s the responsibility of the internet community to be vigilant and to do what they can to educate people about malware. About 80,000 people per day still fall for phishing scams, which often seem very obvious to the knowledgeable.
We can tell our clients — after all, a business client that understands how their profits might be affected is likely to listen — how to protect themselves. We can tell family and friends and ensure that we get involved in discussion. Social media is a great channel and there are online resources which alert people to common scams such as Hoax Slayer and Snopes, which can help to boost education.
Good protection at individual machine and network level is vital to overcoming the issue in the long term. Prevention, network protection, and a robust incident response plan can help keep you safe. But the issue is wider than that: Unless the wider community is aware of the dangers, they’ll continue to be infected with malware, recruited to botnets, and DDoS attacks will continue to damage businesses.
Have you prepared an incident response plan? What have your experiences dealing with online threats taught you?