When Is DDoS a Ruse?

The article below highlights how a distributed denial of service (DDoS) attack can be used as a ruse to direct attention “over here” while the bad guys get to work “over there”.
It also points out the value of outsourcing certain portions of IT security to an external provider — one who likely has significantly more experience dealing with such issues and thus is more qualified to handle them quickly and professionally.
Article by Ian Murphy in Business-Cloud.com.
Emphasis in red added by me.
Brian Wood, VP Marketing

When companies come under cyber attack, their primary concern is keeping the business running but few do a good enough job of examining what happened.
Companies are increasingly suffering from Distributed Denial of Service attacks. These flood servers with requests until the servers slow down or stop. Even when a company has its servers hosted in the cloud, the attack can be so severe that the only solution is to activate a disaster recovery plan where services are restored from a different location.
Although only 30% of UK companies, less than half the number in the US, were subjected to a DDoS attack in 2013, the size and misdirection of the attacks were more serious. Some UK companies were lucky to be hit just once over the year, while 9% were hit weekly and 10% claim to have given up counting.
These are not simple attacks. According to research from Neustar, 30% of the attacks last 1-2 days with longer lasting attacks, such as those persisting for a week, making up 9% of the total. That 9% is good news because in 2012 over 22% of companies surveyed claimed attacks had lasted a week or more.
The size of the attacks has become a serious cause for concern. This is due to the ready availability of botnets, the speed with which rental prices for them have fallen and the increase in computers attached to high-bandwidth Internet. Between 2012 and 2013, attacks using bandwidth of between 1 and 20Gbps increased from 19% to 57%. This growth exceeds the available bandwidth of many small to mid-size companies and is a major reason why they are so effective.
The largest attack measured by Neustar came in early 2014 when it saw an attack of 400Gbps. An attack of that size is capable of taking down some of the very largest of companies.

Hacktivists and criminals using smokescreens for other attacks.

While some of the attacks come from hacktivists and those with a grudge against the company or its products, the vast majority are now being launched by cyber criminals. In both cases, DDoS attacks are being used to generate a smokescreen and misdirect security, much in the same way a street thief will make sudden moves to distract their victim.
When companies did a thorough investigation into the DDoS attacks and their responses, 42% were shocked to realise that they had been the victims of theft and other damage. Hacktivists will often use DDoS to give them time to deface websites and look for data to back up their claims and causes.
Criminals, however, have a very different agenda. The DDoS attacks that were launched by criminal gangs targeted financial data and funds, customer data and, increasingly, intellectual property. The scale of the success is still relatively small, but in one case in the US the DDoS attack masked an attack on bank customer credentials that led to over $9 million being stolen in just 40 hours from ATMs.
What makes it easy for criminals to get away with this is the low level of education and knowledge around how DDoS is being used to misdirect security teams. Rodney Joffe, Neustar Senior Vice President and Senior Technologist, says “when there’s a tremendous storm, you run around your house making sure all the windows are closed and you’ve got the flashlights ready. You’re not worried about anything else.
“DDoS attacks are similar. They create a hands-on-deck mentality, which is understandable but dangerous.” What Joffe is referring to is that a large DDoS attack pulls in the entire operations and security teams to deal with mitigation. That means that nobody is watching firewalls and other parts of the security system.

Spotting and mitigating a DDoS attack

The challenge for many companies in dealing with a DDoS attack is not what to do when it happens but how to spot it coming.

  1. Understand your network architecture.
  2. Map traffic patterns to see what is normal.
  3. Actively try to identify data being exfiltrated, to separate what is going to trusted external apps from what is being stolen.
  4. Talk to your network provider to see what processes they have to detect and mitigate attacks.
  5. Review security training for all staff, especially around DDoS and how to spot misdirection.
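
Steps 2 and 3 above (map what is normal, then look for exfiltration hiding behind the flood) can be turned into a simple detection routine. The script below is an added illustration, not code from the article or from Neustar: it builds a per-destination baseline of outbound bytes from quiet minutes, flags minutes whose inbound volume is far above baseline (the flood), and within those minutes reports outbound transfers to hosts that are neither on the allow-list of trusted external apps nor consistent with their own baseline. The flow records, the IP addresses (RFC 5737 documentation ranges), the allow-list and the byte thresholds are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed allow-list of external services the business legitimately sends data to
# (e.g. a cloud backup provider). Constructed for this example.
TRUSTED_EXTERNAL = {"203.0.113.10"}

# Floor under which a transfer to a never-seen destination is not worth an alert.
MIN_SUSPICIOUS_BYTES = 1_000_000


def make_sample_flows():
    """Constructed flow records: (minute, direction, peer, bytes).

    Minutes 0-9 are normal traffic. Minutes 10-12 contain an inbound flood from
    twenty sources and, hidden behind it, a large outbound transfer to an
    unknown host. All addresses are documentation ranges.
    """
    flows = []
    for minute in range(10):
        flows.append((minute, "in", "203.0.113.50", 200_000))   # web client requests
        flows.append((minute, "out", "203.0.113.50", 800_000))  # web responses
        flows.append((minute, "out", "203.0.113.10", 300_000))  # trusted backup
    for minute in range(10, 13):
        for i in range(1, 21):
            flows.append((minute, "in", f"198.51.100.{i}", 5_000_000))  # flood
        flows.append((minute, "out", "203.0.113.50", 200_000))   # degraded responses
        flows.append((minute, "out", "203.0.113.10", 300_000))   # trusted backup
        flows.append((minute, "out", "192.0.2.99", 30_000_000))  # unexplained outbound
    return flows


def bytes_per_minute(flows, direction):
    """Total bytes per minute in one direction ("in" or "out")."""
    totals = defaultdict(int)
    for minute, d, _peer, n in flows:
        if d == direction:
            totals[minute] += n
    return totals


def outbound_per_dest(flows):
    """Outbound bytes per minute, broken down by destination."""
    totals = defaultdict(lambda: defaultdict(int))
    for minute, d, peer, n in flows:
        if d == "out":
            totals[minute][peer] += n
    return totals


def threshold(samples, sigma=3.0):
    """Mean plus sigma standard deviations of the baseline samples."""
    return mean(samples) + sigma * pstdev(samples)


def detect_flood_minutes(flows, baseline_minutes, sigma=3.0):
    """Minutes outside the baseline window whose inbound volume exceeds baseline."""
    inbound = bytes_per_minute(flows, "in")
    limit = threshold([inbound.get(m, 0) for m in baseline_minutes], sigma)
    return sorted(m for m, n in inbound.items()
                  if m not in baseline_minutes and n > limit)


def find_exfil_candidates(flows, baseline_minutes, sigma=3.0):
    """During flood minutes, outbound transfers to untrusted hosts above their baseline.

    Returns a list of (minute, destination, bytes) tuples.
    """
    per_dest = outbound_per_dest(flows)
    dests = {dst for by_dst in per_dest.values() for dst in by_dst}
    limits = {}
    for dst in dests:
        samples = [per_dest.get(m, {}).get(dst, 0) for m in baseline_minutes]
        # A destination never seen in the baseline has a limit of zero, so apply
        # an absolute floor to avoid alerting on every small new connection.
        limits[dst] = max(threshold(samples, sigma), MIN_SUSPICIOUS_BYTES)
    findings = []
    for minute in detect_flood_minutes(flows, baseline_minutes, sigma):
        for dst, n in per_dest.get(minute, {}).items():
            if dst in TRUSTED_EXTERNAL:
                continue  # expected traffic to an allow-listed service
            if n > limits[dst]:
                findings.append((minute, dst, n))
    return findings


if __name__ == "__main__":
    flows = make_sample_flows()
    print("flood minutes:", detect_flood_minutes(flows, range(10)))
    for minute, dst, n in find_exfil_candidates(flows, range(10)):
        print(f"minute {minute}: {n:,} bytes to untrusted host {dst}")
```

The point of the split into two functions is the one Joffe makes: the flood detector is what everyone watches, while the exfiltration check runs on the same minutes and is what nobody is watching. In a real deployment the baseline would come from NetFlow/sFlow or firewall logs over days rather than ten constructed minutes, and the allow-list would be maintained from the network map in step 1.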

There are other things that can be done such as regularly reviewing security products and considering moving your DNS into the cloud. This helps alleviate training gaps and improve security through the use of bigger security teams.
Another option is to look at the security solutions you have in house and decide which ones can be maintained by internal staff and which could be remotely managed by a partner.
DDoS is a nasty problem but Neustar are keen to point out that it can be managed. The most important thing when under attack is to ask “is this just a DDoS or could something else be going on?”