
Attacks/Breaches | Commentary
6/11/2015 10:30 AM
Dave Larson

From GitHub to Great Cannon: A Mid-Year Analysis Of DDoS Attacks

The new and common face of DDoS today is its use as a smokescreen to conceal malicious activity in an overwhelming burst of traffic that stretches security layers to the brink.

One timeless cybersecurity truism is that adversaries continuously adapt and refine their tactics. Often, repurposing a well-understood attack method is valuable because defenders think they see a familiar episode coming – and overlook what is actually happening to their networks. To this end, the last six months show us important ways attackers are adapting distributed denial-of-service (DDoS) attacks. They are proving that what looks like an opportunistic nuisance at first can actually be part of an intricate break-in.

Recent headlines are dominated by issues like the infiltration of point of sale (POS) systems or destructive malware found at Sony Pictures. One might think DDoS threats are lower priority - a blunt force weapon for hacktivists seeking headlines more than harm. Reading between the lines, however, it is worth noting what the past half year is teaching us about DDoS trends. Not only have DDoS tactics evolved, but these attacks are placing new victims in the crosshairs while quietly flying under security teams’ radars.

These Aren’t Yesterday’s DDoS Attacks
Years ago, DDoS attacks were one-dimensional affairs – attackers tried all-out traffic deluges to knock websites or applications offline. The resulting noticeable disruption, itself, was the prime objective. However, today’s cyber attacks are more akin to Ocean’s Eleven than “smash-and-grab.” Attackers need intricacy to overcome tougher network defenses, and this is where DDoS can play an important role: Maybe not in “cracking the safe,” to continue the bank heist analogy, but surely for distracting guards or flattening doors and security cameras outside the vault.

Independent data from multiple DDoS researchers suggests that while there will always be large-scale, classic DDoS attacks sending websites reeling, the new and far more common face of DDoS is its use as a “masking agent” and security degradation tool at the perimeter. In essence, if you need to conceal something malicious, bury it within an overwhelming mass of traffic and fire it at the target’s front gates extremely fast. If an attacker is experienced - or lucky - that short, precision burst will stretch security layers to the brink. These masking attacks succeed by exploiting narrow but common gaps: they find the point where perimeter security defenses “fail open” due to overload, yet stay below the point where traffic anomalies prompt security teams to activate emergency, out-of-band anti-DDoS capacity. As an added bonus for attackers, the same short burst of traffic that delivers malware can overwrite and obscure log data that forensic teams will require, helping attackers cover their tracks.

This new twist on DDoS is on the rise. In the fourth quarter of 2014, the average enterprise was hit approximately 3.9 times per day, and many of these attacks were likely to overload security defenses but not of the caliber that would degrade service at the Web servers.
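As an added illustration (not code from the article or from Corero), the following Python sketch models the gap described above: a per-second traffic rate that exceeds what an inline perimeter tier can handle (where it may fail open) while the trailing long-window average never reaches the threshold that would trigger out-of-band scrubbing. The capacities, thresholds and traffic samples are constructed assumptions, not measurements from the article.

```python
import math
from collections import deque

# Assumed (hypothetical) capacities: the inline firewall/IPS tier begins to fail open
# above 80k pps; out-of-band scrubbing is triggered only when the trailing
# 60-second average reaches 60k pps.
INLINE_CAPACITY_PPS = 80_000
SCRUB_TRIGGER_AVG_PPS = 60_000
LONG_WINDOW_SECS = 60


def baseline_then_burst():
    """Constructed traffic: 60 s at ~5k pps, a 6 s burst at 150k pps, then baseline."""
    return [5_000] * 60 + [150_000] * 6 + [5_000] * 54


def find_masking_bursts(pps_samples, inline_cap=INLINE_CAPACITY_PPS,
                        scrub_avg=SCRUB_TRIGGER_AVG_PPS, window=LONG_WINDOW_SECS):
    """Return (start_sec, end_sec, peak_pps) spans where the per-second rate exceeds
    the inline tier's capacity while the trailing long-window average stays below
    the scrubbing trigger: overload without a volumetric alarm. Any such span is a
    cue to check for log gaps and correlate with other alerts from that interval."""
    window_buf = deque(maxlen=window)
    spans, start, peak = [], None, 0
    for sec, pps in enumerate(pps_samples):
        window_buf.append(pps)
        long_avg = sum(window_buf) / len(window_buf)
        overloaded = pps > inline_cap
        alarmed = long_avg >= scrub_avg
        if overloaded and not alarmed:
            if start is None:
                start, peak = sec, pps
            peak = max(peak, pps)
        elif start is not None:
            spans.append((start, sec - 1, peak))
            start = None
    if start is not None:
        spans.append((start, len(pps_samples) - 1, peak))
    return spans


def seconds_to_alarm(burst_pps, baseline_pps, scrub_avg=SCRUB_TRIGGER_AVG_PPS,
                     window=LONG_WINDOW_SECS):
    """Seconds a constant burst must last, starting from a window full of baseline
    traffic, before the trailing average reaches the scrubbing trigger. A burst
    shorter than this never trips the volumetric alarm at all."""
    if burst_pps <= baseline_pps:
        return None  # a burst at or below baseline can never raise the average
    return math.ceil(window * (scrub_avg - baseline_pps) / (burst_pps - baseline_pps))
```

With the assumed numbers a 150k pps burst must run for 23 seconds before the 60-second average trips the scrubbing trigger, so the six-second burst in the sample is flagged as a masking burst and nothing else fires.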

Unsuspecting Victims in the Crosshairs
Adding to the changing toll of DDoS attacks is the fact that they now strike a more diverse range of businesses, because malicious actors can apply the same common attack techniques to almost any target. Attacks used to be launched against large organizations such as financial services firms. But more recently video game platforms, such as the PlayStation Network and Xbox, and the popular code repository GitHub have been high-profile victims.

Attacks on gaming and entertainment platforms show that the success of these properties has taken them into attackers’ crosshairs. These attacks could have significant financial impacts for these companies, since subscribers may not be able to use purchased content or they may develop negative impressions of a service’s reliability and security.

For hosting services beyond GitHub, the era of fluid on-demand hosting is proving to be a double-edged sword. On the one hand, it is easier than ever to set up an accessible online web property and competitively earn a lot of business. However, any individual hosted customer’s code could be a magnet for attacks from all manner of adversaries. Hosting firms can be safely anonymous one day - and suddenly fending off damaging DDoS attacks the next. Therefore, hosting providers have to assume that their infrastructures will be under perpetual attack regardless of the apps and data they support.

Why “Great Cannon” Reverberates
Many sensitive enterprises are likely asking their hosting providers and security teams if they could withstand an attack from China’s reputed “Great Cannon” system of rerouting certain types of Web traffic to serve as DDoS salvos. Because Great Cannon plays into geopolitics, it reminds many audiences that DDoS attacks figure into some of the most volatile front lines around network defense, free speech and anti-censorship.

Once you look past the international relations angle, however, it becomes apparent that the Great Cannon episode simply underscores the Internet’s vulnerability any time attackers manipulate traffic. In this case, it was relatively easy for an adversary to take advantage of common Web traffic, susceptible routers and PCs, and turn even benign Web browsing for information on anti-censorship tools into a means of effectively suppressing an online repository where those tools were available.

Every isolated or spectacular cyber assault sets quiet precedent, so where will the next “Great Cannon” be fired – and for what type of geopolitical, extortion, or other motive? We have to realize that techniques like DDoS are never retired – they are simply used at different scale and specificity.

DDoS Perpetrators Benefit from “Breach Fatigue”
Over the past year, many security teams have faced pressure from executives and customers to do as much as they can to stop malware-driven data breaches. Compared to threats synonymous with stolen internal data, DDoS attacks are often perceived as an “external” issue with less-immediate consequences. Yet attackers are finding new ways to apply DDoS tactics, and their ability to mask malware, alone, means this is a changing breed of threat that defenders cannot afford to overlook or misinterpret.

Security teams are hard pressed to match wits with every threat, every time. However, it is imperative that they keep an eye on attackers’ latest DDoS masks and smokescreens. Staying ahead of the DDoS curve can go a long way to ensuring that you have a robust and adaptive security operation.

Dave Larson is the Chief Technology Officer (CTO) and Vice President, Product, at Corero Network Security. He has more than 20 years of experience in the network security, data communication and data center infrastructure industries, having served as CTO for HP Networking, ...
