Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Dave Larson
Dave Larson
Connect Directly
E-Mail vvv

From GitHub to Great Cannon: A Mid-Year Analysis Of DDoS Attacks

The new and common face of DDoS today is its use as a smokescreen to conceal malicious activity in an overwhelming burst of traffic that stretch security layers to the brink.

One timeless cybersecurity truism is that adversaries continuously adapt and refine their tactics. Often, repurposing a well-understood attack method is valuable because defenders think they see a familiar episode coming – and overlook what is actually happening to their networks. To this end, the last six months show us important ways attackers are adapting distributed denial-of-service (DDoS) attacks. They are proving that what looks like an opportunistic nuisance at first can actually be part of an intricate break-in.

Recent headlines are dominated by issues like the infiltration of point of sale (POS) systems or destructive malware found at Sony Pictures. One might think DDoS threats are lower priority - a blunt force weapon for hacktivists seeking headlines more than harm. Reading between the lines, however, it is worth noting what the past half year is teaching us about DDoS trends. Not only have DDoS tactics evolved, but these attacks are placing new victims in the crosshairs while quietly flying under security teams’ radars.

These Aren’t Yesterday’s DDoS Attacks
Years ago, DDoS attacks were one-dimensional affairs – attackers tried all-out traffic deluges to knock websites or applications offline. The resulting noticeable disruption, itself, was the prime objective. However, today’s cyber attacks are more akin to Ocean’s Eleven than “smash-and-grab.” Attackers need intricacy to overcome tougher network defenses, and this is where DDoS can play an important role: Maybe not in “cracking the safe,” to continue the bank heist analogy, but surely for distracting guards or flattening doors and security cameras outside the vault.

Independent data from multiple DDoS researchers suggests that while there will always be large-scale, classic DDoS attacks sending websites reeling, the new and far more common face of DDoS is its use as a “masking agent” and security degradation tool at the perimeter. In essence, if you need to conceal something malicious, bury it within an overwhelming mass of traffic and fire it quickly at the target’s front gates extremely fast. If an attacker is experienced - or lucky - that short, precision burst will stretch security layers to the brink. These masking attacks succeed by exploiting narrow but common gaps; they find the point where perimeter security defenses “fail open” due to overload, yet evade the point where traffic anomalies prompt security teams to activate emergency, out-of-band anti-DDoS capacity. As an added bonus for attackers, the same short burst of traffic that delivers malware can overwrite and obscure log data that forensic teams will require, helping attackers cover their tracks.

This new twist on DDoS is on the rise. In the fourth quarter of 2014, the average enterprise was hit approximately 3.9 times per day, and many of these attacks were likely to overload security defenses but not of the caliber that would degrade service at the Web servers.

Unsuspecting Victims in the Crosshairs
Adding to DDoS attacks’ changing toll is the fact that these attacks are now striking more diverse types of businesses because malicious actors can now apply common attack techniques. Attacks used to be launched against large organizations such as financial services firms. But more recently video game platforms, such as the PlayStation Network and Xbox, and the popular code repository GitHub have been high-profile victims.

Attacks on gaming and entertainment platforms show that the success of these properties has taken them into attackers’ crosshairs. These attacks could have significant financial impacts for these companies, since subscribers may not be able to use purchased content or they may develop negative impressions of a service’s reliability and security.

For hosting services beyond GitHub, the era of fluid on-demand hosting is proving to be a double-edged sword. On the one hand, it is easier than ever to set up an accessible online web property and competitively earn a lot of business. However, any individual hosted customer code could be a magnet for attacks from all manner of adversaries. Hosting firms can be safely anonymous one day - and suddenly fending-off damaging DDoS attacks the next. Therefore, hosting providers have to assume that their infrastructures will be under perpetual attack regardless of the apps and data they support.

Why “Great Cannon” Reverberates
Many sensitive enterprises are likely asking their hosting providers and security teams if they could withstand an attack from China’s reputed “Great Cannon” system of rerouting certain types of Web traffic to serve as DDoS salvos. Because Great Cannon plays into geopolitics, it reminds many audiences that DDoS attacks figure into some of the most volatile front lines around network defense, free speech and anti-censorship.

Once you look past the international relations angle, however, it becomes apparent that the Great Cannon episode simply underscores the Internet’s vulnerability any time attackers manipulate traffic. In this case, it was relatively easy for an adversary to take advantage of common Web traffic, susceptible routers and PCs, and turn even benign Web surfing looking for information on anti-censorship tools to effectively suppress an online repository where those tools were available.

Every isolated or spectacular cyber assault sets quiet precedent, so where will the next “Great Cannon” be fired – and for what type of geopolitical, extortion, or other motive? We have to realize that techniques like DDoS are never retired – they are simply used at different scale and specificity.

DDoS Perpetrators Benefit from “Breach Fatigue”
Over the past year, many security teams have faced pressure from executives and customers to do as much as they can to stop malware-driven data breaches. Compared to threats synonymous with stolen internal data, DDoS attacks are often perceived as an “external” issue with less-immediate consequences. Yet attackers are finding new ways to apply DDoS tactics, and their ability mask malware, alone, means this is a changing breed of threats defenders cannot afford to overlook or misinterpret.

Security teams are hard pressed to match wits with every threat, every time. However, it is imperative that they keep an eye on attackers’ latest DDoS masks and smokescreens. Staying ahead of the DDoS curve can go a long way to ensuring that you have a robust and adaptive security operation.

Dave Larson is the Chief Technology Officer (CTO) and Vice President, Product, at Corero Network Security. He has more than 20 years of experience in the network security, data communication and data center infrastructure industries, having served as CTO for HP Networking, ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "The truth behind Stonehenge...."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-02
rakibtg Docker Dashboard before 2021-02-28 allows command injection in backend/utilities/terminal.js via shell metacharacters in the command parameter of an API request. NOTE: this is NOT a Docker, Inc. product.
PUBLISHED: 2021-03-02
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none.
PUBLISHED: 2021-03-02
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none.
PUBLISHED: 2021-03-02
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none.
PUBLISHED: 2021-03-02
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none.