From GitHub to Great Cannon: A Mid-Year Analysis Of DDoS Attacks

The new and common face of DDoS today is its use as a smokescreen to conceal malicious activity in an overwhelming burst of traffic that stretch security layers to the brink.

Dave Larson, CTO & VP, Product, Corero Network Security

June 11, 2015

5 Min Read

One timeless cybersecurity truism is that adversaries continuously adapt and refine their tactics. Often, repurposing a well-understood attack method is valuable because defenders think they see a familiar episode coming – and overlook what is actually happening to their networks. To this end, the last six months show us important ways attackers are adapting distributed denial-of-service (DDoS) attacks. They are proving that what looks like an opportunistic nuisance at first can actually be part of an intricate break-in.

Recent headlines are dominated by issues like the infiltration of point of sale (POS) systems or destructive malware found at Sony Pictures. One might think DDoS threats are lower priority - a blunt force weapon for hacktivists seeking headlines more than harm. Reading between the lines, however, it is worth noting what the past half year is teaching us about DDoS trends. Not only have DDoS tactics evolved, but these attacks are placing new victims in the crosshairs while quietly flying under security teams’ radars.

These Aren’t Yesterday’s DDoS Attacks
Years ago, DDoS attacks were one-dimensional affairs – attackers tried all-out traffic deluges to knock websites or applications offline. The resulting noticeable disruption, itself, was the prime objective. However, today’s cyber attacks are more akin to Ocean’s Eleven than “smash-and-grab.” Attackers need intricacy to overcome tougher network defenses, and this is where DDoS can play an important role: Maybe not in “cracking the safe,” to continue the bank heist analogy, but surely for distracting guards or flattening doors and security cameras outside the vault.

Independent data from multiple DDoS researchers suggests that while there will always be large-scale, classic DDoS attacks sending websites reeling, the new and far more common face of DDoS is its use as a “masking agent” and security degradation tool at the perimeter. In essence, if you need to conceal something malicious, bury it within an overwhelming mass of traffic and fire it quickly at the target’s front gates extremely fast. If an attacker is experienced - or lucky - that short, precision burst will stretch security layers to the brink. These masking attacks succeed by exploiting narrow but common gaps; they find the point where perimeter security defenses “fail open” due to overload, yet evade the point where traffic anomalies prompt security teams to activate emergency, out-of-band anti-DDoS capacity. As an added bonus for attackers, the same short burst of traffic that delivers malware can overwrite and obscure log data that forensic teams will require, helping attackers cover their tracks.

This new twist on DDoS is on the rise. In the fourth quarter of 2014, the average enterprise was hit approximately 3.9 times per day, and many of these attacks were likely to overload security defenses but not of the caliber that would degrade service at the Web servers.

Unsuspecting Victims in the Crosshairs
Adding to DDoS attacks’ changing toll is the fact that these attacks are now striking more diverse types of businesses because malicious actors can now apply common attack techniques. Attacks used to be launched against large organizations such as financial services firms. But more recently video game platforms, such as the PlayStation Network and Xbox, and the popular code repository GitHub have been high-profile victims.

Attacks on gaming and entertainment platforms show that the success of these properties has taken them into attackers’ crosshairs. These attacks could have significant financial impacts for these companies, since subscribers may not be able to use purchased content or they may develop negative impressions of a service’s reliability and security.

For hosting services beyond GitHub, the era of fluid on-demand hosting is proving to be a double-edged sword. On the one hand, it is easier than ever to set up an accessible online web property and competitively earn a lot of business. However, any individual hosted customer code could be a magnet for attacks from all manner of adversaries. Hosting firms can be safely anonymous one day - and suddenly fending-off damaging DDoS attacks the next. Therefore, hosting providers have to assume that their infrastructures will be under perpetual attack regardless of the apps and data they support.

Why “Great Cannon” Reverberates
Many sensitive enterprises are likely asking their hosting providers and security teams if they could withstand an attack from China’s reputed “Great Cannon” system of rerouting certain types of Web traffic to serve as DDoS salvos. Because Great Cannon plays into geopolitics, it reminds many audiences that DDoS attacks figure into some of the most volatile front lines around network defense, free speech and anti-censorship.

Once you look past the international relations angle, however, it becomes apparent that the Great Cannon episode simply underscores the Internet’s vulnerability any time attackers manipulate traffic. In this case, it was relatively easy for an adversary to take advantage of common Web traffic, susceptible routers and PCs, and turn even benign Web surfing looking for information on anti-censorship tools to effectively suppress an online repository where those tools were available.

Every isolated or spectacular cyber assault sets quiet precedent, so where will the next “Great Cannon” be fired – and for what type of geopolitical, extortion, or other motive? We have to realize that techniques like DDoS are never retired – they are simply used at different scale and specificity.

DDoS Perpetrators Benefit from “Breach Fatigue”
Over the past year, many security teams have faced pressure from executives and customers to do as much as they can to stop malware-driven data breaches. Compared to threats synonymous with stolen internal data, DDoS attacks are often perceived as an “external” issue with less-immediate consequences. Yet attackers are finding new ways to apply DDoS tactics, and their ability mask malware, alone, means this is a changing breed of threats defenders cannot afford to overlook or misinterpret.

Security teams are hard pressed to match wits with every threat, every time. However, it is imperative that they keep an eye on attackers’ latest DDoS masks and smokescreens. Staying ahead of the DDoS curve can go a long way to ensuring that you have a robust and adaptive security operation.

About the Author(s)

Dave Larson

CTO & VP, Product, Corero Network Security

Dave Larson is the Chief Technology Officer (CTO) and Vice President, Product, at Corero Network Security. He has more than 20 years of experience in the network security, data communication and data center infrastructure industries, having served as CTO for HP Networking, Vice President of the HP Networking Advanced Technology Group, Vice President of Integrated Product Strategy at TippingPoint, as well as other roles.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights