Another day, another distributed denial of service (DDoS) attack. This time, banks in Indonesia and South Korea are bolstering security after being hit by a flood of network traffic designed to take down their web sites. These are the attacks we’ve become accustomed to since Mafiaboy — Canada’s home-grown hacking nuisance — began serving them up in 2000.
Thanks to Mafiaboy and modern attackers like the hacktivist group Anonymous, we normally think of DDoS as a sledgehammer designed to hammer an online service until it goes offline. But sometimes, things can be more nuanced than that.
Conventional DDoS attacks involve pointing hordes of hacked machines at your target and pressing the ‘go’ button. The machines all send network traffic to the server (such as TCP/IP handshake requests and ICMP messages) until its bandwidth becomes clogged, meaning it can’t serve any legitimate requests. This approach, which relies on the sheer volume of traffic, is certainly one way to do it, and it’s known as a volumetric, network-layer attack. It isn’t the only kind, though.
There are also application-layer attacks, which are far harder to spot. Instead of yelling at a server until it submits, they whisper quietly to it, and send it mad. They are also known as layer 7 attacks, because instead of sending at layers 2 and 3 of the OSI network stack designed to facilitate conversations with routers and computers, they focus on higher-level communications with the applications that run on those computers.
An application-layer attack talks to database and web server software. It issues repeated requests designed to make these applications use more CPU and memory resources. ‘Please let me download that file,’ it might say. Or ‘I just filled out your web form, can you process it?’ Or ‘can you run this database query?’ This pestering requires far less bandwidth to be effective, eventually downing the server while possibly leaving the network connection up.
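The defining property of the attack just described is that bandwidth is a poor measure of it: a handful of requests can cost the server far more work than thousands of cheap ones. The following added example (not code from the article or from any vendor it names) shows one way a defender can account for that: a per-client token bucket in which each request consumes its estimated processing cost rather than a single token. The route costs, IP addresses and traffic pattern are constructed for illustration.

```python
from collections import defaultdict

# Constructed, hypothetical per-route cost estimates: roughly how much server
# work a request causes, relative to serving one small static file.
ROUTE_COST = {
    "/static": 1,
    "/download": 10,
    "/form/submit": 25,
    "/search": 40,
}


class CostBudget:
    """Token bucket keyed by client, where each request consumes its estimated
    cost instead of one token, so a low-rate stream of expensive requests is
    throttled while a high-rate stream of cheap ones is not."""

    def __init__(self, capacity: float, refill_per_sec: float):
        self.capacity = capacity
        self.refill = refill_per_sec
        self._tokens = {}  # client -> (tokens, last_seen_time)

    def allow(self, client: str, route: str, now: float) -> bool:
        cost = ROUTE_COST.get(route, 5)  # unknown routes get a middling cost
        tokens, last = self._tokens.get(client, (self.capacity, now))
        # Replenish according to elapsed time, capped at the bucket capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens >= cost:
            self._tokens[client] = (tokens - cost, now)
            return True
        self._tokens[client] = (tokens, now)
        return False


def simulate(budget: CostBudget, requests):
    """requests: iterable of (time, client, route).
    Returns {client: (allowed_count, rejected_count)}."""
    out = defaultdict(lambda: [0, 0])
    for t, client, route in requests:
        idx = 0 if budget.allow(client, route, t) else 1
        out[client][idx] += 1
    return {c: tuple(v) for c, v in out.items()}


def constructed_traffic():
    """Constructed five-second window: one chatty-but-cheap client and one
    quiet-but-expensive client (the application-layer pattern)."""
    reqs = []
    for t in range(5):
        reqs += [(t, "10.0.0.1", "/static")] * 20   # 20 req/s, cost 1 each
        reqs += [(t, "10.0.0.2", "/search")] * 2    # 2 req/s, cost 40 each
    return reqs


def demo():
    budget = CostBudget(capacity=100, refill_per_sec=20)
    return simulate(budget, constructed_traffic())


if __name__ == "__main__":
    for client, (ok, rejected) in demo().items():
        print(f"{client}: allowed={ok} rejected={rejected}")
```

With a budget of 100 units and a refill of 20 units per second, the client sending 20 static requests per second is never throttled, while the client sending only two search requests per second has 6 of its 10 requests rejected. A plain request-count limiter would have treated the second client as the better-behaved one.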
A more insidious DDoS threat
Web application attacks are becoming more popular. They grew by a quarter between Q4 2015 and Q1 2016, according to Akamai’s Q1 DDoS report. They are a significant threat, because they can be more difficult to detect. Along with some volumetric attacks, they are also contributing to a relatively new class of attack, known as ‘dark’ or ‘smokescreen’ DDoS. These attacks don’t seek to knock a service completely offline just for the sake of it, explained Bogdan Botezatu, senior e-threat analyst at security software company Bitdefender.
“Dark DDoS is a technique used by attackers to distract IT administrators from network breaches,” he explained. “By using low-bandwidth denial of service attacks to fill logging systems with massive amounts of DDoS-related data, attackers are able to mask the network’s breach and avoid being detected.”
These attacks misdirect IT staff into grappling with the DDoS traffic to stop their computing services from slowing down or stopping. At the same time, they make the attacker’s real actions — typically inserting malware or exfiltrating data — more difficult to see. Their very nature makes them difficult to detect.
These attacks typically serve less than 1 Gbit/sec of traffic, which is relatively small in DDoS terms. In the first quarter of this year alone, there were 16 volumetric DDoS attacks each serving up over 100 Gbit/sec of traffic, said Akamai. These small attacks can be difficult to mitigate using conventional anti-DDoS services.
So while watching for DDoS activity is an obvious piece of advice for IT operations staff, they would do well to heed another: watch your logs. A smaller DDoS attack could conceal something more sinister, serving as a Trojan horse for a more targeted, intelligent attack on your computing assets that goes beyond simply causing confusion and delay. Proper log analysis software and security analytics can serve alongside inline DDoS mitigation tools as a way to stop attackers taking out your computing resources while slipping something nasty into your system.
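The practical difficulty with "watch your logs" during a smokescreen DDoS is that the flood itself is what fills the logs. The added example below (not code from the article, Akamai or Bitdefender) illustrates one triage approach: parse web server access-log lines, set aside the sources that account for a disproportionate share of requests, and then look for low-volume anomalies among the remaining traffic, such as an unusually large response or a hit on a sensitive path. All log lines, addresses, paths and thresholds are constructed for the example.

```python
import re
from collections import Counter
from statistics import median

# Constructed sample lines in Apache/Nginx combined-log style. Every address,
# path and byte count here is made up for the example.
LOG_LINES = []
# The flood: four sources hammering an expensive search endpoint.
for i in range(200):
    ip = f"198.51.100.{i % 4 + 1}"
    LOG_LINES.append(
        f'{ip} - - [10/May/2016:12:00:{i % 60:02d} +0000] '
        f'"GET /search?q=a{i} HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'
    )
# Ordinary users.
LOG_LINES += [
    '203.0.113.7 - - [10/May/2016:12:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/May/2016:12:00:11 +0000] "GET /static/app.js HTTP/1.1" 200 8200 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2016:12:00:13 +0000] "POST /form/submit HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
# The quiet event buried in the noise: a single request pulling a large export.
LOG_LINES.append(
    '192.0.2.44 - - [10/May/2016:12:00:41 +0000] '
    '"GET /export/customers.csv HTTP/1.1" 200 48000000 "-" "curl/7.47.0"'
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse(line: str):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    d["status"] = int(d["status"])
    return d


def split_flood(entries, share=0.10):
    """Return (noisy_ips, quiet_entries). A source is 'noisy' when it alone
    accounts for more than `share` of all requests in the window."""
    by_ip = Counter(e["ip"] for e in entries)
    total = len(entries)
    noisy = {ip for ip, n in by_ip.items() if n / total > share}
    quiet = [e for e in entries if e["ip"] not in noisy]
    return noisy, quiet


def find_anomalies(quiet, size_factor=20,
                   watch_prefixes=("/export", "/admin", "/backup")):
    """Among the quiet sources, flag oversized responses (relative to the
    median non-empty response) and requests for sensitive path prefixes."""
    sizes = [e["bytes"] for e in quiet if e["bytes"] > 0]
    baseline = median(sizes) if sizes else 0
    flagged = []
    for e in quiet:
        reasons = []
        if baseline and e["bytes"] > baseline * size_factor:
            reasons.append(f"response {e['bytes']} bytes vs median {baseline:.0f}")
        if e["path"].startswith(watch_prefixes):
            reasons.append("sensitive path")
        if reasons:
            flagged.append((e["ip"], e["method"], e["path"], reasons))
    return flagged


def triage(lines):
    """Full pass: parse, separate the flood, then inspect what is left."""
    entries = [e for e in (parse(line) for line in lines) if e]
    noisy, quiet = split_flood(entries)
    return noisy, find_anomalies(quiet)


if __name__ == "__main__":
    noisy, flagged = triage(LOG_LINES)
    print("flood sources set aside:", sorted(noisy))
    for ip, method, path, reasons in flagged:
        print(f"ANOMALY {ip} {method} {path}: {'; '.join(reasons)}")
```

On the constructed input the four flood sources are set aside and the one large export download from an otherwise quiet address is the only line reported. The share threshold and size factor are deliberately simple; in practice they would be tuned against the site's normal traffic, and the same separation step can feed whatever analytics platform is already in place.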