Today’s DDoS attacks bear little resemblance to the simple volumetric floods that gave the technique its name. No longer the preserve of hacktivists working from their bedrooms, today’s attacks have the power to wreak significant damage, as everyone affected by the TalkTalk and Carphone Warehouse breaches last year will know.
These attacks are far more sophisticated, deceptive and frequent. They are no longer designed simply to deny service, but to deny security: the flood acts as camouflage for more sinister activity, usually data theft and network infiltration.
We call this kind of attack ‘Dark DDoS’ because it acts as a smokescreen. It distracts IT teams from the real breach taking place behind it, whether that is data being exfiltrated, the network being mapped for vulnerabilities, or any of a host of other risks that follow from the attackers’ presence on the network.
In a large proportion of the data breaches reported over the last few years, a DDoS attack was in progress at the same time, as one component of a wider campaign, so attackers are clearly making significant use of the technique. But how do they use Dark DDoS for their nefarious ends, and how can security practitioners stay one step ahead?
Dark DDoS earns its place in the attacker’s toolkit because it evades the legacy scrubbing center solutions that are still widely deployed today. Before flooding a network with traffic, attackers tend to probe it for vulnerabilities and find pathways to the sensitive data they want to steal. The vast majority of DDoS attacks experienced by Corero customers during 2015 were smaller than 1Gbps, and more than 95% of them lasted 30 minutes or less. A traditional scrubbing center approach, which only diverts traffic once an attack has been detected and redirection arranged, would miss these attacks entirely, leaving security teams unaware that an attack had even taken place.
This vastly improves an attacker’s chances of keeping their real goals hidden from the security team. If the flood fills the logging systems with enormous numbers of DDoS-related events from firewalls, IPS and other security devices, the handful of events that record the actual intrusion are buried among them. That makes it far harder to spot and halt the breach and the data exfiltration that follows, and it complicates attack forensics and post-breach cleanup, since the evidence has to be recovered from the noise.
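The burying effect described above is easiest to see with a log. The following added example (not code from the original article or from Corero) constructs a firewall log in a simplified, hypothetical syslog-like format in which a spoofed UDP flood against a DNS resolver produces thousands of DENY events, and a single large outbound transfer from an internal host sits in the middle of them. The triage collapses each flood into one summary record so that the residual events can actually be reviewed. The record format, the internal address range, the flood threshold and the exfiltration byte threshold are all assumptions made for the example.

```python
"""Triage of a firewall log during a DDoS event flood.

Added example, not code from the original article or from Corero. The log format is a
simplified, hypothetical syslog-like line (an assumption made for this example) and the
sample log is constructed in code, not taken from a real incident.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Hypothetical record format (assumption):
# <timestamp> <host> <ACTION> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> bytes=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space


def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["bytes"] = int(ev["bytes"])
    return ev


def build_sample_log(flood_events=5000):
    """Constructed sample: a spoofed UDP flood against the DNS resolver (198.51.100.10),
    two ordinary outbound web sessions, and one large outbound transfer from an internal
    host buried in the middle of the flood."""
    lines = []
    for i in range(flood_events):
        minute, second = (i // 100) % 60, i % 60
        src = f"203.0.113.{i % 254 + 1}"            # rotating spoofed sources
        lines.append(
            f"2015-08-05T10:{minute:02d}:{second:02d} fw01 DENY udp {src}:{40000 + i % 20000}"
            f" -> 198.51.100.10:53 bytes=512"
        )
        if i == 100:
            lines.append("2015-08-05T10:01:00 fw01 ALLOW tcp 10.0.0.12:51000 -> 192.0.2.20:443 bytes=4200")
        if i == flood_events // 2:
            # the event the flood is hiding: ~700 MB out of an internal host to an external address
            lines.append("2015-08-05T10:25:00 fw01 ALLOW tcp 10.0.0.7:44120 -> 192.0.2.9:443 bytes=734003200")
        if i == flood_events - 100:
            lines.append("2015-08-05T10:49:00 fw01 ALLOW tcp 10.0.0.31:52210 -> 192.0.2.21:443 bytes=8800")
    return lines


def triage(lines, flood_threshold=200, exfil_bytes=100 * 1024 * 1024):
    """Collapse flood noise, then inspect what is left.

    1. Fingerprint a flood as many DENY events sharing (proto, dst, dport).
    2. Replace each flood's events by one summary record.
    3. Review the residual events for things a flood commonly covers, here a large
       outbound transfer from an internal host (the byte threshold is an assumption).
    """
    events = [e for e in map(parse, lines) if e]
    deny_counts = Counter()
    deny_sources = defaultdict(set)
    for e in events:
        if e["action"] == "DENY":
            key = (e["proto"], e["dst"], e["dport"])
            deny_counts[key] += 1
            deny_sources[key].add(e["src"])
    flood_keys = {k for k, n in deny_counts.items() if n >= flood_threshold}

    floods = [
        {"proto": k[0], "dst": k[1], "dport": k[2], "count": deny_counts[k],
         "distinct_sources": len(deny_sources[k])}
        for k in sorted(flood_keys)
    ]
    residual = [
        e for e in events
        if not (e["action"] == "DENY" and (e["proto"], e["dst"], e["dport"]) in flood_keys)
    ]
    suspicious = [
        e for e in residual
        if e["action"] == "ALLOW"
        and ipaddress.ip_address(e["src"]) in INTERNAL
        and ipaddress.ip_address(e["dst"]) not in INTERNAL
        and e["bytes"] >= exfil_bytes
    ]
    return {"total": len(events), "floods": floods, "residual": residual, "suspicious": suspicious}


if __name__ == "__main__":
    report = triage(build_sample_log())
    print(f"{report['total']} events, {len(report['floods'])} flood(s) collapsed, "
          f"{len(report['residual'])} left to review, {len(report['suspicious'])} suspicious")
    for e in report["suspicious"]:
        print(f"  {e['ts']} {e['src']} -> {e['dst']}:{e['dport']} {e['bytes']} bytes")
```

Run as a script, the report shows 5,003 events reduced to one flood summary (5,000 denies from 254 spoofed sources) and three events worth a human's attention, one of which is the 700 MB outbound transfer. Without the collapse step, that one line is indistinguishable from its neighbours in a scrolling console, which is exactly the effect the attacker is after.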
One of the first publicly reported instances of Dark DDoS was the Carphone Warehouse attack in August. The mobile-phone reseller found its online systems being inundated with junk traffic in the run-up to the discovery of the breach. Similar characteristics were reported in last year’s TalkTalk breach and in numerous incidents involving US banks.
With the DDoS under way, attackers can use whatever means are at their disposal to penetrate the network while security personnel are preoccupied with the flood. The flood is not large enough to take the target offline, so the services running on the network stay up and remain reachable and vulnerable to the attacker.
Needless to say, the security professional’s job is made a great deal harder by a smokescreen that blocks visibility of the central issue: the breach attempt itself.
The problem of Dark DDoS is only going to worsen as DDoS attacks become increasingly automated. Corero’s Security Operations Centre is already seeing a significant rise in automated DDoS tools. These let attackers launch one technique, such as a DNS flood, and, if it fails, automatically switch to a second, such as a UDP flood, working through different attack techniques until the target’s environment is successfully compromised. The tools know when they are succeeding and react in real time; no human operator can compete with this, because we simply aren’t fast enough.
Only by deploying an in-line DDoS mitigation solution that is always on and mitigates DDoS events automatically, in real time, can security teams stay one step ahead of attackers and keep watch over their every move.
By the time a scrubbing center solution has been activated, usually around 30 minutes after the attack began, the damage has already been done. To keep pace with automated DDoS attacks, an effective solution has to remove threats automatically as they occur and give comprehensive visibility into the nature of the threat as it evolves.
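To make the two contrasts in this article concrete (the technique rotation of automated tools, and the detection gap between a threshold-triggered scrubbing center and an always-on in-line device), the following added example (not code from the original article or from Corero’s products) constructs a ten-minute trace of per-second traffic rates in which a sub-1Gbps DNS flood is followed by a sub-1Gbps UDP flood on another port, then runs two simple detector models over it. The volume threshold, sustained-time requirement, baseline multiplier and floor are assumptions made for the example; the 30-minute activation delay is the figure the article gives.

```python
"""Threshold-triggered scrubbing versus always-on in-line detection, on a constructed
attack that rotates techniques.

Added example, not code from the original article or from Corero's products. Traffic
samples are constructed per-second rates, not captured data. Every threshold and timing
parameter is an assumption made for this example, except the 30-minute scrubbing
activation delay, which is the figure the article gives.
"""

# Traffic vectors are (protocol, destination port); rates are Mbit/s in that second.
BASELINE_MBPS = {("tcp", 443): 150.0, ("udp", 53): 5.0}


def build_samples(duration_s=600):
    """Constructed 10-minute trace: normal traffic, then a 600 Mbit/s DNS flood for two
    minutes, then (as an automated tool would do once the first vector fails) an
    800 Mbit/s UDP flood at port 123 for two minutes. Total traffic stays under 1 Gbit/s."""
    samples = []
    for t in range(duration_s):
        rates = dict(BASELINE_MBPS)
        if 120 <= t < 240:
            rates[("udp", 53)] = rates[("udp", 53)] + 600.0
        elif 240 <= t < 360:
            rates[("udp", 123)] = 800.0
        samples.append((t, rates))
    return samples


def scrubbing_trigger(samples, volume_mbps=1000.0, sustained_s=300, activation_delay_s=1800):
    """Model of an on-demand scrubbing centre (assumed behaviour): diversion is requested
    only after total traffic exceeds a volume threshold for a sustained period, and
    mitigation starts activation_delay_s later. Returns the second mitigation begins,
    or None if the trigger never fires."""
    streak = 0
    for t, rates in samples:
        streak = streak + 1 if sum(rates.values()) > volume_mbps else 0
        if streak >= sustained_s:
            return t + activation_delay_s
    return None


def inline_detector(samples, learn_s=60, multiplier=10.0, floor_mbps=50.0):
    """Model of an always-on in-line device (assumed behaviour): learn a per-vector
    baseline from the first learn_s seconds, then flag any vector whose rate exceeds
    max(multiplier * baseline, floor_mbps) and block it from the next second on.
    Returns (alerts, seconds_passed): one (t, vector) alert per newly flooded vector,
    and the number of attack seconds that reached the target before a block engaged."""
    learn = [rates for t, rates in samples if t < learn_s]
    baseline = {}
    for rates in learn:
        for vec, mbps in rates.items():
            baseline[vec] = baseline.get(vec, 0.0) + mbps / len(learn)

    alerts, blocked, passed = [], set(), 0
    for t, rates in samples:
        if t < learn_s:
            continue
        for vec in set(rates) | blocked:
            mbps = rates.get(vec, 0.0)
            limit = max(multiplier * baseline.get(vec, 0.0), floor_mbps)
            if mbps > limit:
                if vec not in blocked:
                    alerts.append((t, vec))
                    blocked.add(vec)      # rate-limit this vector from the next second
                    passed += 1
            elif vec in blocked:
                blocked.discard(vec)      # the flood on this vector has stopped
    return alerts, passed


if __name__ == "__main__":
    samples = build_samples()
    print("scrubbing centre mitigation starts at second:", scrubbing_trigger(samples))
    alerts, passed = inline_detector(samples)
    for t, vec in alerts:
        print(f"in-line alert at second {t}: flood on {vec[0]}/{vec[1]}")
    print("attack seconds that reached the target:", passed)
```

On this trace the scrubbing model never engages at all, because neither flood pushes total traffic past the volume threshold, which matches the article’s observation that most attacks seen in 2015 were under 1Gbps and over within 30 minutes. The in-line model raises one alert at second 120 for the DNS vector and another at second 240 when the tool switches to UDP/123, each within the first second of that vector appearing, so a total of two attack seconds reach the target. The point is not the specific numbers, which are assumptions, but that per-vector, per-second detection follows the attacker’s technique changes, while a volume-and-duration trigger followed by a redirection delay cannot see them at all.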