Where There's Smoke There's A DDoS Attack
By Evgeny Vigovsky, Head of Kaspersky DDoS Protection, Kaspersky Lab
In many companies, IT professionals are confident that their equipment and backup systems are capable of coping, even with a peak load on their corporate online services. However, a DDoS attack can disrupt the operation of even the most powerful server. It can produce flows of incorrect requests, invalid responses from third-party servers, interrupted client sessions and other junk information. With all of this activity, it’s not only the server that could be vulnerable. When it comes to a DDoS incident, IT specialists usually spend their time and resources combating the attack—and this could be a fatal mistake. Before throwing all IT resources into resolving an attack-related problem, it is vital to understand whether it’s just a DDoS attack, or in fact a smokescreen concealing something else.
Usually a DDoS attack is intended to render an online resource, an online service or the entire IT infrastructure unavailable to users. Commercial companies and online government resources can be victims of these attacks and they might even come from rival companies looking to snatch a market advantage and compromise a competitor in the eyes of users. They may also be commissioned by blackmailers to extort money, or by hacktivists (hackers that use cybercrime to support political or social campaigns) attempting to “punish” an organization for political or personal reasons.
Today, it’s relatively cheap to commission a DDoS attack. A variety of methods and a large number of vulnerable servers enable cybercriminals to organize powerful and inexpensive DDoS attacks. After a little online research, anyone can order an attack on a web-based resource for just $50. And thanks to the use of cryptocurrencies, customers are assured that financial records will not identify them. Ease and anonymity—that is what attracts criminals, including those who are planning a targeted attack against a particular company. DDoS can therefore be used as a convenient screen and a means of distracting IT specialists.
So, what will happen to an average company when its online resources are under attack? First of all, the IT staff and the information security services (if there are any in the company) will try to figure out how to stop the attack and make the attacked resources available again as quickly as possible. Second, they will look into options to minimize the damage in every way. At this point, the technical support service will already be snowed under with urgent requests. Frustrated customers will be calling the company to try and understand what is going on. Faced with the impossibility of getting the service they need or the inability to make a payment, they are upset, to put it mildly! Some customers will start writing angry emails, which the already overloaded technical support staff will have no time to answer. The absence of a response will make the customers even angrier. They will begin to criticize the company on social networking sites. This cannot go unnoticed, especially by employees responsible for the company’s customer service and brand reputation. These employees will need the technical specialists to provide an answer to the question, "When will this situation be resolved?" While all of this chaos is unfolding, it is now much easier for the attackers to bypass the company’s protection system and remain unnoticed.
This attack method is called DDoS Smokescreening and can be used for different purposes. Sometimes the "smokescreen" attack is launched to hide the traces of a large fraudulent money transfer. With the company’s IT specialists distracted, attackers can place their malware directly into the local network or even a company's branch offices, where IT infrastructure is managed from the head office. If the IT security team is focused on a DDoS attack, they may not notice a data leak from a remote office until it’s too late. In some cases, a DDoS attack has been used as a screen for simple theft. For example, on one occasion criminals attacked a bank and then quietly stole almost one million dollars from the account of one of the bank’s clients.
If the hackers are skillful enough, the traces of their activity will not be detected until much later (if ever), meaning they cannot be unequivocally associated with the DDoS attack. At the same time, this kind of attack on a company—including those organized under a DDoS smokescreen—leads to very serious consequences. According to a study conducted by Kaspersky Lab and B2B International, a targeted attack on a company can result in the loss of $84,000 on average for small and medium businesses, and up to $2.5 billion for large corporations.
To prevent a DDoS attack and deprive the fraudsters of the opportunity to use it as a "red herring," companies are advised to take preventative protection measures. The options include a hardware security solution forming part of the company's IT infrastructure, or traffic cleaning services from a service provider or a third-party that can filter traffic through special filtering servers.
These methods both have advantages and disadvantages. However, the hardware option has long been obsolete as it cannot protect against attacks that aim to overload information channels rather than client servers. Instead, the most effective approach is a hybrid method of protection such as Kaspersky DDoS Protection, which combines several technologies.
In companies that use this hybrid protection method, the crisis prompted by a DDoS attack will develop very differently. The attack itself will not be detected by the IT department—or worse, the customers—but by a sensor that monitors statistical changes in data flows. After registering a suspicious abnormality, this sensor will send a request to switch the traffic flow to a pre-agreed alternative route going through “cleaning centers.” This means the company’s IT security specialists will not need to divert their attention to flows of junk traffic, but can focus on tracking the suspicious network activity that heralds a hacker attack; in other words, they can concentrate on doing their job.
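The two mechanisms described in this article, a sensor that flags a statistical abnormality in traffic volume and hands the flow to a cleaning route, and a security team that keeps watching for the "smokescreened" intrusion while the flood is underway, are sketched below as an added example. It is illustrative code written for this page, not Kaspersky DDoS Protection's implementation; the per-minute request counts, the security events, the rolling window and the z-score threshold are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed per-minute request counts: a quiet baseline, then a flood from minute 8.
FLOW_SAMPLES = [1200, 1150, 1300, 1250, 1100, 1280, 1220, 1180, 9500, 14000, 16500]

# Constructed events from other sensors, with the minute they were raised.
OTHER_EVENTS = [
    {"minute": 3, "source": "branch-office-fw", "event": "outbound connection to unknown host"},
    {"minute": 9, "source": "branch-office-fw", "event": "large outbound transfer"},
    {"minute": 10, "source": "payment-gateway", "event": "unusual wire transfer approved"},
]


def detect_flood(samples, window=6, z_threshold=4.0):
    """Rolling-baseline sensor (assumed design): compare each sample with the mean and
    standard deviation of the preceding `window` samples; return (index, z_score) of
    the first sample whose z-score exceeds the threshold, or None if traffic looks normal."""
    for i in range(window, len(samples)):
        baseline = samples[i - window:i]
        mu, sigma = mean(baseline), pstdev(baseline)
        sigma = max(sigma, 1.0)  # a perfectly flat baseline must not divide by zero
        z = (samples[i] - mu) / sigma
        if z > z_threshold:
            return i, z
    return None


def route_decision(samples):
    """The sensor's request: divert through the cleaning centers once a flood is registered."""
    return "divert-to-cleaning-center" if detect_flood(samples) else "normal-route"


def triage(samples, events):
    """Smokescreen-aware prioritisation: any unrelated security event raised while the
    flood is in progress is escalated rather than parked behind the DDoS response."""
    hit = detect_flood(samples)
    flood_start = hit[0] if hit else None
    prioritised = []
    for ev in events:
        during_flood = flood_start is not None and ev["minute"] >= flood_start
        priority = "high (possible smokescreen)" if during_flood else "normal"
        prioritised.append((ev["minute"], ev["source"], ev["event"], priority))
    return prioritised


if __name__ == "__main__":
    print(route_decision(FLOW_SAMPLES))
    for row in triage(FLOW_SAMPLES, OTHER_EVENTS):
        print(row)
```

In a real deployment the baseline would be built from far more than a handful of samples and the divert request would go to the provider's routing, but the shape of the logic, detect statistically, divert automatically, keep the analysts on the other alerts, is the point of the hybrid approach.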