DDoS becoming more 'sophisticated', damaging

Hackers are using improved attack techniques in distributed denial-of-service attacks, while new technologies have spurred their propagation and damage level, industry watchers point out.

Distributed denial-of-service (DDoS) attacks have matured, with hackers blending different attack techniques, and have become more damaging, observers note. They add that defenses need to evolve to complement infrastructure security that has already been commoditized.

DDoS attacks, in which multiple compromised systems, usually infected with a Trojan virus, are used to target a single system, have been getting more "sophisticated" over the years, Vic Mankotia, security vice president of CA Technologies Asia-Pacific and Japan, noted. Today, there are DDoS attacks coming from automated systems, payloads delivered from USB sticks and protocols such as Bluetooth and magnetic strips of cards, he observed.

In the past, DDoS attacks primarily targeted networks using low-level protocol or volumetric attacks, Eric Chan, regional technical director of Fortinet Southeast Asia and Hong Kong, remarked. However, hackers today use a combination of volumetric and application-layer attack techniques, he noted.

An application-layer DDoS attack targets the application service by using legitimate requests to overload the server. Rather than flooding a network with traffic or sessions, such attacks target specific applications and slowly exhaust resources at the application layer, Chan explained. They can be very "effective" at low traffic rates, which makes them harder to detect, he added.

The Sony PlayStation breach, for example, was a result of application-layer DDoS attacks, which were able to camouflage a data breach of over 77 million customer records, he said.

"Denial-of-service (DOS) 20 years ago was taking a pair of wire cutters outside the organization and snipping those wires. It has evolved to become distributed--hundreds and thousands traffic turning computers made into botnets to shut down systems."
-- Andrew Valentine, managing principal of investigative response, Verizon

Evolved with IT trends, hackers' intent
On a basic level, denial-of-service (DoS) has evolved from "taking a pair of wire cutters outside the organization and snipping those wires" 20 years ago to distributed DoS, where "hundreds and thousands of" traffic-making computers are turned into botnets to shut down systems, Andrew Valentine, managing principal of investigative response at Verizon, observed.

Strong connectivity, data centers and cloud have given mobility center stage and paved the way for the Bring Your Own Device (BYOD) trend, making the security parameters "disappear", Mankotia explained. While mobile devices may not store the target information, they do allow DDoS attackers access to the information they seek, he noted.

Laptops and devices also have a lot more computing power compared to those in the past, Claudio Scarabello, global security product manager of Verizon, added. As such, hardware has a lot more power to flood systems, and can be much more "damaging", he warned.

Another way it has evolved is in intent, Valentine added. In the past, DDoS stemmed from "bragging rights"--showing off one's ability to hack into the server--as well as financial intents, he explained.

Today, it is used for political intents, commonly known as hacktivism, and DDoS and data breaches have become "synonymous", he added, citing the Verizon 2012 data breach investigation report which found a rise in hacktivism against large organizations.

"As such, DDoS today is associated with political intent, and making a statement, and not about script kiddies showing off anymore," he said.

Security system with visibility, multi-layered defense needed
What is needed is a different type of security to complement the infrastructure security that has already been commoditized--a security system that provides knowledge of where the data is being shared and who is sharing it, Mankotia pointed out.

DDoS attacks are heavily customized with a signature to get specific information, and security has to evolve because not all information is equal, he explained. All identities, access and systems must be in one ecosystem, where content-aware identity and access management is applied and advanced authentication is at its core.

Botnets can send huge numbers of legitimate connections and requests from each compromised machine, so determining whether such connections are valid will be crucial. Enterprises will need security solutions with "sufficient visibility and context", Chan added.

"These systems should have sufficient visibility and context to detect a wide range of attack types without slowing the flow, and processing of legitimate traffic, and is then able to conduct mitigation in the most effective manner," he said.

Above all, a multi-layer defense strategy is also essential, and the defense strategy must cover both network-layer and application-layer attacks, Chan surmised.
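
The contrast Chan draws between volumetric and application-layer attacks, as an added example that is not part of the original article: a byte-rate check catches a flooding client but misses a low-rate client, which a second check on long-held connections flags. The connection records, the addresses (documentation ranges) and every threshold are constructed assumptions.

```python
from collections import defaultdict

WINDOW_S = 60            # observation window in seconds (assumed)
BPS_LIMIT = 1_000_000    # volumetric threshold, bytes/s per client (assumed)
MIN_HOLD_S = 30          # a connection held this long counts as "slow" (assumed)
MAX_SLOW_SLOTS = 10      # slow connections one client may hold at once (assumed)

# Constructed sample records: (client, start_s, end_s, bytes_transferred)
CONNS = (
    # flooding client: many short, heavy connections
    [("198.51.100.7", i * 0.3, i * 0.3 + 1.0, 500_000) for i in range(200)]
    # low-rate client: few bytes, but each connection is held open for 55 s
    + [("203.0.113.9", i * 0.25, i * 0.25 + 55.0, 200) for i in range(40)]
    # ordinary client
    + [("192.0.2.10", i * 10.0, i * 10.0 + 0.5, 30_000) for i in range(5)]
)

def volumetric_flags(conns, window_s=WINDOW_S, bps_limit=BPS_LIMIT):
    """Clients whose average byte rate over the window exceeds the limit."""
    total = defaultdict(int)
    for client, _start, _end, nbytes in conns:
        total[client] += nbytes
    return {c for c, b in total.items() if b / window_s > bps_limit}

def peak_slow_connections(conns, min_hold_s=MIN_HOLD_S):
    """Per client, the peak number of long-held connections open at once."""
    events = defaultdict(list)
    for client, start, end, _nbytes in conns:
        if end - start >= min_hold_s:
            events[client] += [(start, 1), (end, -1)]
    peaks = {}
    for client, evs in events.items():
        open_now = peak = 0
        for _t, delta in sorted(evs):   # closes sort before opens at equal t
            open_now += delta
            peak = max(peak, open_now)
        peaks[client] = peak
    return peaks

def occupancy_flags(conns, max_slots=MAX_SLOW_SLOTS):
    """Clients tying up more server slots than allowed with slow connections."""
    return {c for c, p in peak_slow_connections(conns).items() if p > max_slots}

if __name__ == "__main__":
    print("volumetric:", volumetric_flags(CONNS))
    print("occupancy: ", occupancy_flags(CONNS))
```

The low-rate client averages roughly 133 bytes per second, far below the volumetric limit, yet holds 40 server slots at once; only the occupancy check sees it.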