In some circles today, there is a misconception about the type of attack known as denial of service or DoS. Denial of service attacks aren’t quite as exotic or high profile as some of the other types that command headlines today: malware/ransomware that holds data hostage, phishing/spear phishing/pharming and their variants, remote code execution (RCE) exploits and backdoors by which attackers can take full control of a targeted computer, or even old standbys such as SQL injections and cross-site scripting (XSS).
A denial of service generally only temporarily prevents you from using the network, system and/or applications or from accessing your data. Thus some see it as less serious than attacks that allow the attacker to make changes or that encrypt or delete your critical data so that it’s lost to you forever. In fact, you might find that in many cases, software companies rate their patches for DoS vulnerabilities as “important” while those for RCE vulnerabilities are more frequently rated “critical.”
It’s true that DoS attacks traditionally haven’t resulted in a data breach – theft or exposure of your information – but that doesn’t mean you shouldn’t be concerned.
Understanding DoS and DDoS
Denial of service refers to an attempt to make computing resources – services, accounts, data, or entire computers – inaccessible to their legitimate users. As I write this, Microsoft is just recovering from a global outage of its Skype service that was caused by a DDoS attack attributed to a hacker group called CyberTeam. Canadian brokerage Questrade has been having web server issues due to DDoS, as well. Businesses aren’t the only ones who can get hit with DDoS. Even gamers aren’t immune. Another report today notes that the Final Fantasy servers are being hammered by DDoS.
The DoS attack has been around for a long time; some sources credit a high school student named David Dennis with creating the first such attack way back in 1974 – forty-three years ago. A DoS attack can take down a system or a whole network, usually by flooding it with more traffic than it can handle.
The first DoS methods involved sending an excessive number of packets from a single source, so blocking that source could stop the attack. Hence the DoS has morphed into a more sophisticated version, the distributed denial of service (DDoS) attack, wherein the traffic originates from many different sources (with different IP addresses), making it difficult or impossible to block easily. These sources are most often “zombie” computers that have been infected with malware, making them part of a botnet controlled by the attacker – often without the knowledge of the zombie systems’ users.
DoS has been used by attackers across the spectrum, from so-called script kiddies – youngsters bent on creating digital mischief – to disgruntled employees/ex-employees seeking vengeance on companies, “hacktivists” targeting their political enemies, organized cybercriminals and “cyber mercenaries” who are hired guns perpetrating attacks on behalf of some other individual or organization, for money. Regardless of the source, a DoS/DDoS attack can wreak havoc on the victims.
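The difference between the two cases shows up in how traffic is spread across source addresses. The following Python sketch is an added example, not part of the original article: it classifies one measurement interval and reports whether blocking individual addresses would bring the load back under capacity. The function name, the capacity and per-source thresholds, and all addresses are assumptions constructed for illustration.

```python
from collections import Counter

def classify_interval(src_ips, capacity, per_source_limit):
    """Classify one interval of inbound packets, given their source addresses.

    capacity: packets per interval the service can absorb (assumed value).
    per_source_limit: packets per interval a normal client may send (assumed).
    """
    counts = Counter(src_ips)
    total = sum(counts.values())
    if total <= capacity:
        return {"verdict": "normal", "block": [], "residual": total}
    # Only sources that stand out individually can be targeted by an
    # address-based block rule without also cutting off normal clients.
    heavy = sorted(ip for ip, n in counts.items() if n > per_source_limit)
    residual = total - sum(counts[ip] for ip in heavy)
    # If the remaining traffic fits, blocking those addresses ends the flood.
    verdict = "blockable flood" if residual <= capacity else "distributed flood"
    return {"verdict": verdict, "block": heavy, "residual": residual}

# Constructed sample traffic (not real captures).
# 50 legitimate clients sending 10 packets each.
LEGIT = [f"198.51.100.{i}" for i in range(1, 51) for _ in range(10)]
# Classic DoS: one address sends 9000 packets on top of normal traffic.
DOS = LEGIT + ["203.0.113.7"] * 9000
# DDoS: the same 9000 packets, spread over 3000 bots sending 3 packets each,
# so every bot looks quieter than a legitimate client.
DDOS = LEGIT + [f"10.{i >> 8}.{i & 255}.9" for i in range(3000) for _ in range(3)]

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("dos", DOS), ("ddos", DDOS)):
        result = classify_interval(sample, capacity=1000, per_source_limit=20)
        print(name, result["verdict"], "block:", len(result["block"]),
              "residual:", result["residual"])
```

In the distributed case no single address exceeds the per-source limit, so there is nothing to block by address and the full load remains.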
A report from Verisign that was recently released for 2017 Q1 indicates that DDoS attacks are getting bigger, with a 26 percent increase over the previous quarter in the size of the attack (the amount of traffic sent to flood the network).
Consequences of denial of service
There’s an old saying that “everything is relative” and it’s true that the impact of a DoS/DDoS attack might be less catastrophic than that of ransomware or RCE exploits. Nonetheless, the consequences of denial of service, especially when it’s prolonged, can be very serious. A report from Neustar issued in May estimated that the average cost of a DDoS attack is more than $2.5 million.
For many computer-dependent organizations, when the network is down, you’re effectively out of business for the duration. Your company may not be able to process sales, communicate with vendors, pay bills, correspond with partners, etc. Customers and potential customers may not be able to reach you with questions or problems.
This results in lost revenue from the sales that “might have been” during the down time, but that’s not all. A DoS/DDoS attack can have a negative impact on your company’s reputation, as well. The public may see your business as unreliable if its online presence is unavailable when they need it, and the fact that your network fell prey to an attack may make customers uneasy about whether personal information that they’ve given you is safe.
Remember, too, that there is more than one way to be victimized by a DoS attacker. Even if your network isn’t taken down by an attack, the computers on your network could be infected and become part of the botnet, to do the bidding of the botmaster by sending out the floods of packets that aim to disable some other network.
And that isn’t the worst of it. Botnet malware is able to download executable code to the infected computers and run it on them. The Neustar report mentioned above found that 42% of DDoS attacks were accompanied by malware, with the denial of service often used to divert attention from other, more invasive attacks.
Earlier this month, a DHS/FBI report was issued that warns of DDoS botnet malware called DeltaCharlie, which is being used by hackers who purportedly work for the North Korean government.
Hidden Cobra
This group (known by the names Hidden Cobra, Lazarus Group and Guardians of Peace) is not just launching DDoS attacks, but is also using the botnet software to distribute remote access tools (RATs), keyloggers and wiper malware – all of which do put data at risk of exposure and deletion. They like to exploit vulnerabilities in such software as Adobe’s Flash Player and Microsoft’s Silverlight.
Although the software makers release patches to fix these vulnerabilities, older versions of Windows such as XP and Vista are out of support and don’t normally receive security updates (although Microsoft has recently released patches for unsupported operating systems when critical flaws were being exploited; the out-of-band update for the vulnerability exploited by the WannaCry ransomware is an example).
Hidden Cobra isn’t targeting mom and pop businesses or grandmas with computers; it’s going after large institutions, including financial institutions, critical infrastructure networks, the aerospace industry and the like. This is part of a much larger problem, in that state-sponsored attacks are increasing both in number and sophistication, with Russia and China emerging as top players.
While state-backed attackers use a large variety of techniques and tactics, DDoS is an important tool in their arsenal.
DoS/DDoS prevention and protection strategies
Protecting your network from DDoS attacks – both as a flood victim and as an unwitting participant in the botnet – requires the same sort of multi-layered defense plan as other targeted network security strategies. Some of the measures are obvious and basic (albeit frequently ignored).
Because DoS/DDoS attacks utilize vulnerabilities in software applications, services, protocols and operating systems, the number one preventative measure is to keep all systems connected to your network up to date with the latest security patches. That might seem easy, but for a multitude of reasons, there are many organizations running unpatched systems on their networks, either knowingly or not. This is where a solution such as GFI LanGuard (network security scanner and patch management) or GFI OneGuard (a centralized IT network management software with business antivirus) can come in handy, as these tools help you scan your networks for any unpatched software and will also deploy the patch upon instruction.
Even if you faithfully apply all of the updates released by Microsoft, Adobe, Apple, Google, Oracle, Mozilla, and other popular software makers as soon as they’re released, there is a big “gotcha” lurking out there: the Internet of Things (IoT). Organizations are increasingly connecting a wide variety of devices to the network, “things” that aren’t traditional computers – surveillance cameras, smart printers and TVs, AI devices, thermostats, door locks, lighting controls, and of course many industry-specific Internet-connected devices such as medical equipment.
The hard truth is that many IoT devices are not secure. They run old versions of operating systems and some vendors issue patches infrequently or not at all. Experts predict that 2017 will see the first large-scale IoT security breaches in the enterprise. It is imperative that you include all connected devices in your security assessment and planning and take steps to mitigate the IoT threats.
In addition to keeping all software properly patched, DoS/DDoS prevention involves identifying and blocking malicious traffic at the gateway with the latest high-capacity sophisticated firewalls and dedicated pre-filtering threat intelligence gateway devices.
Finally, you should never assume that all your best efforts will always work. You need to plan for how to respond if and when a denial of service does hit your network. Simulate an attack and evaluate how your network stands up to the traffic volume of DoS/DDoS. Consider load balancing to mitigate some of the effects but know this likely won’t withstand a heavy DDoS attack. Formulate a DoS/DDoS recovery process as part of your business continuity plan. Follow best practices to mitigate the damage.
If your organization is the victim of such an attack, remember that it may be a smokescreen to cover an attempted data breach and look for other suspicious activity that occurs in conjunction with the DoS.
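One way to act on this during incident review is to line up the flood window against other security events. The following Python sketch is an added example, not part of the original article: it finds the minutes in which request volume far exceeds the baseline and returns the security events that fall in or near that window. The function names, the factor and margin values, and the sample data are assumptions constructed for illustration.

```python
from statistics import median

def flood_windows(rates, factor=5.0):
    """Return (start, end) minute ranges where volume exceeds factor x baseline.

    rates: list of (minute, request_count) in time order.
    The median is used as the baseline, which assumes the flood covers
    less than half of the sampled period.
    """
    threshold = factor * median(count for _, count in rates)
    windows, start, last = [], None, None
    for minute, count in rates:
        if count > threshold:
            if start is None:
                start = minute
            last = minute
        elif start is not None:
            windows.append((start, last))
            start = None
    if start is not None:
        windows.append((start, last))
    return windows

def events_during(windows, events, margin=5):
    """Return events within `margin` minutes of any flood window."""
    return [e for e in events
            if any(s - margin <= e["minute"] <= t + margin for s, t in windows)]

# Constructed sample data (not real logs): 30 minutes of request counts,
# with a flood in minutes 10 to 17.
RATES = [(m, 5000 if 10 <= m <= 17 else 100) for m in range(30)]
# Constructed security events from other log sources.
EVENTS = [
    {"minute": 3,  "what": "failed login"},
    {"minute": 12, "what": "new admin account created"},
    {"minute": 16, "what": "large outbound transfer"},
    {"minute": 27, "what": "password reset"},
]

if __name__ == "__main__":
    windows = flood_windows(RATES)
    print("flood windows:", windows)
    for event in events_during(windows, EVENTS):
        print("review:", event["minute"], event["what"])
```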
Summary
Denial of service might seem, on the surface, a less serious concern than other types of attacks, but the down time caused by a flood of traffic is only the tip of the iceberg. IT professionals need to be aware of the true impact of DoS/DDoS and as the incidence of such attacks rises, prepare for the eventuality.