It was tax time in Australia, 2014, and one Sydney tax agent, like many others across the country, was all-hands-on-deck as staff took endless calls and filled appointment diaries. The frantic pace was welcomed at the young firm, which prided itself on being hip, casual, and cool. The firm’s slick, mobile-friendly website and a good search engine ranking brought a decent rush of new clients to the firm each year.
So when the site went on- and offline over the course of a week, phones stopped ringing and staff panicked. The firm was on the receiving end of a distributed denial-of-service (DDoS) attack from IP addresses out of Eastern Europe that overwhelmed the small business IT infrastructure. An email in the company’s generic inbox demanded that US$1,000 be wired to a Western Union account in order for the attacks to stop.
“We called our tech guys and they tried to block it,” a senior tax accountant told CRN on condition of anonymity. “We called the cops, but no-one could fix it quickly enough so we paid.”
The price was cheap compared to the damage wrought. And fears that the criminals would just ask for more money once the ransom was paid were unfounded; the attacks stopped abruptly and no more was heard from them.
Booters and stressers
When a dam threatens to breach, it helps to have a network of diversion channels where the water can flow away from the towns below. So it is that a wave of DDoS packets can be soaked up by throwing large networks in front of the target.
The floods are becoming more common, but their nature is changing to something more efficient and dangerous than in previous years. Akamai’s latest release of the popular State of the Internet report for the last quarter of 2015 finds a 149 percent increase in total DDoS attacks and a 169 percent increase in infrastructure layer attacks over the same period in 2014.
The “vast majority” of these attacks were from so-called booter or stresser providers, the DDoS-for-hire services that operate with a gossamer-thin veil of legitimacy for customers who pay hourly to monthly rates to point the attacks at their own infrastructure. Of course, many who use the services point the booters at rival businesses, governments and, notably, live-stream gaming video channels operated by rivals.
These attacks have “increased dramatically”, Akamai says, compared to the preceding three months, with use of network timing attacks that power the booters up by 57 percent on the previous quarter. Such attacks abuse the network timing protocol so a small query generates a large response, which is redirected at a target.
“Network Time Protocol amplification attacks have be used in large-scale DDoS attacks peaking shy of 400Gbps, but DNS amplification attacks have also been successfully used to cripple infrastructure and cause serious financial losses,” BitDefender senior threat analyst Adrian Liviu Arsene says. “One of the largest DDoS attack to date was reported to have reached around 500Gbps, although the standard is somewhere around 100Gbps.”
Motive and intent
Distributed denial-of-service is the second most likely digital attack to be familiar to the average pedestrian after viruses. The method of attack hit mainstream headlines some six years ago, when online activist group Anonymous brought down major websites, including Paypal, the Recording Industry Association of America and the sites of Canberra public agencies.
Systematic arrests followed, bursting the bubble of those participants who thought safety in numbers would shield their IP addresses from being singled out by police. It signalled a fall in popularity of DDoS as a means of protest.
The criminal undercurrent remains and here cash is king, but motivations still vary. Businesses use DDoS attacks to knock off rivals and criminals to send sites offline until a ransom is paid. Yet others use the digital flood as a diversion to distract security defenders and set off alarms while they hack into back-end systems.
One group known as DDoS for Bitcoin, or DDoS4BC, is using the proven anonymity of the crypto-currency to extort companies through DDoS. It is a safer model for criminals than that which ripped through the Sydney tax accountancy, and considerably more expensive for victims. It is, as of January, known to have hit more than 150 companies around the world, first sending an extortion note demanding between AU$5,600 and a whopping AU$112,000 in Bitcoins before launching small DDoS attacks to demonstrate the group’s capabilities.
For some victims, the DDoS may be short-lived and devoid of any apparent motive, according to Verizon Enterprise Solutions investigative response managing principal Ashish Thapar.
“We have definitely seen DDoS on the rise and several of our partners are logging double the [usual] number of incidents,” Thapar says. “We are also seeing DDoS attacks bringing companies them to their knees but not entirely offline, which acts as a smokescreen for advanced persistent threat attacks at the back end.”
That’s also something Secure Logic chief executive officer Santosh Devaraj has seen. The company hosts iVote, the electronic voting system for NSW, and last year bagged the $990,000 contract to operate it until 2020.
“There are ‘DDoS for hire’ groups we’ve seen as part of monitoring iVote that may be trying to gain access to infrastructure at the back,” Devaraj says. “The real threat may not be the DDoS.”
DDoS down under
Australian businesses are less targeted than those overseas, experts agree, thanks in part to our smaller internet pipes. But with the NBN rolling out, DDoS Down Under is expected to become big.
The midmarket is likely to be hit harder, BitDefender’s Arsene says. “Midmarket DDoS attacks are likely to rise as the chances of targets actually paying are higher than for other organisations,” he says. “[Criminals] specifically target midmarket companies that don’t have the technical resources to fend off such attacks.”
Akamai chief strategist John Ellis agrees, saying extortionists “tend to hit the sites with a large online presence”.
“For cyber adversaries, the [midmarket] provides a fantastic target,” Ellis adds. “A Sydney developer team that relies heavily in online app availability, for example, may have to seriously consider whether it rolls over and pays DDoS extortionists.”
The attacks in Australia are, for now, fairly small. “We are seeing bigger DDoS attacks, but they’re nowhere near the size of attacks in the US,” says Melbourne IT cloud and mobile solutions general manager Peter Wright. “It is partly because infrastructure and bandwidth limitations reduce the size of DDoS attacks. It is an attribute of infrastructure capacity and there is a risk that, as we broaden the pipes [as part of the National Broadband Network], it brings huge benefits but increases the risk profile as well.”
Big banks are smashed by DDoS attacks every day and largely do not bat an eyelid. Online gambling companies, too, across Australia are blasted during big sporting events. These top end of town players have expensive, tried-and-tested scrubbing mechanisms to largely neuter DDoS attacks, although some betting agencies are known to have regularly paid off attackers during the Melbourne Cup, treating it as a cost of business.
The midmarket is not left to its own devices, however. Hosting providers like Melbourne IT and others offer DDoS protection against applications and services, while other companies have cheaper offerings for the budget market.
“I am sympathetic to the midmarket, their need for bang-for-buck,” Ellis says. “The challenge for the midmarket is that they don’t have the money that they need… they should focus on business outcomes and partners who understand their business and design outcomes.”
For Secure Logic’s Devaraj, DDoS mitigation comes down to a solid cyber security operations centre. “It is where I believe the industry should invest, rather than a particular technology.”
Yet companies can use free or cheap DDoS protection from the likes of CloudFlare, or opt for do-it-yourself options that require hardening of security defences – something the average small technology shop may lack the ability to do.
“There are DDoS sinkholes and capabilities with our cloud partners,” Wright says. “If a resource or function is hit, we can move workloads to other resources dynamically.”
Arsene agrees. “Midmarket tech guys need to start by incorporating DDoS attack risks into their corporate security strategies. Using a secure and managed DNS that supports changing internet protocols on the fly is also recommended, as well as patching software vulnerabilities to mitigate application layer attacks.”