Just when you thought you could tune out the fears about DDoS (distributed denial of service) attacks, listen up: the risks for you suddenly are much graver, and it may be the time when defensive action on your part has become necessary.
Yes, the fear-mongering over the May 7th DDoS blitzkrieg – which turned out to be a non-event – has prompted many credit union executives to turn off the DDoS discussion. That’s a mistake, however.
“Three years ago I would have called DDoS a nuisance. Now it is a threat to many more businesses,” said Vann Abernethy, an executive with security firm NSFOCUS.
A big change that is occurring, sources insist to Credit Union Times, is that for-rent DDoS networks – often costing spare change – are proliferating and they have plenty of firepower to take down most credit unions’ online presences.
The scariest part: absolutely no technical skills are required to deploy what is being called DDoS as a service. All that’s needed is digital money – PayPal or BitCoin and there even are some providers that take MasterCard and Visa.
Barry Shteiman, senior security strategist at Imperva, named names of sites that he said offer what seems to be DDoS for hire: SSH Booter, Empire Stresser, Quantum Stresser, Asylum Stresser, Titanium Stresser, Illuminati Stresser, Legion Stresser, Agony Stresser.
The list is not complete. “There are dozens of companies selling DDoS as a service now,” said Sean Bodmer, chief researcher, Counter-Exploitation Intelligence, for CounterTack.
Note: Almost all such sites claim to offer, not rogue DDoS for hire, but “stress testing” so that an organization – a credit union for instance – can check its DDoS defenses. Just one problem: sources insisted that the majority of stress-testing sites they are familiar with do no verification that the person buying the “stress test” has any affiliation whatsoever with the target.
What’s fueled the rise in DDoS as a service? For one, the intense publicity for DDoS has just about everybody aware of the attack format.
For two, “As email spam has become more and more a solved problem it has forced criminals with botnets to find other uses for them. DDoS lets them monetize their botnets,” said Matthew Prince, CEO of CloudFlare, a DDoS mitigation company.
DDoS as a service prices are also tumbling. Hemant Jain, vice president of engineering for security company Fortinet, said that he has found providers who are selling an hour of DDoS for $5, a 24-hour day of it for $40 and a week for $260.
Can’t these DDoS as service provider be shut down by law enforcement? It’s not that easy. Commented Carl Herberger, vice president of security solutions at mitigation provider Radware, “It’s important to note that ‘DDos for Hire’ websites move around in terms of their technical underpinning. They don’t stay in one area or one location for too long. It’s almost like a game of “Whack-a-Mole” – just when you think you’ve identified the location of the website, it’s already moved.”
Added Chris Ensey, COO of security company Dunbar Digital Army, “These (DDoS as a service) sites are being resold like white-labeled products now. Most of the sellers are just affiliates who leverage another botnet or platform” – that is, they have none of their own infrastructure and, poof, they can be here today and back tomorrow under a new flag.
That’s the problem: it is very hard to pinpoint the location of a DDoS command and control center and when it’s found, said sources, it generally is in a country with little or no law enforcement reciprocity with the United States.
The bottom line for credit unions: “They have to take DDoS seriously. There is no turning this back,” said Shteiman.
The good news: the attack throughputs via DDoS for hire are tiny fractions of what al Qassam is throwing at money center banks – 1% or 2% of the volume in many cases. But that is plenty to knock out a credit union that lacks defenses.
As for what defenses are needed to thwart for hire DDoS, experts indicated that in most cases low-cost mitigation, within the budget of just about every credit union, ought to suffice.
Talk with mitigation companies, also ask Web hosts what protections they have on hand or can line up, Small expenditures ought to bring peace of mind – at least that’s what the experts are saying today