What’s new in the threat of DDoS attacks?
This year there is a new kind of tactic, and I think we’ll see a rise in the new kinds of DDoS. The conventional understanding of DDoS is one that involves volume and capacity. You’ll see massive waves of attackers coming at you. But what we’re starting to see is that while that’s still in play, there’s a much more sophisticated kind of attack starting to become more common – and that’s application layer attacks. You don’t need as much volume, and it’s very, very hard to detect.
DDoS attackers are now expending quite a lot of effort to spoof legitimate sessions. They’ll do a fair amount of reconnaissance on their target, identify where the weakness or vulnerabilities are – say, a login page. And they know that if they run 20, or 50 or maybe 100 concurrent sessions that log in, it’ll lock up the backend database, rendering the site down.
Ultimately that’s what the DDoS attacker wants to do. It’s a very crude intention, and in this way it’s relatively easy to do with a small amount of bandwidth. This method is much more sophisticated; it takes a lot more expertise, but you know how it is: once it becomes commonplace, it’ll be easy to access these tools and botnets, and these kinds of attacks will proliferate.
Right now in the mitigation industry, a lot of companies are offering platforms that can deal with the traditional interpretation of DDoS, but I think the industry’s going to be challenged quite a bit to deal with the more sophisticated and more targeted kind of attacks.
Why are some sites more vulnerable than others?
Ultimately every website is designed differently. If you talk to designers, you’ll find each of your guys has their own style, which can lead to a number of vulnerabilities, depending on the code, and how the PHP code has been implemented in the background.
If you look at some of the website designs, they start off with the baseline config, they build up over time and don’t change the baseline coding. Then all of a sudden it’s like a Jenga tower. You hit the one holding up the bottom, and it’s all going to fall over.
For instance, one of the most common problems is when the way you enter data into the database isn’t sanitised well enough: you can throw in a whole series of commands that literally lock up the database. It’s a much smarter way of doing this, and it’s much harder to track.
So how are security companies going to deal with that?
The strategy right now is less preventing an attack, and more: how quickly can you respond? You need to analyse, parse, and create a quick, customised ruleset that’s very granular and can be applied to specific parts of the website – an element, or a UI for instance.
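One way to express the granular, per-endpoint ruleset this answer describes, as an added example that is not part of the interview: a sliding-window counter over access-log lines that flags any client exceeding an assumed request limit on the login form alone, while ordinary browsing of other paths is never counted. The log lines, the rule thresholds and the function names are constructed for the illustration.

```python
"""Sliding-window rule per endpoint: flags a client that hits one path (here the
login form) more often than allowed, however small its total bandwidth is.
Added example, not the interviewee's code; log lines and thresholds are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed access-log sample: 203.0.113.7 hammers /login, 198.51.100.2 browses normally.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:00 +0000] "POST /login HTTP/1.1" 200 512
198.51.100.2 - - [10/Oct/2023:13:55:00 +0000] "GET / HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /login HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /login HTTP/1.1" 200 512
198.51.100.2 - - [10/Oct/2023:13:55:03 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /login HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /login HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /login HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /login HTTP/1.1" 200 512
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')
# Granular rules keyed by endpoint: (max requests, window in seconds). Assumed values.
RULES = {("POST", "/login"): (5, 10)}

def parse_line(line):
    # Return (ip, method, path, timestamp), or None if the line is not a request record.
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m["ip"], m["method"], m["path"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def find_offenders(log_text, rules=RULES):
    """Map (ip, path) -> peak in-window count for clients that exceeded a rule.
    Assumes lines arrive in time order, as a tail of a live log does."""
    windows = defaultdict(deque)  # (ip, path) -> timestamps still inside the window
    offenders = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, ts = parsed
        rule = rules.get((method, path))
        if rule is None:
            continue  # endpoint without a rule: ordinary browsing is never counted
        limit, window = rule
        seen = windows[(ip, path)]
        seen.append(ts)
        while (ts - seen[0]).total_seconds() > window:  # drop requests older than the window
            seen.popleft()
        if len(seen) > limit:
            offenders[(ip, path)] = max(offenders.get((ip, path), 0), len(seen))
    return offenders
```

Running `find_offenders(SAMPLE_LOG)` on the constructed sample reports only the client that exceeded the login-form limit; the single genuine login attempt and the page views are not flagged.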
Are they managing to keep ahead of the threat?
Well, this is the problem: in any security initiative, be it DDoS, or the guys doing data theft, they have the upper hand. All they need is the one strike, and boom – the rest of the industry has to catch up. I think as a whole, the security industry is pretty good at catching up. But we’ll always be reacting.
It’s easy to get into. DDoS is still the easiest way to cause havoc and attack an organisation. You can go and rent a botnet for a hundred bucks an hour or even less, now, and just fill a pipe as a crude way of trying to take a site down.
It’s still effective, based on where the solution is hosted. It’s far easier than learning the skills necessary to pull off a data theft or something like that.