In the early days DDoS was a tool of extortion: an attacker would demand payment either to not launch a threatened attack or to stop one already under way. Nowadays, some organisations may pay to have a competitor attacked, since a few hours offline could be worth millions. We are also seeing DDoS used as a form of political activism by groups such as ‘Anonymous’, as well as the potential for a government to use DDoS to disrupt another country’s infrastructure.
Until recently, the largest DDoS attack on record was a DNS amplification attack against the anti-spam organisation Spamhaus. It reached 300Gbps, took Spamhaus offline and also affected its DDoS mitigation provider, CloudFlare. With that volume of traffic passing through peering exchanges and transit providers, the attack was reported to have slowed internet traffic worldwide.
In the last couple of months, however, amplification attacks have moved on to the Network Time Protocol (NTP), with a new ‘record’ set by a reported 400Gbps attack launched against CloudFlare. This attack abuses a feature of older, unpatched NTP servers rather than a bug in the protocol itself: the ‘monlist’ query, which returns a list of up to 600 hosts that have recently talked to the server. NTP servers exist for time synchronisation and listen on UDP port 123. Like DNS, they will answer a query from any client unless they are properly secured, and because UDP is connectionless the attacker can forge the victim’s address as the source of the query so that every reply is sent to the victim instead.
The amplification factor is the most concerning part. Depending on the NTP server’s configuration, the response to a single request can be up to 206 times larger than the request itself, so 1Gbps of attack traffic could become over 200Gbps, from only one host. These attack styles are not new, but their historically infrequent use and their potential for mass disruption mean they warrant more immediate attention.
So how can we protect ourselves? Primarily, you need protection from outside your network: an ISP or mitigation provider with significant mitigation infrastructure, expertise and experience. They are your insurance policy, because an attack of hundreds of gigabits per second cannot be absorbed at your own perimeter. In addition, systems administrators need to review their systems regularly for missing patches and known vulnerabilities, and in the NTP case specifically, check that public-facing servers do not answer monlist queries. If systems are left unpatched then at best you can be used as a reflector to attack another network or organisation, and at worst those vulnerabilities could be exploited to take your own systems offline.
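As an added example (not code from the original article), the Python script below ties together the mechanism described above and the self-check suggested here: it builds the mode 7 ‘monlist’ request that NTP amplification attacks rely on, decodes the replies using the header layout from ntpd’s ntp_request.h, reports whether a server still answers monlist, and measures the payload amplification it yields. The constructed replies used for the offline demonstration, and the function and host names, are my own assumptions. Run the live probe only against servers you are authorised to test: the query is exactly the one an attacker would spoof.

```python
#!/usr/bin/env python3
"""Check an NTP server for the 'monlist' (MON_GETLIST_1) mode 7 query that
NTP amplification attacks abuse, and measure the amplification it yields.

Added example, not code from the original article. Only probe hosts you are
authorised to test: the request is the same one an attacker would spoof."""
import socket
import struct

# Mode 7 header: rm_vn_mode, auth_seq, implementation, request,
# err/nitems (4+12 bits), mbz/itemsize (4+12 bits) -- per ntp_request.h
MODE7_HEADER = struct.Struct("!BBBBHH")
IMPL_XNTPD = 3                # implementation number used by ntpd
REQ_MON_GETLIST_1 = 42        # the monlist request code (0x2a)
MON_ITEM_SIZE = 72            # size of one info_monitor_1 entry in a reply


def build_monlist_request() -> bytes:
    """Minimal 8-byte unauthenticated monlist request (version 2, mode 7)."""
    rm_vn_mode = (2 << 3) | 7         # response=0, more=0, version=2, mode=7 -> 0x17
    return MODE7_HEADER.pack(rm_vn_mode, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7_header(pkt: bytes) -> dict:
    """Decode the 8-byte mode 7 header of a request or reply."""
    if len(pkt) < MODE7_HEADER.size:
        raise ValueError("packet too short for a mode 7 header")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = MODE7_HEADER.unpack(pkt[:8])
    return {
        "response": bool(rm_vn_mode & 0x80),
        "more": bool(rm_vn_mode & 0x40),   # set when further reply packets follow
        "version": (rm_vn_mode >> 3) & 0x07,
        "mode": rm_vn_mode & 0x07,
        "seq": auth_seq & 0x7F,
        "implementation": impl,
        "request": req,
        "err": err_nitems >> 12,           # high 4 bits: error code, 0 = OK
        "nitems": err_nitems & 0x0FFF,     # low 12 bits: entries in this packet
        "itemsize": mbz_itemsize & 0x0FFF,
    }


def build_mode7_response(seq: int, more: bool, nitems: int) -> bytes:
    """Constructed sample reply for offline demonstration (entries zeroed)."""
    rm_vn_mode = 0x80 | (0x40 if more else 0) | (2 << 3) | 7
    hdr = MODE7_HEADER.pack(rm_vn_mode, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                            nitems & 0x0FFF, MON_ITEM_SIZE)
    return hdr + bytes(nitems * MON_ITEM_SIZE)


def amplification_factor(request: bytes, responses) -> float:
    """Payload bytes received per payload byte sent (IP/UDP headers not counted)."""
    return sum(len(r) for r in responses) / len(request)


def monlist_exposed(responses) -> bool:
    """True if any reply is an error-free monlist response carrying entries."""
    for r in responses:
        try:
            h = parse_mode7_header(r)
        except ValueError:
            continue                       # junk or truncated packet: ignore
        if (h["response"] and h["mode"] == 7 and h["request"] == REQ_MON_GETLIST_1
                and h["err"] == 0 and h["nitems"] > 0):
            return True
    return False


def probe_ntp_monlist(host: str, port: int = 123, timeout: float = 2.0) -> list:
    """Send one monlist request and collect replies until the server stops."""
    responses = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_monlist_request(), (host, port))
        try:
            while True:
                data, _ = s.recvfrom(1024)
                responses.append(data)
                if not parse_mode7_header(data)["more"]:
                    break
        except (socket.timeout, ValueError):
            pass                           # silence is what a hardened server returns
    return responses


if __name__ == "__main__":
    import sys
    req = build_monlist_request()
    # Offline demonstration: a full monlist of 600 entries is 100 packets x 6 entries.
    fake = [build_mode7_response(i, i < 99, 6) for i in range(100)]
    print(f"constructed full monlist: {len(fake)} packets, "
          f"{amplification_factor(req, fake):.0f}x payload amplification")
    if len(sys.argv) > 1:                  # e.g. python3 ntp_monlist_check.py ntp.example.com
        replies = probe_ntp_monlist(sys.argv[1])
        verdict = "monlist exposed" if monlist_exposed(replies) else "no monlist response"
        print(f"{sys.argv[1]}: {verdict} ({len(replies)} packets, "
              f"{amplification_factor(req, replies):.0f}x)")
```

The offline run shows why the payload ratio is so high: an 8-byte query can draw 100 reply packets of 440 bytes each. The 206x figure quoted above is measured on the wire, with IP and UDP headers included and a longer request, so the two numbers differ but point the same way. A hardened ntpd should return nothing at all: ntpd 4.2.7p26 and later no longer implement monlist, and on older releases `disable monitor` together with `restrict default kod nomodify notrap nopeer noquery` in ntp.conf closes the query.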
Meanwhile, as we gear up to ensure the necessary protection is in place for our businesses, law enforcement agencies around the world are also paying closer attention. More resources are being deployed on every continent to enable effective identification, the right level of evidence gathering and a cohesive strategy against increasingly aggressive ‘cyber’ warfare. These are interesting, yet worrying, times.