Public services continue to fall victim to distributed denial of service (DDoS) attacks, and many industry experts, including Corero, predict that this is going to get worse before it gets better. Our collective pessimism is being fuelled by dire warnings from government agencies that nation-state-sponsored cyber-criminals are continuing to focus their efforts on penetrating critical national infrastructure systems, such as energy grids, nuclear facilities, transportation networks and even drinking water supplies. While motivations may not always be completely clear, the potential effect is an impact on security, economic stability, and even public health.
DDoS attacks can disrupt the availability of essential services we use as part of our everyday life. Previous reports have highlighted the dangers of infrastructure attacks, such as last October’s DDoS attacks against Swedish railway systems, which disrupted travel. In addition, the WannaCry ransomware attacks in May last year demonstrated the potential volume and strength of cyberattacks on essential services and reduced people’s ability to access those services.
Only last month, a DDoS attack on Danish rail operator, DSB, paralyzed ticketing systems resulting in travel chaos.
The consequences of a successful DDoS attack against an enterprise can be dire – from financial costs to a negative impact on a brand’s reputation. However, when it comes to the systems that underpin our essential services, the impact from a successful attack can be devastating. For example, network downtime can have a serious economic impact as it can affect productivity, cause physical damage and could even endanger public safety.
Critical infrastructure systems at risk
In recent years, DDoS attacks have become more complex, with many combinations of different attack approaches, known as vectors, being used.
Indeed, the ability to take systems offline has never been easier as DDoS attack tools, whilst illegal in many countries, are readily accessible and inexpensive. So-called DDoS stresser or booter services are frequently enabled by large networks, known as botnets, of hijacked Internet of Things (IoT) devices.
Another serious concern is the number of Internet-connected systems and devices that either form part of or are connected to industrial control systems. As organizations become increasingly reliant on the convenience of Internet accessibility, the potential attack surface for damaging cyber-attacks, including DDoS, increases. As a result, organizations need to ensure they have adequate firewalls, access mechanisms and real-time protections in place to eliminate the Internet-borne threats to their control networks.
Critical infrastructure operators in energy, healthcare and transportation cannot leave DDoS attack resilience to chance. Corero’s recent Freedom of Information survey revealed that most UK critical infrastructure organisations (51%) are potentially vulnerable to these attacks. These organizations have failed to invest in technology that can detect and immediately mitigate short-duration DDoS attacks (i.e. those lasting less than 10 minutes) on their networks. Corero’s DDoS Trends Reports have long shown that these short-duration, modestly scaled attacks dominate the threat landscape. Operators of essential services should not be complacent, as even these short attacks can significantly impede service delivery.
NIS Regulations and best practices
On 10th May this year the EU NIS Directive became law in all 28 EU member states. The regulations require that operators of essential services “must take appropriate and proportionate technical and organisational measures to manage risks posed to the security of the network and information systems on which their essential service relies”. In the UK, the best practice guidance is stipulated by the National Cyber Security Centre (NCSC). The NIS Regulations arrive with a big “stick”: a £17 million fine for those who fail. Hopefully, operators will see this as a “carrot” to upgrade their cyber-protection to defend against DDoS and other cyber-threats.
Contact us if you’d like to find out how Corero can help you prevent DDoS attacks impacting your ability to deliver service.
A lot has been written and said about the DDoS-for-hire industry over the past few years, with major media publications recently reporting on the takedown of a popular booter website. With all the hype surrounding this, the focus tends to be on the ease of use of these malicious services. However, it is equally important to keep in perspective the effectiveness of these attacks. It is evident that attack tactics are being continuously improved in an attempt to evade the trusted mitigation methodologies typically used for DDoS protection today.
Ever evolving threat landscape
Corero’s research and analysis division tracks the developments in attack vectors being used by such booter sites, to ensure our solution’s continued robustness against these services.
A recently observed attack vector involved attackers spoofing Google’s well-known 22.214.171.124/19 address space to send a flood of TCP ACK packets to the unsuspecting victim. The idea behind this impersonation attack is to evade mitigation strategies that rely on geographical IP categorization and IP reputation-based policies. Because these mitigation techniques take source IP addresses at face value, the attacker’s tactic is to overwhelm resources and carry out a successful denial of service while leveraging Google’s ‘good source’ rating.
This highlights a critical issue with devices which rely on GeoIP and IP Reputation type feeds to filter or scrub attack traffic, especially against such easy impersonation attacks. In today’s IoT driven threat landscape, such source-based protection measures are easily evaded by botnets using IP address spoofing.
Moreover, the broader challenge posed by today’s volumetric DDoS attacks requires more careful traffic analysis and deployment of smarter techniques to ensure effective mitigation.
Fallacy of source IP based mitigation strategies against volumetric DDoS
With today’s IoT-derived botnets there is a high risk of collateral damage when relying on source-based bad-bot or IP block lists. The rationale for this can be described as follows:
As alluded to earlier, Corero observes many attacks where the bad actors have successfully spoofed their attack signatures to make it appear that these originate from reputable sources, in an attempt to throw any defenses off their scent.
The Mirai effect
Corero has observed that many Mirai-based attacks by default use the compromised device’s source IP information, which usually is not present in such reputation-based block lists, especially if the participating ‘bot’ is recently infected.
Update frequency and false positives
It is important to understand that most IP reputation lists lag behind the threat. Even though vendors endeavor to schedule daily updates, the odds of false positives increase greatly when dealing with bots that sit behind some form of NAT, because multiple ‘good’ hosts typically share their public IP with the ‘bad’ hosts. When that public IP becomes listed as ‘bad’, the good traffic and hosts are also denied access to the services they need.
Generic Source blocking
Basing a DDoS mitigation strategy on generic lists results in indiscriminate blocking of the source rather than detection of the actual attack vectors. The focus should instead be on a solution that delivers real-time attack detection and automated mitigation.
A path to effective mitigation
The best defense strategy against volumetric DDoS attacks is always to identify the malicious nature of the traffic itself, rather than just relying on third-party historical or anecdotal reputation of the traffic source.
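As an added illustration of the three points made above (the ACK flood spoofed from a ‘good source’ prefix, the NAT false positive, and judging the traffic itself rather than its source), the following example code is not Corero’s and is not from the original post. It contrasts a source-reputation verdict with one simple traffic-based check, an unsolicited-ACK rate test built from observed handshakes, over a constructed packet trace; the prefixes, the listed IP, the victim address and the threshold are all assumptions.

```python
"""Source-reputation filtering versus behaviour-based detection of a spoofed ACK flood.

Added example: all traffic and reputation feeds here are constructed. The
'trusted' prefix stands in for any well-known address space an attacker
might spoof; the listed IP stands in for a NAT gateway that was added to a
block list because one host behind it was infected.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str   # TCP flags as letters: "S" SYN, "A" ACK, "SA" SYN-ACK
    ts: float    # seconds since trace start


# Constructed feeds (placeholders, not real reputation data).
TRUSTED_NETS = [ip_network("203.0.113.0/24")]   # a 'good source' prefix
LISTED_BAD_IPS = {"198.51.100.7"}               # shared NAT address on a block list
VICTIM = "192.0.2.10"                           # assumed protected service


def reputation_verdicts(packets):
    """Source-only policy: trust TRUSTED_NETS, drop LISTED_BAD_IPS, allow the rest."""
    out = []
    for p in packets:
        if any(ip_address(p.src) in net for net in TRUSTED_NETS):
            out.append("allow")
        else:
            out.append("drop" if p.src in LISTED_BAD_IPS else "allow")
    return out


def behaviour_verdicts(packets, ack_threshold=50):
    """Traffic-based policy: an ACK with no earlier SYN from the same (src, dst)
    pair is 'unsolicited'. When unsolicited ACKs toward one destination exceed
    ack_threshold in a one-second bucket, those packets (and only those) are
    dropped. Packets are assumed to be in time order."""
    handshakes = set()                  # (src, dst) pairs that sent a SYN
    unsolicited = defaultdict(list)     # (dst, whole second) -> packet indexes
    verdicts = ["allow"] * len(packets)
    for i, p in enumerate(packets):
        if "S" in p.flags:
            handshakes.add((p.src, p.dst))
        elif p.flags == "A" and (p.src, p.dst) not in handshakes:
            unsolicited[(p.dst, int(p.ts))].append(i)
    for idxs in unsolicited.values():
        if len(idxs) > ack_threshold:
            for i in idxs:
                verdicts[i] = "drop"
    return verdicts


def build_sample_traffic():
    """Constructed trace: two legitimate handshakes plus a spoofed ACK flood.
    Returns the packets and a parallel list of ground-truth labels."""
    pkts, labels = [], []
    # Legitimate client behind the listed NAT gateway: SYN, then ACK.
    for flags, ts in (("S", 0.0), ("A", 0.1)):
        pkts.append(Packet("198.51.100.7", VICTIM, flags, ts)); labels.append("legit")
    # Legitimate client genuinely inside the trusted prefix.
    for flags, ts in (("S", 0.2), ("A", 0.3)):
        pkts.append(Packet("203.0.113.250", VICTIM, flags, ts)); labels.append("legit")
    # Flood: 200 bare ACKs, sources spoofed inside the trusted prefix, no handshake.
    for n in range(200):
        pkts.append(Packet(f"203.0.113.{n + 1}", VICTIM, "A", 0.5 + n * 0.001))
        labels.append("flood")
    return pkts, labels


def evaluate(packets, labels, policy):
    """Count how a policy treats flood versus legitimate packets: (label, verdict) -> n."""
    out = Counter()
    for verdict, label in zip(policy(packets), labels):
        out[(label, verdict)] += 1
    return out


if __name__ == "__main__":
    pkts, labels = build_sample_traffic()
    print("reputation:", dict(evaluate(pkts, labels, reputation_verdicts)))
    print("behaviour: ", dict(evaluate(pkts, labels, behaviour_verdicts)))
```

Run as written, the reputation policy lets every spoofed flood packet through (the source looks ‘good’) while dropping both packets from the legitimate client behind the listed NAT address, which is exactly the collateral damage described above; the traffic-based policy drops all 200 flood packets and none of the legitimate ones. Real devices track ports and sequence numbers rather than bare (src, dst) pairs, but the contrast between trusting the source and inspecting the traffic is the same.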
Corero provides a real-time, automated solution to today’s DDoS challenges, which benefits from a comprehensive analytics platform, to defeat such attacks on the network perimeter. With a focus on blocking the actual attack vectors, as opposed to using techniques which can cause false positives and other collateral damage, Corero ensures businesses remain online in the face of today’s DDoS threat.
For more information, please contact us.