DDoS: 'The New Normal'

New Research from Prolexic Finds More Sectors Targeted

Distributed-denial-of-service attacks are the perfect weapons for cybercriminals and political adversaries. And Prolexic CEO Scott Hammack says any organization with an online presence should brace itself for attacks.

"As the world becomes more chaotic - which I do believe it will be - there will be more and more disenfranchised countries or people," Hammack says during an interview with Information Security Media Group [transcript below]. "This is a perfect weapon," he says.

And as the attacks get more sophisticated, defending against them gets more challenging, Hammack says. Today's attacks are increasingly using standard Internet security mechanisms, such as secure sockets layer protocol, to defeat online-outage defenses, he says.

"They're launching massive amounts of SSL traffic, and that's encrypted traffic that then flows through your service providers," Hammack says.

"So you have to come up with other clever techniques for blocking that traffic. The attackers are definitely making our job more difficult. It's up to us to try to come up with proper defenses to keep [organizations] safe."

Prolexic recently issued its latest quarterly DDoS report, noting that global DDoS attacks are increasing across numerous sectors and that attackers are compromising web servers, enabling them to push attacks of increasing volume that can be redirected nearly instantaneously.

"The message here is that if you're a global 2000 company or you're a company that has heavy dependence on doing business via the Internet, you definitely have to have something in place, or you put yourself at risk of being down for days, and that can be quite a disaster," Hammack says.

During this interview, Hammack discusses:

  • How organizations and DDoS-mitigation providers are altering their strategies to mitigate online outages;
  • How attackers have exploited Internet security precautions, to their advantage;
  • Why every organization with an online presence is a potential target.

Hammack joined Prolexic in 2011. He most recently served as CEO of e-dmz, which was acquired by Quest Software in 2011, and was CEO of Cyberguard Corp., which was acquired by Secure Computing in 2004. Before Cyberguard, Hammack was the CEO of MasterChart Inc., which was purchased by Allscripts in 2001.

Impacted Industries

TRACY KITTEN: Are you seeing increased DDoS activity beyond banking?

SCOTT HAMMACK: We historically have started out in online gaming, which was attacked very aggressively more than a decade ago. As we have evolved over time, the threat landscape has changed as well. Nowadays, a lot of this has been focused on the financial institutions and, quite recently, probably over the last six to nine months, we have seen massive attacks launched against financial institutions primarily in the United States, but definitely some in Europe as well. There has been a lot of activity in the Netherlands. Financials have definitely been the target in the last probably six to nine months.

KITTEN: The data that's collected by Prolexic, how is it put together and collected?

HAMMACK: We see quite a few attacks. The attacks come on to our network through our scrubbing centers around the world. We're constantly monitoring, and we issue individual attack reports as we see different customers getting attacked. Then those are archived. They go into a format that we can query quite easily and then come up with these reports. It definitely is showing a trend that's kind of alarming in terms of the size and complexity of these attacks. ... We've seen 160-gigabyte-per-second attacks and 144 million packets per second. The amount of data and the complexity of these attacks is enough to overwhelm almost anybody's infrastructure.

KITTEN: U.S. banking institutions have been battling DDoS attacks since September of last year. But are there other industries that are seeing some increased activity as well?

HAMMACK: Recently, the energy sector is starting to get targeted. There have been a few high-profile attacks. Maybe the first started about a year ago, but since then, a couple of energy companies, not just in the U.S., but worldwide, have been targeted and they're Internet-facing assets have been taken offline. That obviously is very disruptive.

DDoS Attacks Impacting Banks

KITTEN: Prolexic notes that the DDoS attacks that it tracked in March and April were among the largest the online industry has ever seen. Would you say that these attacks are linked to the same botnet that has been attacking U.S. banking institutions?

HAMMACK: That's difficult to pinpoint precisely. We do believe there are probably several organizations involved and several different botnets. The attackers are very brazen. They're using high-end servers most recently capable of launching attacks with very high traffic with a lot of packets per second. This headline number of 160 gigs is a big number. But what's more alarming is a number like 144 million packets per second, because that's just a very, very outsized number that's capable of taking down the Internet infrastructure, really paralyzing high-end routers. There are very, very few pieces of gear that can even begin to handle those types of volume.

KITTEN: When you say that the packets-per-second attacks are the most alarming, is this because of the increase in the length of the attacks?

HAMMACK: The attack lengths are an issue because they strain the infrastructure for longer periods of time, so that can't be downplayed. But the sheer volume of packets per second is something that's very, very difficult to deal with effectively. You really [need] dedicated infrastructure like the one that we have designed and built out over the last decade to be able to handle something of that size.

Sophisticated Attacks Increasing

KITTEN: What do these increases tell us?

HAMMACK: The volume really does correspond to the fact that these are compromised Web servers that are being utilized in these attacks, and these web servers, by design, are built to be able to manage high volumes of data. There have been several known vulnerabilities on these servers that have been exploited, and the result is you've got tens of thousands of infected servers that are capable of launching massive amounts of attacks at these different enterprises.

Just recently we heard about bots being used to systematically go around and do brute-force attacks on these WordPress servers. That gets scary because now you're talking about [whether] these guys actually are trying to get root access and, once they get root access to a large number of servers, what other types of attack vectors can they launch? Obviously, spoofed attacks would be a concern at those volumes. There are quite a few other things that can be done.

Size of Attacks

KITTEN: The average bandwidth used during these attacks jumped from six gigabytes at the end of last year to about 48 gigabytes in March, a 718 percent increase. How significant is that increase?

HAMMACK: Those are very large numbers. There are very few companies in the world that can handle those types of volumes, and it's not just the volumes. There are a lot of complexities associated with defending against these attacks, especially when the attacks are SSL-based, which means that they're encrypted, or if they're regular Layer 7 attacks, which requires the company defending the attack to be able to go in there and actually discern what valid traffic is and what invalid traffic is.

KITTEN: Prolexic notes that in early 2012, a new type of DDoS attack emerged, one that had considerable botnet resources and an intimate understanding of how the Internet routing topology works. But that was before we even saw some of these first attacks that were waged against U.S. banks, or at least so we thought. Does some of this suggest that these new attacks were actually striking banking institutions and, perhaps, other organizations earlier than we thought or earlier than reported?

HAMMACK: We saw a scattering of attacks, most notably a 65/70 gig attack in January of 2012, which was probably from the same source. ... We've seen isolated incidents. I think what's disturbing is the frequency with which these are starting to hit and then obviously the escalating complexity in bandwidth.

KITTEN: Do you believe the same botnet was used in some of these earlier attacks?

HAMMACK: It's impossible to prove, but I think we can draw that conclusion from the data we've gathered.

Evolution of DDoS Attacks

KITTEN: Can you tell us, when we look back to early 2012, what exactly has changed, from a tactical perspective?

HAMMACK: Historically, the way these attacks were launched was using sort of a "pull" technique where you'd have 40,000 bots out there, a lot of compromised home PCs, lower-end PCs, and those bots would essentially dial home from instructions on a certain defined frequency. They call in and say, "What do you want me to attack," come back with a message, and then start launching an attack.

What we've seen with these latest attacks is more of a "push" technology, where the attackers are brazen enough - probably hiding behind secure borders - to actually launch instructions directly to those servers, telling those servers essentially, in real time, to go attack. What this allows them to do is not only voluminous attacks, but they can change the vectors within minutes across thousand of servers and they can start and stop on a dime.

We'll watch one financial institution get hit with a 60-, 70- or 80-gig attack and then, within three or four minutes, the attack completely stops and fires up against another bank within a couple of minutes. Or, within four or five minutes, the signature that we've used to stop a particular type of attack against an IP address will change dynamically. That requires a lot of skill and expertise to be able to defend against something like that; that's changing so quickly.

Attack Origins

KITTEN: How reliable is some of the attack tracking, when we know that ISP addresses can be spoofed?

HAMMACK: The data is actually validated through TCP connections. Those are valid IP addresses. Any spoofed traffic we don't include in those country-of-origin reports. That's pretty much valid. Although we do constantly see China at the top of the list, you do see attacking traffic from all over the world. If you're a U.S. financial institution, obviously black-holing the U.S. is going to be difficult. A large portion of the botnet is based in the United States, as well as Europe, which basically those two entities are pretty well linked and it's difficult to try to segregate traffic on a geolocation basis.

Mitigation Initiatives

KITTEN: Are there initiatives in place to address some of these tracking concerns?

HAMMACK: The authorities - the FBI being the primary one in the United States - globally, are very, very active in taking down these infected servers as they hear about them. But this is a problem that has been going on for decades. And as long as there are computers out there, there are new programs being built, there are mobile devices, you're always going to have a portion of the Internet that's "compromised." It's something you have got to deal with, you've got to learn to live with, and like anything else you have to learn to defend against.

Comparing DDoS Attacks

KITTEN: Layer 3 and Layer 4 infrastructure attacks have been the favored type of attack, and they've accounted for nearly 77 percent of all the attacks that were recorded by Prolexic during the first quarter of this year. How do they compare to the Layer 7 application attacks?

HAMMACK: The Layer 3 and Layer 4 attacks are troubling and they tend to be the very, very high volume. They bring into account the volume component of this, and then the Layer 7 attacks tend to look like valid traffic. You actually have to get inside those transactions and figure out which ones are good, which ones are bad, and block just the bad ones. ... I liken it to kind of cutting the fat away from the muscle. ...

What's even more difficult is when, most recently, they're launching massive amounts of SSL traffic, and that's encrypted traffic that then flows through your service providers. It's very difficult to look inside that traffic because a lot of these financial institutions, especially with the larger ones, won't give you the keys to look in those packets. You have to come up with other clever techniques for blocking that traffic. The attackers are definitely making our job more difficult. It's up to us to try to come up with proper defenses to keep your customers safe from these guys.

Global Perspectives

KITTEN: Are there other parts of the world or other organizations that are being heavily targeted, beyond U.S. banking?

HAMMACK: We've had a few high-profile energy incidents in the U.S. and then one pretty major one in Europe within the last year. The message here is that if you're a global 2000 company or you're a company that has heavy dependence on doing business via the Internet, you definitely have to have something in place, or you put yourself at risk of being down for days, and that can be quite a disaster.

KITTEN: From the U.S. banking perspective, what do you think is next?

HAMMACK: As the world becomes more chaotic - which I do believe it will be - there will be more and more disenfranchised countries or people. This is a perfect weapon - if I can use that term - that they can utilize in somewhat of stealth fashion to lash out at people that are their enemies or their perceived enemies.





Around the Network