Cyber Kung Fu Master Class: DDoS, With Help AG
Businesses and individuals must feel overwhelmed at times by the alarming escalation in cyber-attacks. From denial of service assaults to insidious phishing ambushes, the Internet has descended from an uber-library into a series of foreboding dark alleys where you can easily lose your wallet… or your teeth.
But never fear. We at ITP.net invite you to our digital dojo to learn a bit of self-defence. Each month you will take to the mats, where our guest Master will dissect a specific attack and show you the techniques to effectively neutralise it.
In essence, we will teach you the noble art of Cyber Kung Fu (gong!).
After we are through you can stroll the cyber-streets with confidence, because you will know… Kung Fu (gong!).
Meet our Cyber Kung Fu Master: Nicolai Solling, director of technology services, Help AG
Solling joined Help AG Middle East in 2008 as director of technology services. In his role, he is responsible for overseeing Help AG’s Middle East professional services, support services and technical vendor management.
Since joining the company, Nicolai has grown the technical team by more than 200% and has been heavily involved in the design, deployment and operation of some of the most challenging network and security infrastructures across Enterprise customers in various industry sectors.
He has been in the IT and network industry for over 16 years. In 2000, he was selected as one of 400 graduates out of more than 10,000 applicants for the Internal Cisco Systems Graduate Programme, where he received extensive training by industry experts in the field of networking and IT infrastructure. Upon completion of the programme, he went on to work for Cisco Systems Advanced Services as a PS Project Engineer focusing on ISPs.
The attack: DDoS
As Master Solling explains, the distributed denial of service punch can come in two forms, each of which requires a different amount of computing power to be effective. The first is the more famous, but relatively rare network-level or volumetric assault, where resources are exhausted by relentless network traffic from multiple (distributed) outside devices, typically compromised PCs that have become part of a botnet.
The second, and more common type of DDoS, is what is known as an application-level attack, where a specific application is targeted and taken offline. Because this does not require as much traffic-volume to be effective, it is easier for attackers to execute.
“If this application is central for other services, the impact is increased,” says Solling. “An example could be an attack against a DNS service, where impacting this service will affect the ability to do Web browsing or place telephone calls.”
So DDoS can pack a powerful punch, mainly because the knowledge and skills required to attack services already exist, pre-bundled, in readily available tools.
“Today, the tools and services are Web-based, capacity is ample and they are dirt-cheap,” cautions Solling. “Examples show some of the most popular services cost as little as $12.99 per month for 1200-second attack bursts. The services are also getting smarter, so that targets may not be a website, but could also follow users around, such that when a targeted user is moving from one site to another, the DDOS attack moves with them.”
The toolmakers are sneaky, sometimes disguising their weapons as legitimate stress-testing services, available through a simple Google search.
Damage to businesses can vary, depending not only on the type of DDoS employed (volumetric or application-level), but on the shape of the ICT architecture within the target organisation.
Solling says: “DDoS attacks are typically generated from the Internet, which is why services connected to, or relying on, the Internet are more vulnerable. If an organisation utilises virtual private networks over a public infrastructure such as the Internet, a seemingly simple DDoS may also impact internal capability to communicate between branches. Understanding the threat picture and robustness against DDoS is key for any organisation and I personally think that many would be surprised how easily they can be taken out.”
From the attacker’s perspective, a DDoS attack is simple, light on resources and potentially devastating to the target, affecting business-critical functions, from the ability to browse the Internet to taking down a website. Solling urges companies to be aware of the ease by which they can be targeted, and the potential costs to productivity, especially with regard to cloud services. Depending on how reliant a company is on the cloud, an attacker could grind its business to a halt with a simple application-level attack that disrupts Web access. This is, of course, especially true for e-commerce businesses.
“I only have to look at my own private sphere where the idea of going to the bank to do a payment is completely remote to me, as I have been doing this at my computer for years,” says Solling. “DDoS is a huge distraction for any IT organisation, and therefore attacks are very often used to conceal other more severe attacks. The sheer volume of logs in a DDoS attack may, for instance, mean that IT security operations miss out on identifying other events in their infrastructure.”
In other words, failure to defend yourself from that initial, blinding left-jab may set you up for a more devastating right-hook.
“While the attacks are simple, the correction of damages can be a big issue, not to mention the reputational damage both internally and externally in the organisation.”
The defence: Ha! I know Kung Fu!
So you have seen the punch and the damage it can do. Now it is time to learn Kung Fu. Defence against DDoS, Master Solling explains, requires building an infrastructure that allows rogue traffic to be absorbed, and that means having greater capacity than the attackers.
“An example of this could be bandwidth,” Solling advises. “If someone is attacking you with 1Gbps of traffic and you only have a 10Mbps link, you cannot do much to drop the traffic. In fact, in such attacks, your service provider holds the key to fixing the issue by filtering out offending traffic. Again this is typically for the volumetric or network-based attack types, where the attack is just focused on utilising your bandwidth or the session tables of your network and security devices.”
For application-level attacks, an adequate defence lies in the design of an organisation’s physical and application architecture. As Solling reminds us: “DDoS attacks are not sophisticated. They are created with speed in mind and therefore, if you can be more intelligent in your infrastructure than the attacks and are capable of dropping offending traffic at a greater rate than the attack, you will have come a long way.”
No organisation is immune to DDoS. Our Kung Fu Master teaches us to be mindful of our infrastructure. “Sometimes only small changes to how things are done can increase robustness by great levels,” he says.
Some other advice Solling gives on attack mitigation is to perform protocol-level scrubbing, where rogue traffic is rerouted by specialist monitoring tools.
Solling also has advice for when a packet flood is already in progress. He urges sys admins to get as much data on the attack as they can in order to identify “some form of logic in the attack so that you identify what the correct response and mitigation is”. But don’t try this at home kids. Our Master says that once a DDoS attack is underway, dealing with it is a job for a specialist.
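The kind of first-pass data gathering Solling describes, as an added example that is not Help AG's or ITP.net's code: it runs over constructed web-server log lines (combined log format) and summarises who is sending what, so a responder can see the "logic in the attack" (here, a handful of sources hammering one expensive endpoint) and hand concrete numbers to their provider. The per-minute threshold and the log lines are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" format, not real traffic.
# Three sources hit the search endpoint 20 times each in one minute; two others browse normally.
SAMPLE_LOG = [
    f'198.51.100.{1 + i % 3} - - [10/Oct/2013:13:55:{i:02d} +0000] '
    f'"GET /search?q={i} HTTP/1.1" 200 512 "-" "python-requests/2.0"'
    for i in range(60)
] + [
    '203.0.113.10 - - [10/Oct/2013:13:55:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2013:13:55:30 +0000] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '203.0.113.44 - - [10/Oct/2013:13:55:41 +0000] "GET /search?q=kungfu HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# source, timestamp, method, request target, status, size (lines that do not match are skipped)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status, _size = m.groups()
    # Minute bucket ("10/Oct/2013:13:55") and path without its query string.
    return {"src": src, "minute": ts[:17], "method": method,
            "path": target.split("?", 1)[0], "status": int(status)}

def triage(lines, per_min_threshold=10):
    """Count requests per (source, minute) and per path; flag sources that exceed the
    assumed per-minute threshold and report how concentrated the traffic is on one path."""
    per_src_min = Counter()
    per_path = Counter()
    total = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        total += 1
        per_src_min[(rec["src"], rec["minute"])] += 1
        per_path[rec["path"]] += 1
    offenders = sorted({src for (src, _), n in per_src_min.items() if n > per_min_threshold})
    top = per_path.most_common(1)
    top_path, top_n = top[0] if top else (None, 0)
    return {"total": total, "offenders": offenders, "top_path": top_path,
            "top_path_share": round(top_n / total, 2) if total else 0.0}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A high share on a single path with a short list of over-threshold sources points at an application-level flood that a rate limit or a scrubbing rule can address; a flat spread across many sources is the volumetric pattern where, as Solling says, the provider holds the key.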
So far we have only covered the effects on business when an application-level or volumetric attack is launched, but for high-volume traffic generation, attackers typically need to use botnets to succeed. A botnet is a collection of computers belonging to individuals or organisations that have been previously compromised by malware so they can serve the needs of cyber miscreants. These networks can be composed of hundreds to hundreds of thousands of machines that, like sleeper agents, remain dormant until press-ganged into action by their captors.
Machines become infected without their users ever knowing, so we thought these individual users could also do with a little lesson in Kung Fu. However, our Kung Fu Master surprised us by claiming that classic botnets are going out of fashion.
“The delivery method was historically from infected machines participating in botnets, [but] today the commercial DDoS clouds are actually delivered from public cloud services that readily deliver both computing resources and bandwidth for a very limited cost,” Solling says.
But the dreaded botnet has not vanished entirely.
“The Internet community spends billions on account of the nuisance of botnets and any Internet Citizen should therefore avoid becoming part of it,” says Solling. “Good ways to avoid this are to ensure that you always keep your system updated, only install software from trustworthy sources, avoid pirated software packages and avoid opening attachments from unknown sources. As such, preventing yourself from botnets is not [that] different to how you protect yourself against malware, viruses and hacking. Anyone, individual or organisation, should follow these [steps] and the Internet will become a safer place.”
So now you know Kung Fu. Go out into the world in confidence and practise what you have learned. Our thanks to Nicolai Solling.
Bow to the Master.
“Thank you, Sifu.”