LONDON – TECH – Popular culture portrays killer DDOS attacks as a tool that anarchists and criminal masterminds use to destabilize societies. The reality of a successful killer DDOS attack is both subtler and more targeted. A killer DDOS attack overwhelms a digital information system with more inbound traffic than the system is able to handle, causing the system to freeze or shut down for an extended period of time. An organization that fails to protect its information system with a robust cyber defense might recover from a killer DDOS attack after a few hours or more, only to discover that the attack was merely a distraction from the real cyberattack, one that compromised the organization’s user data and other information while its staff and resources were focused on the DDOS problem.
A killer DDOS attack is therefore not always something that shuts down communications networks or power grids, but is instead a tool that probes information system weaknesses and diverts a cybersecurity team’s attention away from the real incursion into that system. The success of this strategy is revealed by the organizations that have experienced a DDOS attack.
- In 2015, hackers launched a killer DDOS attack against the United Kingdom retailer Carphone Warehouse. Those hackers were able to steal personal and banking records of 2.4 million Carphone Warehouse customers while the attack was ongoing.
- The cloud service provider Linode fended off multiple DDOS attacks during the 2015 holiday season and has experienced repeated attempts to breach its information systems by hackers who open those attempts with DDOS attacks.
- Sony was caught off guard by a DDOS attack in 2011 when hackers launched the attack as a smokescreen. More than 100 million user accounts were compromised during the attack.
Of the companies that have experienced repeated killer DDOS attacks, Linode’s cyber defenses are the most instructive. The company determined that the attacks aimed at its systems were all high-volume floods in which an overwhelming amount of traffic was directed at a single IP address. The attackers opened with a layer 7 or “application layer” attack, in the terms of the Open Systems Interconnection (“OSI”) model, against the company’s public-facing services, and then went deeper into both the company’s and its colocation provider’s infrastructure. In all cases, Linode stopped the attack before user information was compromised by blocking traffic to and from IP addresses that it recognized as participating in the DDOS attack. The company also deployed DDOS mitigation tools similar to the tools and techniques offered by companies like Shape Security.
In the current environment, a company cannot ignore or discount the possibility that it will be the target of a killer DDOS attack simply because its business and services are not part of any critical infrastructure. Hackers use killer DDOS attacks as part of a three-stage strategy to extract information. In the first stage, an attack might be short-lived and designed only to test cyber defenses and to probe for weaknesses in those defenses. In the second stage, hackers will use a DDOS attack as a distraction to plant malware in a company’s network. In the third stage, hackers will actively extract information from a company’s systems while a cybersecurity team focuses on stemming the DDOS attack.
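The two defensive points above, recognizing and blocking the sources of an application-layer flood, and not letting the flood monopolize attention while the real intrusion proceeds, can be illustrated with a small detection script. The following is an added example written for this article; it is not Linode's code or any vendor's tool. It parses constructed web-server access-log lines (Common Log Format, with RFC 5737 documentation IP addresses and invented paths and sizes), flags any source IP whose request rate exceeds a threshold inside a sliding window, and then builds a separate review queue of requests from other sources that, during the flood window, touched sensitive paths or returned unusually large responses. The sensitive-path prefixes, thresholds and window length are assumptions chosen for the example.

```python
"""Layer 7 flood detection with a 'smokescreen' review queue.

Added example for this article, not code from Linode or any vendor.
All log lines below are constructed; IPs come from RFC 5737 ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed paths that an attacker would target for data extraction.
SENSITIVE_PREFIXES = ("/admin/", "/api/export", "/backup")


def parse_line(line):
    """Parse one CLF line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
        "size": 0 if m["size"] == "-" else int(m["size"]),
    }


def flood_sources(records, window=timedelta(seconds=10), threshold=100):
    """Return {ip: peak_count} for sources that sent >= threshold requests
    inside any sliding window of the given length (block-list candidates)."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def flood_window(records, flagged):
    """Earliest and latest timestamp seen from any flagged source."""
    times = [r["ts"] for r in records if r["ip"] in flagged]
    return (min(times), max(times)) if times else None


def review_queue(records, flagged, size_threshold=1_000_000):
    """Requests from NON-flood sources, during the flood window, that hit
    sensitive paths or returned large bodies: the traffic the flood may hide."""
    win = flood_window(records, flagged)
    if win is None:
        return []
    lo, hi = win
    return [
        r for r in records
        if r["ip"] not in flagged
        and lo <= r["ts"] <= hi
        and (r["path"].startswith(SENSITIVE_PREFIXES) or r["size"] >= size_threshold)
    ]


def analyze(lines):
    """Run both checks over raw log lines; skips lines that do not parse."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    flagged = flood_sources(records)
    return flagged, review_queue(records, flagged)


# ---- Constructed sample log ------------------------------------------------
def _clf(ip, ts, method, path, status, size):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} {size}'


_T0 = datetime(2015, 12, 25, 3, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
# Ordinary traffic shortly before the flood.
SAMPLE_LOG += [_clf("198.51.100.20", _T0 - timedelta(seconds=30 + i), "GET",
                    "/index.html", 200, 1200) for i in range(5)]
# The flood: 150 requests from one source inside about six seconds.
SAMPLE_LOG += [_clf("203.0.113.7", _T0 + timedelta(milliseconds=40 * i), "GET",
                    "/search?q=x", 200, 500) for i in range(150)]
# During the flood, a different source pulls a large customer export.
SAMPLE_LOG += [_clf("198.51.100.9", _T0 + timedelta(seconds=3), "GET",
                    "/api/export/customers.csv", 200, 5_400_000)]
# A benign request during the flood that should not be queued.
SAMPLE_LOG += [_clf("198.51.100.21", _T0 + timedelta(seconds=4), "GET",
                    "/index.html", 200, 1200)]

if __name__ == "__main__":
    flagged, queue = analyze(SAMPLE_LOG)
    print("flood sources:", flagged)
    for r in queue:
        print("review:", r["ip"], r["path"], r["size"])
```

Run as a script it prints the single flooding source and the one export request that a team busy with the flood would be most likely to miss. Rate thresholds on their own produce false positives behind shared NAT addresses or CDN edges, so in practice the flagged list feeds a review or a rate limit before it becomes a hard block, and the review queue is the more valuable output: the first question after any flood should be what else happened on the system while it was under way.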
The first line of defense against killer DDOS attacks is to erect barriers against the first-stage probes. Hackers will be less likely to continue into the second and third stages of a cyberattack if they cannot find a system’s weaknesses. Hackers prefer targets that are easy to breach. An organization that fails to install barriers against killer DDOS attacks will become the next easy victim of an attack.