In many companies, IT professionals are confident that their equipment and backup systems can cope even with peak load on their corporate online services. However, a DDoS attack can disrupt the operation of even the most powerful server.
It can produce floods of malformed requests, reflected responses from third-party servers to requests that nobody sent, interrupted client sessions and other unwanted traffic. With all of this activity it is not only the server that suffers: upstream links, firewalls and load balancers saturate too, and so does the attention of the people running them.
When a DDoS attack hits, IT specialists usually spend all their time and resources on combatting it, and this can be a fatal mistake. Before throwing every available person at the attack, it is vital to establish whether it is just a DDoS attack or, more worryingly, a smokescreen concealing something else.
Usually a DDoS attack is intended to make an online resource, an online service or the entire IT infrastructure unavailable to users. Commercial companies and online government resources can be victims of these attacks, which might come from rival companies looking to snatch a market advantage and compromise a competitor in the eyes of users. They may also be commissioned by blackmailers to extort money, or by hacktivists attempting to punish an organisation for political or personal reasons.
Unfortunately, today it’s relatively cheap to commission a DDoS attack. A variety of methods and a large number of vulnerable servers enable cybercriminals to organise powerful but inexpensive attacks.
After a little online research anyone can order an attack on a web-based resource for just $50, and thanks to the use of cryptocurrency, customers can be sure that financial records will not identify them.
Criminals are attracted by the ease and anonymity, including those who are planning a targeted attack against a particular company. DDoS can therefore be used as a convenient screen and a means of distracting IT specialists.
So what happens in an average company when its online resources come under attack? First, the IT staff and the information security team (if the company has one) try to work out how to stop the attack and make the affected resources available again.
Second, they try to minimise the damage in every way they can. By this point the technical support desk is already snowed under with urgent requests, and frustrated customers are calling the company to find out what is going on.
The flood of incoming requests to technical support, from customers and staff alike, pulls attention towards customer service and protecting the brand's reputation. While this is happening, attackers can quietly slip past the protection systems unnoticed.
This type of attack is called DDoS smokescreening and can serve different purposes. Often the "smoke screen" is launched to hide the traces of a large fraudulent money transfer. With the company's IT specialists distracted, attackers can also plant malware inside the local network.
In some cases a DDoS attack has been used as a screen for simple theft. For example, on one occasion criminals attacked a bank and then quietly stole almost one million dollars from the account of one of the bank’s clients.
Sometimes the traces of this activity are not detected until much later, if ever, so the intrusion is never unequivocally linked to the DDoS attack that covered it.
At the same time, a targeted attack on a company, including one organised under a DDoS screen, has very serious consequences. According to a study conducted by Kaspersky Lab and B2B International, a targeted attack costs small and medium businesses $84,000 on average, and large corporations up to $2.5 million. A huge price to pay.
To withstand a DDoS attack and avoid the potential loss of money and reputation, organisations are advised to put protection in place before the attack, not during it. The options include a dedicated appliance installed within the company's own IT infrastructure, traffic cleaning services from the network service provider, or a third party that filters traffic through dedicated scrubbing servers.
An on-premises appliance on its own is of limited value against volumetric attacks: if the attack saturates the company's internet link rather than the servers behind it, the packets are dropped upstream before the appliance ever sees them. The most effective protection is therefore a hybrid approach that combines several of these technologies.
With hybrid protection, the crisis prompted by a DDoS attack develops very differently. The attack is not discovered by the IT department, or worse by the customers, but by a sensor that monitors statistical changes in the data flows.
After registering a suspicious abnormality, the sensor requests that traffic be switched to a pre-agreed alternative route through "cleaning centres" (in practice a route announcement or DNS change), where the attack traffic is filtered out before legitimate traffic is passed on.
This means the company's IT security specialists do not need to divert their attention to floods of unsolicited traffic. Instead they can treat the DDoS as a possible smokescreen and focus on the suspicious activity that heralds a real intrusion: unusual logins, unexpected movement between internal systems, or large outbound transfers. In other words, they can concentrate on doing their job.
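As an added illustration of the "sensor that monitors statistical changes in data flows" described above (example code written for this page, not Kaspersky's or any vendor's product), the following Python sketch keeps an exponentially weighted baseline of a per-second traffic counter, flags samples that deviate by more than a configurable number of standard deviations, and only issues a "divert to cleaning centre" decision once the anomaly has persisted for a few seconds, with a longer quiet period before restoring the direct route so the route does not flap. The class and parameter names, the thresholds, and the traffic series are all assumptions constructed for the example; one deliberate design point is that the baseline stops learning while the flood is underway, so the attack traffic cannot poison the model of what "normal" looks like.

```python
import math
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SensorConfig:
    """Tunables for the statistical sensor (hypothetical names, not a vendor API)."""
    warmup: int = 30           # samples used to learn a baseline before any alerting
    alpha: float = 0.1         # EWMA smoothing factor for mean and variance
    z_threshold: float = 4.0   # deviation (in standard deviations) that counts as abnormal
    sustain: int = 3           # consecutive abnormal samples before diverting traffic
    clear: int = 10            # consecutive normal samples before restoring the route
    min_rel_std: float = 0.05  # floor on std as a fraction of the mean (avoids dividing by ~0)


@dataclass
class FlowSensor:
    cfg: SensorConfig = field(default_factory=SensorConfig)
    mean: float = 0.0
    var: float = 0.0
    seen: int = 0
    abnormal_run: int = 0
    normal_run: int = 0
    diverted: bool = False
    events: List[Tuple[int, str]] = field(default_factory=list)

    def _update_baseline(self, x: float) -> None:
        """Exponentially weighted running mean and variance of the traffic counter."""
        if self.seen == 0:
            self.mean = x
        else:
            a = self.cfg.alpha
            delta = x - self.mean
            self.mean += a * delta
            self.var = (1 - a) * (self.var + a * delta * delta)
        self.seen += 1

    def zscore(self, x: float) -> float:
        """Deviation of x from the learned baseline, with a floor on the spread."""
        std = math.sqrt(self.var)
        floor = max(1.0, self.cfg.min_rel_std * abs(self.mean))
        return (x - self.mean) / max(std, floor)

    def observe(self, t: int, x: float) -> Optional[str]:
        """Feed one per-second sample (requests/s, bits/s, ...). Returns an action or None."""
        if self.seen < self.cfg.warmup:
            self._update_baseline(x)
            return None
        abnormal = abs(self.zscore(x)) > self.cfg.z_threshold
        if abnormal:
            # Do not learn from attack traffic: a baseline that absorbs the flood
            # would soon stop seeing it as abnormal (baseline poisoning).
            self.abnormal_run += 1
            self.normal_run = 0
        else:
            self._update_baseline(x)
            self.normal_run += 1
            self.abnormal_run = 0
        action = None
        if not self.diverted and self.abnormal_run >= self.cfg.sustain:
            self.diverted = True
            action = "divert_to_cleaning_centre"
        elif self.diverted and self.normal_run >= self.cfg.clear:
            self.diverted = False
            action = "restore_direct_route"
        if action:
            self.events.append((t, action))
        return action


def constructed_series() -> List[float]:
    """Constructed per-second request counts (not real telemetry):
    60 s of ~1000 req/s with small jitter, a 20 s flood at ~50 000 req/s, then 30 s back to normal."""
    baseline = [1000 + (i * 37) % 41 - 20 for i in range(60)]
    flood = [50_000 + 100 * i for i in range(20)]
    recovery = [1000 + (i * 37) % 41 - 20 for i in range(30)]
    return [float(v) for v in baseline + flood + recovery]


def run_sensor(series: Optional[List[float]] = None) -> List[Tuple[int, str]]:
    """Replay a series through a fresh sensor and return the (second, action) decisions."""
    sensor = FlowSensor()
    for t, x in enumerate(series if series is not None else constructed_series()):
        sensor.observe(t, x)
    return sensor.events


if __name__ == "__main__":
    for t, action in run_sensor():
        print(f"t={t:3d}s  {action}")
```

On the constructed series the flood starts at second 60; the sensor waits for three consecutive abnormal seconds and issues the divert decision at second 62, then restores the direct route at second 89, ten quiet seconds after the flood ends. A real deployment would feed this from flow telemetry and would watch several counters (packets/s, bits/s, new connections/s) rather than one, but the control flow is the same: detect statistically, confirm briefly, hand the flood to the scrubbing path, and leave the people free to look for what the flood may be hiding.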
Sourced from David Emm, principal security researcher at Kaspersky Lab