It's time to end the denial over DDoS. This year, Verisign, an internet security firm, witnessed very high intensity flood attacks peaking at approximately 60 Gbps. Even more worryingly, the largest attack at the end of 2016 broke new ground by being the first attack ever to use the Generic Routing Encapsulation (GRE) protocol - a tunnelling protocol that lets two peers exchange packets that could not otherwise be carried across the public network itself.
In the wake of high profile cyber breaches hitting the headlines, many businesses are realising that this has to change – not least because of the General Data Protection Regulation (GDPR).
Taking effect by May 2018, GDPR will radically transform the data protection regulation framework across the EU. Among the changes are a duty to notify authorities of data breaches within 72 hours and fines of up to €20 million or four percent of global revenue (whichever is higher) for infractions.
The UK will not escape, despite Brexit. The UK's own information commissioner, Elizabeth Denham, has pointed out that it is “extremely likely” the UK will still be an EU member when GDPR comes into effect in 2018. Moreover, the provisions apply to any organisation with data on EU individuals, wherever they are based.
What do the new rules have to do with DDoS? On the one hand, very little. GDPR is primarily concerned with breaches of customers' privacy and protection of their personal information. Denial of service attacks strike at the availability of businesses' online services. The principal losses are usually from lost business, rather than notification costs, class actions and regulatory fines.
As the UK's National Crime Agency put it when it suffered a DDoS attack on its website: “DDoS is a blunt form of attack which takes volume and not skill. It isn't a security breach…At worst it is a temporary inconvenience to users of [the] website.”
However, this ignores the fact that DDoS attacks target multiple vectors. In fact, recent research from Verisign found that 59 percent of the DDoS attacks in Q3 2016 employed multiple attack types. It is clear, therefore, that attacks are becoming increasingly complex and difficult to stop.
What's more, DDoS attacks are increasingly used as a smokescreen to facilitate attacks that are specifically focused on stealing customer data. In fact, these so called “dark DDoS” attacks were responsible for a significant proportion of the highest profile data breaches reported last year, whether we're considering Carphone Warehouse, Ashley Madison or – given a record fine by the ICO in October – TalkTalk. While businesses' IT teams are focused on trying to stave off the denial of service attack, criminals all too often use the distraction to enter undetected through a backdoor.
A growing issue
The success of dark DDoS attacks to date, as well as the easy availability of the tools to mount them, almost guarantees this is going to be a bigger challenge going forward. Readily available online automated tools give hackers cheap, on-demand ability to direct DDoS attacks where they choose. And, even if a DDoS attack is not specifically carried out to facilitate a data breach, it still makes businesses more vulnerable, tying up resources and attention, and providing a distraction that others can exploit.
Two other aspects also make this an issue that businesses need to look at more closely.
The first is the scale of attacks. If DDoS remains a blunt form of attack, it is increasingly heavy handed. Recent high profile DDoS attacks which took down some of the most popular sites on the web are a sign of where things are going.
Related to this is the increasing role of the Internet of Things (IoT). The billions of connected devices it is bringing online make an attractive resource for attackers. Recent attacks have used devices infected with the Mirai malware, which targets IoT systems and herds them into botnets, so that businesses can face attacks from tens of millions of distinct IP addresses. This not only alters the potential scale of DDoS attacks; it also makes them much more difficult to defend against. Businesses cannot simply blacklist a range of IP addresses, as they might have done in the past.
Nevertheless, businesses do need to get solutions in place to defend against attacks, and the first thing they need to look at is the bandwidth of their providers: unless they understand the size of the problem, they cannot begin to address it. They can then look at what solutions are in place in terms of filtering by IP addresses (where possible) and, if necessary, using response rate limiting (RRL) to reduce the speed with which servers respond to queries from potentially infected devices.
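As an added illustration of the two controls just mentioned (IP filtering where possible, and response rate limiting otherwise), the following is example code written for this page, not anything from CSC or Verisign. It models a per-source token bucket in the style of RRL, with allow and block lists checked first; the addresses and traffic are constructed sample values.

```python
import ipaddress
from collections import defaultdict

class ResponseRateLimiter:
    """Per-source token bucket in the spirit of DNS response rate limiting.

    Each source may receive `rate` responses per second with a burst of
    `burst`. Sources in a blocked network get no response; sources in an
    allowed network (e.g. known resolvers) are never limited.
    """

    def __init__(self, rate=5.0, burst=10, allow=(), block=()):
        self.rate, self.burst = rate, burst
        self.allow = [ipaddress.ip_network(n) for n in allow]
        self.block = [ipaddress.ip_network(n) for n in block]
        self.buckets = {}  # src -> (tokens left, time of last refill)

    @staticmethod
    def _listed(nets, src):
        ip = ipaddress.ip_address(src)
        return any(ip in n for n in nets)

    def decide(self, src, now):
        """Return 'block', 'respond' or 'drop' for a query from src at time now."""
        if self._listed(self.block, src):
            return "block"
        if self._listed(self.allow, src):
            return "respond"
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        if tokens >= 1:
            self.buckets[src] = (tokens - 1, now)
            return "respond"
        self.buckets[src] = (tokens, now)  # bucket empty: silently drop
        return "drop"

def tally(limiter, queries):
    """Count decisions for a list of (timestamp, source_ip) queries."""
    counts = defaultdict(int)
    for t, src in queries:
        counts[limiter.decide(src, t)] += 1
    return dict(counts)

def demo():
    # Constructed traffic: 50 queries in one second from a suspected bot,
    # 3 from an allowed resolver, 2 from a blocked range, then one more
    # from the bot two seconds later, by which time its bucket has refilled.
    flood = [(0.0, "203.0.113.7")] * 50
    resolver = [(0.0, "198.51.100.53")] * 3
    blocked = [(0.0, "192.0.2.9"), (0.1, "192.0.2.10")]
    later = [(2.0, "203.0.113.7")]
    limiter = ResponseRateLimiter(allow=["198.51.100.0/24"], block=["192.0.2.0/24"])
    return tally(limiter, flood + resolver + blocked + later)
```

Per-source buckets only help when the sources are few; against a Mirai-scale botnet spread over tens of millions of addresses, the same logic must be paired with an aggregate limit and with upstream filtering from the provider whose bandwidth is being consumed.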
There is, of course, no quick fix, and the growth of the IoT means defending against DDoS attacks will be increasingly challenging. Businesses need not be defenceless, however, and too many at the moment still are. If they want to retain the trust of customers – and stave off the interest of regulators – that will have to change.
Contributed by Mark Flegg, global product director of domains and security, CSC