This post looks at what DDoS means, its history and notable attacks. It includes some DDoS prevention tips to consider in your ISMS. DDoS is a common form of cyber-attack that you should be prepared for and able to recognise.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) are related cyber-attacks but with essential differences regarding the attack source and scale. The “DoS” part of both is designed to prevent legitimate access to network devices, systems and resources.
Depending on the type of network service or asset that is under attack, the symptoms and consequences can include:
When it comes to DDoS, the “Distributed” element means that multiple systems (represented by IP addresses) are attacking the network service as opposed to there being just one single attack source. This can make the attack more effective and more challenging to resolve.
Monitoring of network and service behaviour is how DDoS activity is identified.
DDoS most often intends to rapidly overload the targeted service with information, data packets or requests to the point that it cannot cope and no new connections (logon sessions, web sessions, email transmissions etc.) are possible.
A common way of achieving this distribution of “attackers” is by networking computers together into a botnet. Derived from roBOT NETwork, botnets flood the target with repeated requests for access, continual transmission of data or spam email.
The computers in a botnet are infected with malware allowing the attacker to take command and control. They are then used in the attack, often without the knowledge of the system owner. Computers and devices that are weak, vulnerable or have not had default security credentials changed are rich pickings to be co-opted as part of a botnet. Malware infected systems like these are often traded on the dark web for assembly into botnets.
The rise of the Internet of Things (IoT) is driven by mundane devices that never previously required an internet connection. Devices such as the ubiquitous “connected fridge” are thought to be part of the growing botnet problem. Typically, these devices are weak and vulnerable to attack, and there are lots of them; perfect for creating a botnet if all you need is a way to send network packets.
This article from ITPRO is useful in describing how DDoS and other “Cyber threats are now industrialised, agile and well-equipped”.
American universities first demonstrated the intentional misuse of written commands within early shared networks in the mid 1970s. They showed that other terminals could be remotely instructed to do something unexpected (e.g. shut down, reboot, log off the current user).
However, it was the Morris worm of 1988 that is thought to be the first true DoS attack delivered by use of the internet. The Morris worm pre-dated the World Wide Web (invented 1989) when the internet was still largely a network used by academia, the military and research establishments.
The Morris worm code relied on being able to execute commands on different UNIX computers. It exploited a vulnerability in those machines and reported back to the source to indicate that the machine was available, a form of asset discovery and acknowledgement.
Crucially, the worm was designed to check whether the targeted computer already had Morris worm code installed and running on it. If the answer was no, the worm would deploy on the machine. The problem was that the threshold for deciding whether the answer was “yes” or “no” was incorrectly estimated, so the code replicated itself approximately 14% of the time even where the answer was yes.
The effect of the Morris worm was that the code created many more copies of itself on vulnerable systems than originally intended, causing computers to fail as processing capacity became exhausted. Modern DoS attacks have a similar outcome, and the DDoS variants magnify this by utilising a large number of separate attack launchers.
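The following is an added illustration, not code from the original post, of why a small chance of reinstalling on an already-infected host is enough to exhaust capacity. It is a simplified expected-value model with assumed parameters: every host is vulnerable, every running copy probes one randomly chosen host per round, infection of a clean host always succeeds, and a copy that finds the host already infected installs anyway with probability `p_reinfect` (0 for the intended check, 1/7 for the roughly 14% described above). It tracks expected counts rather than random draws, so results are repeatable.

```python
"""Expected-value model of a worm's self-copy check.

Added example, not code from the original post. Assumptions: every host is
vulnerable, every running copy probes one randomly chosen host per round,
and infection of a clean host always succeeds. Expected values are tracked
(fractions of hosts), not random draws, so results are repeatable.
"""
import math


def simulate(n_hosts, p_reinfect, rounds):
    """Return a list of (infected_hosts, running_copies) after each round.

    p_reinfect is the probability that a copy installs anyway when the host
    it probes already reports that the worm is present.
    """
    hosts = 1.0    # expected number of infected hosts (one seed host)
    copies = 1.0   # expected number of running copies (one on the seed)
    history = []
    for _ in range(rounds):
        frac_clean = (n_hosts - hosts) / n_hosts
        # Probes that land on clean hosts create new infections, but cannot
        # exceed the number of clean hosts that remain.
        new_hosts = min(n_hosts - hosts, copies * frac_clean)
        # Probes that land on already-infected hosts add a duplicate copy
        # with probability p_reinfect; with the intended check this is zero.
        duplicates = copies * (1.0 - frac_clean) * p_reinfect
        hosts += new_hosts
        copies += new_hosts + duplicates
        history.append((hosts, copies))
    return history


def doubling_rounds(p_reinfect):
    """Rounds needed for the copy count to double once every host is infected.

    At saturation every round multiplies the copy count by (1 + p_reinfect).
    """
    return math.log(2) / math.log(1.0 + p_reinfect)


def copies_per_host(history):
    """Load on the network at the end of the run: running copies per infected host."""
    hosts, copies = history[-1]
    return copies / hosts


if __name__ == "__main__":
    N, ROUNDS = 100, 60
    intended = simulate(N, 0.0, ROUNDS)        # the check works as designed
    actual = simulate(N, 1.0 / 7.0, ROUNDS)    # ~14% chance of reinstalling
    print(f"intended: {copies_per_host(intended):.2f} copies per host")
    print(f"actual:   {copies_per_host(actual):.1f} copies per host")
    print(f"copies double every {doubling_rounds(1.0 / 7.0):.1f} rounds once saturated")
```

With the check working as intended the copy count levels off at one per host; with a 1-in-7 reinstall rate the host population saturates within a dozen rounds and the copy count then keeps growing by a factor of 8/7 every round, which is the capacity exhaustion the text describes.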
DDoS attacks fall into three broad categories, meaning that cyber security preparations and defences need to account for all of them.
Volume based attacks – Using enormous amounts of traffic against a target. This common DDoS attack aims to absorb the bandwidth of a site’s network and systems and so block any other access.
Protocol attacks – Designed to exploit a weakness and consume the processing capability and resources of the target server, or of something that directly protects the target such as a firewall. They do not target the available bandwidth. You will see attacks such as SYN floods and Ping of Death, attacks that overwhelm targets and make them unresponsive.
Application attacks – Seeking to exploit known weaknesses and vulnerabilities within applications themselves. Application attacks are considered the most sophisticated type of DDoS attack to deploy. The attacker makes a connection to the targeted application and then exploits application processes and transactions to exhaust the host server. The aim is to crash web services by making a large number of requests that look legitimate.
DDoS attack types are sometimes used in combination to increase their complexity and potential impact. Sometimes the purpose is distraction and misdirection that diverts the attention of security personnel whilst other cyber-attacks are being deployed.
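As an added illustration of the three categories above and of how monitoring picks them up, the following script (not code from the original post or any product it mentions) checks one window of constructed flow records for a volume indicator, a protocol indicator and an application indicator. The record format, the thresholds, the list of “costly” paths and the sample addresses (taken from documentation ranges) are all assumptions; real baselines come from the organisation’s own traffic.

```python
"""Indicators for the three DDoS categories over constructed flow records.

Added example, not code from the original post. Record format, thresholds
and sample addresses are assumptions; tune them from observed baselines.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since the start of the capture window
    src: str         # source IP address
    proto: str       # "tcp" or "udp"
    flags: str       # TCP flags seen from the client ("S" = SYN only, "PA" = data); "" for UDP
    nbytes: int      # bytes sent by the source
    path: str = ""   # HTTP request path, if one was observed on the flow


# Assumed thresholds for a modest web property.
VOLUME_BYTES_PER_SEC = 50_000_000   # aggregate inbound rate considered abnormal
HALF_OPEN_PER_SOURCE = 20           # SYN-only flows from one source per window
COSTLY_REQS_PER_SOURCE = 30         # requests to expensive paths from one source per window
COSTLY_PATHS = {"/search", "/login", "/api/report"}


def in_window(flows, start, seconds):
    return [f for f in flows if start <= f.ts < start + seconds]


def volume_rate(flows, seconds):
    """Volume-based: aggregate bytes/sec, regardless of how many sources send them."""
    return sum(f.nbytes for f in flows) / seconds


def half_open_by_source(flows):
    """Protocol: flows that never got past the SYN, per source (a SYN flood sign)."""
    return Counter(f.src for f in flows if f.proto == "tcp" and f.flags == "S")


def costly_requests_by_source(flows):
    """Application: well-formed requests to expensive endpoints, per source."""
    return Counter(f.src for f in flows if f.path in COSTLY_PATHS)


def classify(flows, start=0.0, seconds=10.0):
    """Return the categories tripped in one window, with the evidence for each."""
    w = in_window(flows, start, seconds)
    findings = {}
    bps = volume_rate(w, seconds)
    if bps > VOLUME_BYTES_PER_SEC:
        findings["volume"] = {"bytes_per_sec": bps}
    proto = {s: n for s, n in half_open_by_source(w).items() if n >= HALF_OPEN_PER_SOURCE}
    if proto:
        findings["protocol"] = proto
    app = {s: n for s, n in costly_requests_by_source(w).items() if n >= COSTLY_REQS_PER_SOURCE}
    if app:
        findings["application"] = app
    return findings


def sample_flows():
    """Constructed window: normal browsing, plus a SYN flood and an application flood."""
    flows = [Flow(i * 1.5, f"198.51.100.{i + 1}", "tcp", "PA", 1500, "/") for i in range(5)]
    flows += [Flow(i * 0.3, "203.0.113.7", "tcp", "S", 60) for i in range(25)]
    flows += [Flow(i * 0.2, "203.0.113.9", "tcp", "PA", 400, "/search") for i in range(40)]
    return flows


def sample_volume_flows():
    """Constructed window: fifty sources together sending 600 MB of UDP in ten seconds."""
    return [Flow(i * 0.1, f"203.0.113.{100 + i % 50}", "udp", "", 6_000_000) for i in range(100)]


if __name__ == "__main__":
    print(classify(sample_flows()))
    print(classify(sample_volume_flows()))
```

The per-source counters catch a single noisy client but are blind to a flood spread thinly over thousands of bots, where no one source crosses a threshold; that is why the volume check is aggregate. In practice the thresholds are replaced by baselines learned from normal windows and the findings are fed to the SIEM or DDoS mitigation service rather than printed.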
Mirai malware (“future” in Japanese) was found in 2016, when it targeted significant volumes of traffic at Dyn, a company that provides Domain Name System (DNS) services to other organisations. This is the reason that this type of attack is more formally known as “DynDNS”. It is used to create and control botnets of computers including IoT devices that are weakly defended by default security credentials. Mirai is thought to have co-opted and made use of Digital Video Recorders in particular.
DNS is required to tie IP addresses to website names, making it easier for the user as they do not have to remember a string of IP numbers to access sites.
Mirai botnets rapidly flooded Dyn with millions of “lookup” requests, and this was quickly followed by TCP protocol attacks seen over a number of days. The TCP attacks attempted to make servers incapable of answering legitimate requests. The attack may have denied service to legitimate users for only a few hours, but it was long enough to draw worldwide attention and impact high profile organisations including Twitter, Sony Playstation and Spotify.
There are a number of reasons an attacker might employ DDoS techniques against your organisation, which means you need to prepare defences and be aware of them in your ISMS:
In order to prevent DDoS attacks from impacting your ISMS, you should consider the following: