As defenses against network DDOS attacks improve, hackers find a new target
Connecting state and local government leaders
Brute-force denial of service attacks against networks are still the most common, but hackers are increasingly moving toward more efficient attacks on applications.
Part of GCN's series on DOS attacks.
Denial of service attacks, which traditionally have bombarded networks with an overwhelming number of requests, are getting more efficient. And as these attacks mature, it's more important than ever that agencies understand the kind of attack they're facing so they can mount an effective defense.
Denial of service is a descriptive term rather than a technical one: It describes the goal of the attack rather than the tools or techniques used. Although there are a variety of ways to carry out the attacks, they fall into two broad categories -- network and application.
Network DOS attacks can be fairly simple brute-force affairs, flooding servers with high volumes of requests or packets to overwhelm the resources. In general, the way to counter them is to maintain enough bandwidth and computing power to withstand the flood, but this might be impractical in a well-orchestrated attack that can generate hundreds or thousands of times the agency's usual traffic levels. Or agencies can identify the malicious packets and block them before they hit their servers, which is best done as close to the source of the attack as possible.
To date, network DOS attacks probably remain the most common, but as defenses against them improve, "we are seeing more attacks move up the stack to Layer 7 application attacks," said Rob Rachwald, directory of security strategy at Imperva. Application attacks do not rely on a flood of packets, but use specially formed — or malformed — queries and requests that servers have to deal with slowly until the number of available connections or the processing capacity is exhausted.
Application attacks can require less firepower than a network attack and can focus on a specific application or process rather than an IP address or range of addresses, making them more efficient.
Both types of attack often are strengthened by using multiple sources to deliver malicious traffic, a technique called distributed denial-of-service, or DDOS. Distributed attacks not only can deliver more firepower, but they can more easily hide by spreading out the source of the malicious traffic, making it more difficult to block. Botnets — networks of compromised computers often managed by a criminal enterprise — traditionally have powered this distribution, but hacktivist organizations also have encouraged volunteers to participate in attacks with easy-to-use tools. More recently, the rise of virtual computing has opened new avenues for distributed attacks.
"Now what we’re seeing is compromised cloud-hosting structures," said Fran Trentley, senior service line director for Akamai Technologies’ public sector business. Even more than botnets, cloud computing gives attackers access to large amounts of processing power and the ability to quickly move through large IP address spaces to hide their activities. This tactic "makes it extremely challenging to fight," he said.
According to a recent Prolexic report on observed DDOS activity in the fourth quarter of 2012, the majority of attacks targeted infrastructure (layers 3 and 4 of the OSI Model) by a wide margin, with application layer attacks accounting for just 25 percent. But Imperva’s Rachwald said attack tools for Web applications appear to be a growth area in the underground economy. "There is something going on when black hats start developing tools," he said.
One such tool that has gained attention in the past year is the Low Orbit Ion Cannon (LOIC), apparently used by Anonymous in its January 2012 Operation MegaUpload attacks that targeted government and entertainment industry sites.
LOIC, originally written in C# as a downloadable app to enable widespread participation in a DDOS attack, has evolved to become a Web application itself. Mobile LOIC is written in JavaScript that is automatically downloaded to a user’s browser and executed when visiting the attack site. As long as the page remains open in the attack browser, the script repeatedly requests images from the target page, which can outstrip the server’s capacity when the attack is multiplied enough times.
Both network and application layer attacks have traits in common. It is the motive — denial of service — that defines them, not malware. They exploit a network or a server’s finite resources rather than its vulnerabilities, so it is difficult to defend against them by patching or updating software and hardware, although hardening systems can help. Operating systems and applications can be configured to disable services and applications not required for their missions; blacklists can be used to block traffic from known malicious sites; and service screening at edge routers can help to decrease loads from unwanted or improper traffic.
But while these steps can help reduce the attack surface, attacks still are possible and can quickly overwhelm resources. And although a denial-of-service attack usually does not damage systems or steal information, neither are the attacking infrastructures affected by the defense; the attackers remain capable of launching another attack as soon as the guard is lowered.
PREVIOUS: Surviving denial-of-service? You need outside help to keep from going under.
NEXT STORY: Denial-of-service attacks: It's a problem, bro