AS LONG AS there are devices online, there will always be attacks made on them.
This week saw the latest examples emerge with Government sites and a few others being forced offline.
The type of attack, Distributed Denial-of-Service (DDoS), isn’t new but the frequency in which they’re appearing is increasing. It’s the most common type of attack because of how easy it is to complete, but how much of an impact can they really have?
What exactly is a DDoS attack?
In basic terms, a DDoS attack overwhelms a site or service with traffic, causing it to slow down or go offline.
Such attacks have been carried out for as long as the internet existed, but the ease of which you can perform one – either by having the required skills or enough money to pay for an attack, provided you know where to look – makes one easy to carry out.
A good way to think about it is if you were to liken a site to a train. While they’re designed to handle both normal and rush-hour crowds, a DDoS attack sends a large crowd continuously pouring in without warning. If it becomes too much, it prevents the train from moving and stops people from traveling.
How are they carried out?
How it does this is through a process called a botnet. This is when computers and devices connected to the internet contribute to an attack, without the owners’ knowledge.
As part of the attack, these computers are infected by malware or a virus giving an attacker control of it. The owners of these computers are unaware this has happened, the most they will notice is slowdown or crashing.
Those controlling these computers, which can easily be a few computers or a hundreds of thousands depending on the attacker’s proficiency, can be used to target a site or service. Even if the attack doesn’t succeed, the source behind it is next to impossible to track down thanks to the number of devices used.
Sometimes botnets are referred to as a zombie army in that those computers affected have no control over what they’re doing, mindlessly sending traffic to the one target while it tries to defend itself.
A bit like this.
Why are they carried out in the first place?
There are a few reasons but usually boil down to two big ones: activism and extortion.
In the case of activism, the founder of security consultancy BH Consulting, Brian Honan, explained that this could be done by targeting a large or prominent service, and using the attention to highlight a message.
“It can be used as a tool to promote your messages so they’re normally followed up,” he says. “[The group] claiming responsibility for the attack and why they’ve done it”.
Extortion usually happens by a group threatening a DDoS attack unless a fee is paid. For most commercial sites, downtime can have an adverse effect on day-to-day business and can result in lost revenue. An attacker can target a site, tell them to give them money or suffer a DDoS attack, and carry it out until they pay it or figure out a way to counter it.
The cybersecurity services expert for Grant Thornton, Mike Harris, says such attacks are “making a comeback” compared to a few years ago.
“There are websites … [where] you can buy time and bandwidth and you can point it [towards a target],” he says. “It’s very straightforward to do with very little expertise”.
How big a concern are they?
They’re noticeable depending on the target but not at the same level as other cyberattacks that result in personal data being stolen. Honan says such attacks have been happening for a while , it’s just that they’re more noticeable now since the internet plays a major role in our lives.
“DDoS attacks are nothing new, they’ve been going around for decades”, says Honan. “What’s happening now is because we have more systems online and in a way, we’re more dependent on them, these attacks are becoming more visible”.
Yet the bigger problem is there being more devices starting to connect to the internet. While this was limited to PCs and smartphones, the Internet of Things is now connecting generic items like fridges, thermostats and other household items. While it offers greater functionality, it brings up its own major security issues.
Although it wasn’t an attack, a recent example saw the Nest thermostat deactivate in the US because of a software bug, leaving owners unable to change temperatures and heat up their home. If a bug can cause that much trouble, an attack can do worse.
“There is new technology, new services and new devices that are being created, installed and plugged into the internet with security being an afterthought, without security designed from the very beginning,” says Honan.
There is an onus on companies out there developing applications services and solution that they need to make sure they build in security at the beginning instead of making it an afterthought.
It’s a concern echoed by Harris who says what we could see now are industries, which traditionally never dealt with the internet, having to tailor their devices to cope.
“Industries that haven’t been dealing with security threats that the internet brings are now front and centre of those threats,” says Harris. “They’re not doing the things the IT world has learnt, to varying levels of success, to defend against these attacks, and that’s combined with organised crime working out how to monetise these threats”.
Most organisations prioritise functionality. [They ask] ‘Does it do what it’s supposed to do?’ instead of ‘Does it do things it’s not supposed to do?’
So it’s all doom and gloom, huh?
Not quite. While such attacks are easier to do, defences against them have improved and for every attack you hear about, there are many, many more that failed.
Unsurprisingly, the responsibility falls on companies and site owners themselves to have the necessary protection. It’s easier for larger corporations to fund, but smaller businesses should keep it in mind since such attacks can have a bigger impact on them.
[DDoSs are] not too complicated to conduct,” says Honan. “Likewise if you have the right tools and services in place, they’re easy to defend against too”.
For businesses that are going online, they will need to sit down and look at what services they’re offering online and the potential threats they face and put the right protection in place … The same way you’re opening up a physical office, you need to make sure you have security in place.
Harris offers similar advice for smaller businesses.
“There are things organisations can do [like] have conversations with their ISPs (Internet Service Provider) about what protection they can get,” he says. “Often what you see is organisations won’t do anything until they get hit … and they don’t realise how important their website is to their business.”
Yet a DDoS attack isn’t the be all and end all for anyone, and while they can take sites offline, Harris puts the situation into perspective.
The world hasn’t collapsed. A couple of sites are knocked out. It’s not the end of the world.
To embed this post, copy the code below on your site
have your say