DDoS as a distraction: The one-two cyberpunch

By Vann Abernethy , written on January 29, 2014

From The News Desk

In the first half of 2013 there were more than 168,000 distributed denial-of-service (DDoS) attacks. Traditionally their purpose has been to make a site or service unavailable for some duration via flood-type attacks that overwhelm the target – like a million callers dialing into a single phone line, resulting in constant busy signals.

Practically every mega-trafficked site has had to cope with them. Sometimes hackers – the group Anonymous, for example – have deployed them as a form of political protest.  Other times they have been state sponsored, like the rampant DDoS attacks that Iran purportedly unleashed against Bank of America, Citigroup, HSBC and JPMorgan Chase. They don’t just happen here in America either. China was smacked with a massive DDoS attack, too. Whoever launches the attack, the result is basically the same: systems go down, resources are unavailable, and the victim has to scramble to fix everything.

Recently, however, there has been a rise in a different sort of DDoS attack that are designed as smokescreens to obscure other criminal activity, such as theft of intellectual property, banking, and financial records, stolen customer data, or even vulnerability probes. The intent here is not to shut down a particular website, but to distract security teams long enough so that the real attack goes unnoticed.

In November 2011, the FBI warned of one such attack type, which relies on the insertion of some form of malevolent code. When the attacker is ready to activate the malware, a DDoS attack is launched to distract and occupy defenders, as was the case with the Zeus malware variant that targeted banking institutions. Considering most malware goes undetected for long periods of time, even a small DDoS attack should be a red flag that something else may be going on.

Another trend is even more sinister with the DDoS attack itself designed to probe a network looking for chinks in the armor. Such an application-layer DDoS attack could be used to directly interact with back-end systems looking for previously undiscovered design flaws or security holes and the means to exploit them. Sometimes they look as if application creators designed them and they take advantage of previously unknown flaws, which is the classic zero-day attack scenario.

Still another DDoS attack serves two purposes. It hobbles a company or organization’s computer network or website while also probing for vulnerabilities, such as a network flood masking a vulnerability scan. It’s like a recon team sent to scope out an enemy's position while they’re under some sort of long-range barrage. In fact, both of these schemes proved successful for a group of DDoS attackers this past November that made off with nearly $1 million in stolen bitcoins from BIPS, a Denmark-based payment processor.

How to defend against a DDoS attack

General probing would likely be caught if the victim has even modest security protections, which is, unfortunately, not always the case. While under duress, systems charged with either blocking or alerting suspicious activity could be under too much strain to be fully effective.

With other DDoS attacks, the best defense here is to have a purpose-built DDoS defensive service or appliance that keeps the bad traffic off of your core security systems. DDoS scrubbing centers will take the traffic off of your network, filtering out the bad and allowing the good to continue on, which relieves the stress. As for general defenses, a good start is to deploy multiple teams  – one to work on the DDoS defense itself, another that goes into hyper vigilance mode to look for evidence of other attacks. Even after the DDoS attack ends, security teams should do a complete, methodical review of all systems to ensure no other breaches have taken place.

The most successful security programs incorporate some form of data forensics to uncover threats and breaches that might otherwise go unnoticed. Doing this requires some preparation work to set up sensors that routinely grab data from sources beyond the core security and routing devices. Any irregularities in the data will indicate that something suspicious is going on outside the initial DDoS attack.

The DDoS landscape is constantly evolving, and so are the motives behind attacks. With a little advance planning, however, it’s possible to take the sting out of these attacks.

[Image via Thinkstock]