Don’t be distracted by the DDoS flashbang


This is a guest article written by Stuart Winter-Tear. The author’s views are entirely his own and may not reflect the views of IT Governance.

Distributed denial-of-service (DDoS) attacks are on the rise and have been for some time. Report after report show not only the growth in such attacks, but the scale, multi-vector nature and complexity is on the increase.

The above is of no surprise when you consider the advent of a new acronym: ‘DDoSaaS’ or DDoS-as-a-service. Put simply, rent a bot from a bad guy, complete with a considerable number of already compromised ‘zombie’ machines, and aim it at your target.

Defending against a DDoS attack

These attacks are notoriously difficult to defend against. With a ‘zombie army’ of IP addresses, IP blocking just isn’t going to cut it.

Bandwidth is a precious commodity and DDoS attacks saturate our bandwidth, potentially flooding the paths we use to communicate with one another and our customers. This constitutes an assault on the third leg of the CIA security triad – namely, availability.

An interesting and not-oft-noted trend of DDoS attacks is that the vast majority of them last less than 30 minutes.

Given that, surely we can breathe a collective sigh of relief and carry on with our day. After all, it’s only one leg of the security triad and a brief problem at that. And, surely, this is all the realm of disgruntled online gamers and hacktivists, and no real concern of ours, right?

I don’t think so.

If you squint and read very carefully within news reports and whitepapers on DDoS attacks and trends you often find a more sinister and altogether more cunning use. DISTRACTION.

Nothing gets the heart pumping and mind racing quite like a massive DDoS attack; criminals know this and leverage it to their advantage.

Criminals may leave just enough bandwidth available during a DDoS attack to conduct other activities – their real intentions.

I’m calling this the ‘DDoS flashbang’

The flashbang is essentially a non-lethal stun grenade that produces powerful explosive light and noise, and is used by law enforcement and others to distract and disorientate the target.

I’m sure you’re beginning to see the parallels here.

DDoS attacks are being used to confuse, panic and disorientate IT security and focus them on mitigating the DDoS while the attackers perpetrate a quieter, stealthy, sniper-like entry.

I know this all sounds dreadful – how on earth do we protect ourselves from something like this?

The first thing to note is the distraction is thought to be necessary. We can extrapolate that given normal operational activities the criminals’ real intentions would have been flagged and their endeavours thwarted.

As long as we have all our standard mitigations, controls, safeguards, monitoring, patching and so forth in place, the above assumption will be generally correct. The majority of successful attacks and criminals are not nearly as sophisticated as we might imagine.

The take-home message

During a DDoS attack, don’t panic.

I know the pressure is on, but so do the criminals. Keep calm. During a DDoS attack, be even more vigilant for other unusual network activity. Monitor all changes on the network like a hawk. After the attack, check and double-check for changes, anomalies and unusual activity.

Remember: sensationalist media reports on DDoS attacks bringing down giants of the Internet for brief periods is not the most pernicious aspect for us to ponder.

You may not have considered your organisation an obvious target for DDoS, but I hope you realise that it is, and perhaps not for the reasons you initially thought. And if it does happen, as hard as it will be, stay as calm and focused as possible, and watch to see if it all the noise is, in fact, simply a feint.