DDoS attacks: What happens when they come for you?

Share Post

After the recent high-profile Distributed Denial of Service (DDoS) attacks, there have been a lot of questions about how these attacks can be prevented. A DDoS attack attempts to make a service unavailable by overwhelming it with traffic from many — sometimes millions — of sources.

Here are a few important things to consider when we talk about today's DDoS attacks:

Attacks are extremely targeted — unlike other kinds of Internet security threats, there is typically only one target for a DDoS attack. The recent Dyn attacks made headlines because Dyn provides Domain Name Service infrastructure to major Internet companies such as Twitter, Netflix, Spotify, and Reddit.

There are many different motives behind DDoS attacks — several DDoS attacks were used as a temporary distraction while other attacks with larger political or financial motives were being perpetrated. Other reasons include hactivism (in 2013 the hacker group Anonymous petitioned the White House to recognize DDoS attacks as a legitimate form of protest), and cyber vandalism. Increasingly, companies are threatened by DDoS attacks if they refuse to pay a ransom. The Armada Collective and Lizard Squad are the two most famous organizations carrying out — or at least threatening to launch — these kinds of attacks.

Sample Armada Collective Ransom Note, Source:

Attacks are increasing in size and complexity — because of the proliferation of unsecured IoT devices and the release of the Mirai malware source code, we can expect the number of DDoS attacks to increase. Further, the size of recent attacks and the complexity of attacks increased significantly. In the first quarter of 2016, 64% of attacks used multiple attack types and 75% of attacks peaked at over 1 Gbps. (Source: A 1 Gbps DDoS attack is enough to knock most organizations' networks completely offline, but recent attacks have become even more powerful. In September, French hosting provider OVH's servers were hit by multiple attacks exceeding 100 Gbps.

Prevention — being a good network citizen

As the types of attacks become increasingly more complex, prevention remains in the forefront and is multi-layered (just like any good security strategy!). So what can you do to prevent DDoS attacks to your organization or prevent your devices from being part of a DDoS attack?

1. Manage your passwords. The simplest, preventive measure is to change your password on all Internet connected devices from the manufacturer's default. As David Kennerly, Director of Threat Research at Webroot, recently commented: "If the default password had been changed, many of the webcams and CCTV devices that formed the botnet army would not have been successful." Secure your IoT devices by changing the default password!

2. Monitor and manage your network infrastructure. In a post-attack analysis, Dyn's Chief Strategy Office, Kyle York, said that the attack contained "specific nuances to parts of our infrastructure." One common technique for gathering intelligence on network vulnerabilities is scanning. Port scanning is used to determine what ports are open for a given IP address. DDoSers can use this information to target ports that respond to packets, versus those that may be firewalled off. Also, it is also crucial to have real-time data analytics in order to quickly detect and neutralize threats. As DDoS attacks grow, it is worth looking at and creating a multi-layered DDoS protection plan in both the network and application layers.

With Aruba's Mobility Controller, the Policy Enforcement Firewall has an optional service called WebCC that includes IP reputation, Geolocation filtering, and URL filtering.  Adding this service, which leverages the best in class service of Webroot's global infrastructure, can give a strong layer of protection from these types of attacks.

In the image above, we see an example of a malicious IP. In this case, the IP is associated with two threat types — Spam sources and Scanners. In looking at the associated data, we also see the threat level distribution for the country and city where the IP is hosted (Bangalore, India). The IP has a very low reputation score (9 out of 100) and a history of being on the threat list. Finally, we can see that the IP's expected removal is November 20, 2016. If the IP exhibits no additional malicious behavior between now and the Removal date, the IP will be removed from the threat list, but will be closely monitored.

The IP threat list that WebCC uses currently contains almost eight million threat IPs. Each IP on the list has exhibited malicious behavior. Within the current list, there are approximately 213,000 IPs that are classified as Scanners. Again, these are often used go gain information about vulnerabilities prior to a DDoS attack. The Scanners category includes all IP reconnaissance activities, such as probes, host scans, domain scans, and password brute force attacks. The IP threat list also contains a Botnet category, which currently contains approximately 18,000 IPs. The Botnet category includes Botnet Command & Control channels and infected zombie machines controlled by a botherder. Blocking access to these IP categories (Scanners and Botnet) can help prevent DDoS attacks.

Once WebCC has passed high risk IPs onto the Aruba Policy Enforcement Firewall, it can then enforce security policy to prevent these types of breaches on the network by blocking these risky IP addresses.

For more information on the WebCC bundle service in the Aruba Policy Enforcement Firewall, either view our WebCC datasheet or our Policy Enforcement Firewall datasheet.