DDoS Attackers Change Their Game Plans
Security experts have battened the hatches against the floods of illegitimate traffic that can take down websites, but the perpetrators of DDoS attacks have refined their own methods to increase the impact while requiring fewer resources to mount their assaults. "The big trend over time will be ... smarter, more nimble, more agile attacks," said Akamai's Michael Smith.
08/05/13 5:53 PM PT
DDoS attacks have long been a weapon of Internet dissidents to punish those they disagree with, while cybercriminals use them to create a digital smoke screen to hide their misdeeds.
DDoS attackers typically flood a website with traffic, denying legitimate users access to the server.
That tactic still works, but because computer networks are becoming more resilient, the firepower needed to launch an effective attack is steadily increasing. In response to that development, DDoS warriors are modifying their methods to get more bang for their bytes.
One of those methods is the application DDoS attack.
"An attacker looks for a weak point in an application instead of trying to consume your network resources," Marc Gaffan, founder of Incapsula, told TechNewsWorld.
Over time, network resources have become more robust, Gaffan explained, so saturating them requires larger and larger DDoS attacks, which require more and more resources. Application attacks can consume fewer resources for an attacker but more for a defender.
A search function on a website, for example, might be calibrated to handle 10 searches a second. "If I hit your server with 15 or 20 searches per second, I'm going to bring it to a halt," Gaffan explained.
"I don't have to invest in a lot of bandwidth," he continued. "I don't have to invest in a lot of infrastructure. It's a DDoS attack that's a surgical strike."
Logging pages at banking sites have been popular targets of application DDoS attacks. When you try to log into your bank, a whole set of backend functions are set in motion that consume CPU cycles at the site: Fraud prevention is activated; databases are accessed; authentication routines are run; and geolocations are reviewed. All those processes are performed whether a legitimate user or a fake persona is trying to log into the site.
As an attacker, I would hit "that login page with a bunch of bogus usernames and passwords, knowing each request uses up a lot of resources of the target so I don't have to send as much volume of attack traffic as I would if I were trying to flood the network," Michael Smith, CSIRT director for Akamai Technologies, told TechNewsWorld.
"The big trend over time will be smaller attacks with the impact of larger attacks -- smarter, more nimble, more agile attacks," he said.
Schools Dazed About Security
Captain Renault would probably be as shocked as he was that gambling took place in Casablanca by a survey last week that found many colleges and universities blithely transmit documents containing sensitive personal information and financial data about their students and those students' families in naked emails.
The survey by Halock Security Labs of 162 institutions in the United States -- including schools from the Big Ten, Big Eight and Ivy League -- found half of them allowed sensitive information to be transferred in unencrypted emails and a quarter of them actually encouraged such behavior.
Those findings aren't that surprising. After all, data breaches are so common at universities that TeamShatter, a database security news, research and analysis firm, has an annual Higher Education Data Breach Madness report coinciding with the bracket choices with the NCAA March Madness basketball tournament in the spring.
This year's report found 51 universities suffered data breaches in 2012, resulting in more than 1.9 million records being compromised -- an all-time high, and more than three times the number compromised in 2011.
Are universities that different from any other organization dealing with high-touch customers?
"I just applied for a mortgage, and a lot of what I did was sending tax documents either by fax or through email," Matthew Green, a professor specializing in cryptography in the computer science department of Johns Hopkins University, told TechNewsWorld.
"I think everybody expects these things will be sent in the clear over email," he added.
- July 26. Walgreens ordered by Marion County, Ind., jury to pay a woman US$1.44 million in damages because one of its pharmacists looked up and shared her prescription history without authorization.
- July 29. Halock Security Labs releases survey showing half of U.S. higher education institutions allow sensitive information to be sent to them via email without encryption and 25 percent encourage such transmissions. Use of unprotected email for transmitting financial and personal information puts that information at risk in the event of a data breach, the company said.
- July 31. Oregon Health and Science University reveals more than 3,000 patients may have their personal information used for promotional and other purposes because the data was stored in a consumer Google Drive account. Patients admitted to the facility between January 2011 and July 3, 2013, could be affected by the flub.
- Aug. 1. District of West Vancouver in Canada warns residents that one of its Web services was breached, compromising personal information, including information on tax and utility bills, bylaw notices, and dog and business license information. No payment card, social insurance numbers or driver's license info was at risk, because the district does not collect and store that kind of data online.
Upcoming Security Events
- Aug. 12-14. AIAA Aviation 2013: Focus on Cyber Threats to Airline Industry. Hyatt Regency Century Plaza, Los Angeles. Sponsored by American Institute of Aeronautics and Astronautics. Registration: By July 26, $1,000 non-member; $840 members. July 27-Aug. 10, $1,100 non-member; $940 members.
- Sept. 10. AT&T Cyber Security Conference. New York Hilton Midtown Hotel, Avenue of the Americas, New York City. Free with registration.
- Sept. 24-27. ASIS International 59th Annual Conference. McCormick Place, Chicago. Registration: Before Aug. 21, $895 member, $1,150 non-member. After Aug. 20, $995 member, $1,295 non-member.
- Oct. 1-3. McAfee Focus 13 Security Conference. The Venetian /The Palazzo Resort-Hotel-Casino, 3325-3355 Las Vegas Blvd., South Las Vegas. Registration: Early Bird to July 31, $875/$775 government; Standard to Oct. 3, $995/$875 government.
- Oct. 29-31. RSA Conference Europe. Amsterdam RAI. Registration: Early Bird to July 26, 895 euros+VAT delegate/495 euros+VAT one day pass; Discount from July 27 -Sept. 27, 995 euros+VAT delgate/595 euros+VAT one day pass; Standard from Sept. 27-Oct.27, 1,095 euros+VAT delegate/695 euros+VAT one day pass; Onsite from Oct. 28-31, 1,295 euros+VAT.
- Nov. 18-20. Gartner Identity & Access Management Summit. JW Marriott at L.A. Live, 900 West Olympic Boulevard, Los Angeles, Calif. Registration: Early Bird to Sept. 27, $2,075; Standard, $2,375; Public Sector, $1,975.