2013 was a “dynamic” year for distributed denial of service attacks, and 2014 likely will see the phenomenon intensifying, says Prolexic Technologies, which provides DDoS mitigation services.
A DDoS attack occurs when a malicious entity—an individual, organized criminal, or nation-state—deliberately floods a given victim’s computer system with far more data input than the system can handle. This can cause the system to crash, requiring emergency attention to deflect the attack and restore service. Often, such attacks are used as a means to divert attention from a secondary intrusion meant to collect personally identifiable information of customers, insert other malware, or otherwise cause harm to the victim.
Some of the trends for 2013 that Prolexic chronicled include:
- DDoS attack volume increased month-to-month in 2013, with 10 out of 12 months showing higher attack volume compared to 2012.
- Smaller, stealthy, and more sophisticated application layer attacks increased by approximately 42%.
- High bandwidth, volumetric infrastructure layer attacks increased by approximately 30%.
- Average DDoS attack sizes continued to increase, with Prolexic mitigating numerous attacks over 100 Gbps, the largest peaking at 179 Gbps.
- Mobile devices and apps began participating in DDoS campaigns.
“It is critical in 2014 that enterprise defences continue to keep pace with the changing DDoS threat,” says Stuart Scholly, president, Prolexic. “In addition to increased vigilance and knowledge, enterprises should also validate services from any mitigation providers they have retained to ensure the latest threats can be blocked quickly and effectively.”
Murray Walton, chief risk officer, Fiserv echoes this: “The first question you need to ask your provider is, are you prepared? Have you thought about this and defined this as a foreseeable risk? Do you have detailed plans for dealing with this, in terms of the incident itself, business continuity, disaster recovery, and customer communications?”
He was speaking during the recent ABA webcast/briefing “Distributed Denial of Service Attacks: Managing and Mitigating the Threat.” This is the first of five cybersecurity briefings ABA will offer.
Walton says that Fiserv, which offers DDoS mitigation services to more than 6,000 financial institutions, deals with one or two attacks per week, and that their frequency, duration, intensity, and complexity are all increasing. They generally fall into two categories: volumetric attacks and application-layer attacks.
Volumetric attacks are most common and are the ones that flood a target address with massive data traffic. This typically overwhelms or exhausts firewalls, load balancers, and other infrastructure. Walton says these constitute about 80% of all attacks.
Application-layer attacks are more sophisticated. They are crafted to look like legitimate traffic but target specific application functions, such as the requests used by the site’s branch locator, statement retrieval, or search features, among others. While constituting about 20% of attacks now, Walton expects that application-layer attacks may become more prevalent as defences against volumetric attacks improve.
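The two categories Walton describes leave different footprints in server logs: a volumetric flood shows up as a spike in total bytes per second arriving from many sources, while an application-layer attack keeps total traffic modest but concentrates requests on one expensive function. The following script is an added example, not part of the article or Fiserv’s tooling; it classifies each second of a constructed access log into “normal”, “volumetric”, or “application-layer” using the two signals. The log format, the thresholds, the endpoint names, and the sample traffic are all assumptions made for illustration.

```python
"""Classify per-second traffic into the two DDoS categories described in
the article (volumetric vs application-layer). Added example; the log
format, thresholds and sample lines are constructed for illustration."""
from collections import Counter, defaultdict
import re

# Constructed log line format: "<epoch_second> <client_ip> <path> <bytes>"
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+)$")

# Constructed detection thresholds (a real deployment would derive these
# from the site's own baseline rather than fixed numbers).
VOLUMETRIC_BPS = 1_000_000   # total bytes/second that counts as a flood
APP_RPS_PER_PATH = 10        # requests/second to one path that counts as a burst


def build_sample_log():
    """Constructed sample traffic: second 100 is quiet browsing, second 101
    is a volumetric flood from many sources, second 102 is a burst aimed at
    the statement-retrieval function while total bytes stay small."""
    paths = ["/", "/branch-locator", "/search", "/statements", "/"]
    lines = [f"100 10.0.0.{i + 1} {paths[i]} 1500" for i in range(5)]
    lines += [f"101 203.0.113.{i + 1} / 1000000" for i in range(20)]
    lines += [f"102 198.51.100.{i % 3 + 1} /statements 800" for i in range(12)]
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def parse_log(text):
    """Parse log lines into (second, ip, path, bytes); skip malformed lines."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            sec, ip, path, nbytes = match.groups()
            events.append((int(sec), ip, path, int(nbytes)))
    return events


def classify(events, volumetric_bps=VOLUMETRIC_BPS, app_rps=APP_RPS_PER_PATH):
    """Return {second: (label, detail)} for every second seen in events."""
    bytes_per_sec = Counter()
    paths_per_sec = defaultdict(Counter)
    sources_per_sec = defaultdict(set)
    for sec, ip, path, nbytes in events:
        bytes_per_sec[sec] += nbytes
        paths_per_sec[sec][path] += 1
        sources_per_sec[sec].add(ip)

    verdicts = {}
    for sec in sorted(bytes_per_sec):
        top_path, top_count = paths_per_sec[sec].most_common(1)[0]
        nsources = len(sources_per_sec[sec])
        # Volumetric is checked first: a flood of bytes is the dominant
        # signal regardless of which paths it happens to hit.
        if bytes_per_sec[sec] >= volumetric_bps:
            verdicts[sec] = ("volumetric",
                             f"{bytes_per_sec[sec]} B/s from {nsources} sources")
        # Otherwise a single function receiving an unusual request rate,
        # with modest total bytes, matches the application-layer pattern.
        elif top_count >= app_rps:
            verdicts[sec] = ("application-layer",
                             f"{top_count} req/s to {top_path} from {nsources} sources")
        else:
            verdicts[sec] = ("normal",
                             f"{bytes_per_sec[sec]} B/s, busiest path {top_path}")
    return verdicts


if __name__ == "__main__":
    for sec, (label, detail) in classify(parse_log(SAMPLE_LOG)).items():
        print(f"t={sec}: {label:17s} {detail}")
```

Running the script prints one line per second of the constructed log; second 101 is reported as volumetric because of its byte rate, and second 102 as application-layer because a dozen requests per second land on `/statements` even though the total byte count is smaller than in the quiet second. The point of checking the two signals separately is the one the article makes: a web application firewall or per-endpoint rate check is what catches the second pattern, which a purely bandwidth-based defence would not notice.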
Looking ahead, Walton recommends these steps:
- Create a DDoS playbook, planning your overall response in advance.
- Incorporate DDoS scenarios in your business continuity plans.
- Use your vendor management process to ask your technology service provider how they address DDoS, who does what in the event of an attack, and whether their solution architecture puts you in a “glancing blow” or a “direct hit” position if a DDoS attack occurs.
Regarding technology investment, Walton recommends investigating options for:
- DDoS detection and blocking services from your data carriers.
- On-premises devices for customized deflection.
- Web application firewalls for environments susceptible to application-layer attacks.
“Plan ahead. This is a foreseeable threat and it can happen to you,” Walton says.