Over the past 10 years, more and more services have moved on line, often with an expectation of 24 hour access. This shift in business practice has spawned a new breed of cyber-attack designed to limit access to these services or the data they provide. Although not new, Distributed Denial of Service attacks (DDoS) have improved in sophistication and are now far more effective than they used to be. They can be easy to set up and hard to effectively defend against.
A DDoS attack uses ‘zombie’ PCs across a botnet – an illegal network of infected computers that carry out the attack, often from multiple countries. This makes them difficult to defend against as blocking individual computers has little impact. They can rapidly overwhelm servers and take websites, applications, emails and IP telephone calls off-line.
In 2015 Q4 alone, resources in 69 countries were targeted by DDoS attacks peaking at 1,442 attacks per day, with longest attack lasting 15 days [Kaspersky DDoS intelligence report for 2015]. It doesn’t even need computers to form the botnet: in October 2015, 20,000 requests per second were found to be coming from an IP Camera botnet consisting of around 900 cameras. DDoS attacks are often by criminals: throughout 2015, the Armada Collective cybercriminal group launched DDoS attacks, often targeting email. They demanded a payment of $6,000 to end the attack.
There is no limit to the types of sites that get attacked. We recently worked with a primary school that had been attacked from a wide number of IP addresses, mainly originating in Scandinavia. You wouldn’t think that being a primary school they were a high value target, but the fact they were a Microsoft Partner school and had the Microsoft logo across their homepage and numerous Microsoft links led to them being targeted. The attack took their website and email down for 3 days.
Testing the effectiveness of DDoS defence involves simulating a DDoS attack, which although fairly easy for the attacker with access to many illegally obtained ‘zombie PCs’ within a botnet, is not so easy for a legitimate company to organise. Unless you have access to a legal botnet (which is highly unlikely), you have to use an alternative way of generating traffic from a divergent range of IP addresses. This is usually carried out by using a few servers and spoofing multiple IP addresses. The issue with this is that most data centres will shut down your servers’ access to the internet if they detect this activity, ruining your DDoS test.
At Acutest, we utilise a system that is able to generate large amount of data to accurately simulate a DDoS attack. We do it in such a manner that we aren’t blocked by the data centre and by utilising servers in multiple countries we can simulate a sophisticated DDoS attack that will effectively test your defences.
In general, all DDoS attacks attempt to exhaust your TCP connection pool, exhaust your bandwidth or exhaust your CPU and/or memory. We tend to find that this is achieved through either a Volumetric or Application Layer DDoS attack.
A Volumetric Based Attack is by far the most common. They are designed to consume bandwidth or overload your servers. You may also see them described as flood attacks and they include ICMP, TCP/UDP and SYN floods.,/p>
Application-layer DDOS attacks are highly sophisticated and target services such as HTTP, SMTP and VOIP. They are designed to carry out human like tasks and as such can be hard to defend against without also blocking legitimate traffic. For example, such a task may repeatedly download a document, upload the contents of a form or simply request a page. This type of attack has risen by 50% a year over the past 3 years [State of the Internet Report].
Before you even look at DDoS testing, we recommend looking at the normal level of load your website or application can support by running a load test. If it’s already running to the limit, then it is unlikely that any type of DDoS defence is going to be effective. Having established the base level of load you can support, we can then start a well-planned DDoS test.
Be in no doubt that at some stage, your site, application or communication methods (email, VOIP etc) will be targeted. A well planned and executed test of the type offered by Acutest will give you the confidence that your defence mechanisms will defend against most DDoS attacks, leaving the attackers to find easier targets.