The DDOS attacks: interruptions to the heart of businesses

The concern over the companies’ cybersecurity has been centered, for a long time, on preventing the access to information and guaranteeing it is not subtracted by anyone on an unauthorized way. The obsession with preventing the hackers who enter the internet to steal, kidnap or modify the information has taken the companies to invest big amounts of budget in order to create a perimeter defense to get a barrier which protects the information from the exterior.

Nowadays the cyber-attackers have diversified their interest beyond that of getting or modifying information. Has your company thought about the scenario in which the information is safe in a way no one can subtract or modify it? It will not do any good having the information safe if it’s not available at the moment it is required given the access has been disabled.

This cyberattack is about disabling the access to  information trough the unmeasured consumption of the resources from the IT infrastructure which contains the information (i.e. a web app). These limited resources can be the processing capacity of the server and/or the bandwidth that connects to the information. When these resources are consumed in an unmeasured way the IT infrastructure will not be able to process the access of any user, including those who are legitimate. There is no information theft there is just no way to access the information because of a saturation of resources. The end result is legitimate users not being able o access their information, hence the name of distributed denial-of-service.

At day, these kind of cyberattacks are frequently directed to web apps that provide online services. Many companies have e-commerce portals, information about them and even apps of their online business, whenever these apps are compromised by a distributed denial-of-service attack, the result is the dissatisfaction of the legitimate users and the impact on the reputation of the company.

As experts, we recommend protecting both interests focuses from an attack of this kind, like the server’s processing capacity and the bandwidth of the channel used to post the service on the internet. Some companies commonly include in their information’s security policies the prevention of denial-of-service within their servers. However, they consider less important to prevent a denial-of-service in the internet channel giving access to the published online app. Therefore, considering a perimetral firewall is vital but it does not make up for a defense mechanism that offers a prevention from a distributed denial-of-service. The former implies that the firewall restricts the access of users and/or unallowed traffic through the internet channel of the online post. Nonetheless, this internet channel may lead to an unmeasured amount of traffic and/or users that do not seek to go through the firewall but simply looking to create unmeasured congestion by saturating the bandwidth available of such channel.

The mechanism of this cyberattack consists in creating and sending out a big amount of traffic that contains no information of interest which is called malicious traffic. This traffic is directed against the online app with the objective of saturating the previously described resources. The attacker usually sends out this traffic from different origins simultaneously in a distributed way. This generates a great number of sources that send erroneous traffic to the online app simultaneously. The malicious traffic sources constantly change as the firewall blocks them generating a never-ending cycle. The result is the depletion of resources over traffic congestion causing the saturation and unavailability of the resources that are being occupied processing the malicious traffic. These repetitive processes are usually made by pirate programs called Bootnets, zombie servers and any device connected to the internet in general the attacker uses as a source of the malicious traffic. The more malicious traffic sources available globally there are and more geographically scattered they are, the attack will be more distributed and with better results.

Main characteristics and risks.

Basically, a distributed denial-of-services means to unable the online apps or services. e-commerce transactions, content delivery service, among many more of the current online apps, will not be able to be used by legitimate users during the attack. In normal conditions, It is likely for these kinds of attacks to happen in high traffic moments as: payday for the baking sector, retail holydays (black Friday, Christmas) or an event of high user attendance.

The risk these kinds of attacks pose to companies go from damaging the brand and services’ reputation to the lost of the opportunity cost by not making valid transactions because of unavailability of user’s access. When facing these risks, it is mandatory that the possibilities of every company are evaluated according to the type of business, sector it belongs to and the kind of online services it posts and uses for their daily operation. From this evaluation, companies must calculate, value and monetize how much the commercial impact these interruptions in their online apps and/or services would be. Aside from the sector differences and the size of the companies it is almost certain it will always be cheaper to invest in a security measure against these types of attacks than any other materialized risk caused by an interruption.

Why is it important to prevent them?

The direct effects of the distributed denial-of-services attacks include, among others: a bad experience of the end user, loss of clients, loss of income, low productivity, wasted work hours, etc. Finally, an impact in the reputation of the company which sometimes is hard to quantify. This is why we recommend having a series of measures that include:

• Firewalls to protect exposed servers
• Two or more balanced servers to alternate the load management
• A ready-to-go back up server
• Updated operational systems that are adequately configured to avoid the functioning of everything that is not required (hardening).
• Dimensioned internet channel with the required bandwidth and capability of automatically attend traffic peaks over short time frames that exceed the available bandwidth.
• Internet with an intelligent bandwidth that counts with automatic protection and detection mechanisms from massive flood of malicious traffic behavior that consumes the available bandwidth.
• Correlation systems of security events and resolution attention and response centers to these kind of attacks
• Attractive spots for the cyber-attackers such as Honeypots.
• Quarantine sites for suspicious traffic to be analyzed with no harm to the company’s exposed server as the ones created with the SandBox.