September 24, 2015

Protecting your business from denial of service

A denial of service (or DoS) attack is designed to disrupt a website in order to prevent legitimate users from accessing it. The attackers ‘flood’ the website with many connection requests, far too many for the website to handle, and as a result the website is knocked offline.

In 2000, a high school boy single-handedly shut down some of the world’s biggest websites, including eBay, Amazon and Yahoo. It was the first time a ‘denial of service’ attack gained public attention. “Back then, hacking efforts such as this were purely ego-driven; done simply for notoriety among other hackers”, says David Powell, NAB’s Chief Security Officer. “These days, the motivation behind denial of service attacks is financial gain and service disruption, and unlike the events in 2000, the more likely victims of these attacks are not large corporations, but small business websites.”

What is denial of service attack?

A denial of service (or DoS) attack is designed to disrupt a website in order to prevent legitimate users from accessing it. The attackers ‘flood’ the website with many connection requests, far too many for the website to handle, and as a result the website is knocked offline.

These attacks may be perpetrated by criminal groups using ‘botnets’ – a large number of computers which have been infected with malicious software, rendering them as ‘zombies’ which can be controlled remotely by an attacker. Powell says “criminals create botnets through surreptitiously installing malicious software onto a vast number of computers. The malicious software may be spread by spam emails or by poisoning websites – so anyone who visits that website is infected. The owner of the computer has no idea their computer has been compromised and is being used as part of a robot army”.

The number of zombies in a botnet can be in the many thousands, and they can be located anywhere in the world. When an attack is launched in this way, it’s known as a ‘distributed denial of service’ (DDoS) attack, meaning the website is being inundated with requests from locations around the world in very high numbers. Powell says “this can make the sheer volume of the attack difficult for the victim website to withstand, and it simply falls over.”

More recently, hacktivist groups, such as Anonymous, have used DDoS attacks as a form of social and political protest. “Knocking a website offline is a pretty effective way to guarantee media attention” says Powell.

Businesses at risk of being targeted

But it is not only large companies that suffer from DDoS attacks – any business with an online presence is at risk of being targeted. Research conducted last year found that 64% of Australian businesses had been targeted by DDoS attacks[1]. “DDoS is an effective tool used by criminals for extortion. An attack group may threaten an online business with a DoS attack unless the business pays a ransom” says Powell.

In May this year, a group known as the ‘DD4BC Team’ has been targeting businesses in Australia and New Zealand. The group has previously targeted businesses in Europe. Their motivations are purely financial; they are threatening businesses with DDoS attacks in order to extort payments in Bitcoins (a type of virtual currency). The extortion attempt may begin with a short DDoS attack to demonstrate to the target the potential impact after the ransom demand has been issued. The ransom demands have been issued via email.

Being unable to offer an online service even for a small time period can be crucially damaging for an organisation. Powell explains “the cost of DDoS attack goes beyond lost revenue; the cost of restoring an Internet system can include many aspects, such as reconfiguring the server or replacing damaged infrastructure. Then there is reputational damage to the company’s brand – customers can lose confidence in the security of a business or service if it is inaccessible or labelled as a target”. A survey conducted in the US in 2014 found on average, a DDoS attack costs a business roughly $40,000 per hour. [2]

Four steps to protect your business from Denial of Service

While there is little a business can do deter a potential attack, Powell says SMBs can take some precautionary measures to be prepared: “basic IT security hygiene must be observed in order to prevent giving criminals ‘footholds’ in infrastructure.”

Step One: Ensure security patches are regularly applied, and ensure websites run on separate infrastructure to critical business systems.

Step Two: Understand what your online presence is – some websites contain only static information, like service brochures and product descriptions, an attack on a brochureware site may cause reputational damage to your business, however, if your website is also transactional, that is, customers can purchase directly from  you, then an attack will impact both your revenue and reputation.

Step Three: Don’t wait until something goes wrong – Understand who’s hosting your website, get to know the services your Internet Service Provider (ISPs) may offer, and any service level agreements that are part of your contract, including monitoring of the performance and uptime of your website. Some ISPs may partner with a cloud-based DDoS mitigation service, for example Telstra offers their Arbor solution and Optus partners with Akamai. Cloud-based mitigation services are scalable to the size of the attack. The aim of cloud-based DDoS mitigation solutions is to ensure websites being attacked remain online and accessible for real customers. “Cloud-based DDoS mitigation services can be effective in defending against DDoS attacks” says Powell, “they often offer their clients a detection service to alert if a website is being attacked, and because they are cloud-based, can be deployed quickly without hardware, software or web application changes.”

Step Four: Have an incident response plan in place – Finally, Powell says “Businesses should follow their incident response plan and keep in close contact with ISPs and any other DDoS mitigation providers. The guiding objective through any response is to continue providing an accessible service to customers. Where that is not possible, the objective is to restore normal business function as soon as possible.”

Assistance and advice

  • Businesses need to be alert to extortion attempts made via email or phone and are advised to notify law enforcement immediately.
  • SMBs are encouraged to report such incidents to the Australian Cybercrime Online Reporting Network (ACORN). This is a secure reporting and referral service for cybercrime and online incidents which may be in breach of Australian law. Certain reports will be directed to Australian law enforcement and government agencies for further investigation.
  • Major businesses are encouraged to report cyber security incidents to Australia’s Computer Emergency Response Team, CERT Australia, through the following channels:

More from NAB: