A denial of service (or DoS) attack is designed to disrupt a website in order to prevent legitimate users from accessing it. The attackers ‘flood’ the website with many connection requests, far too many for the website to handle, and as a result the website is knocked offline.
In 2000, a high school boy single-handedly shut down some of the world’s biggest websites, including eBay, Amazon and Yahoo. It was the first time a ‘denial of service’ attack gained public attention. “Back then, hacking efforts such as this were purely ego-driven; done simply for notoriety among other hackers”, says David Powell, NAB’s Chief Security Officer. “These days, the motivation behind denial of service attacks is financial gain and service disruption, and unlike the events in 2000, the more likely victims of these attacks are not large corporations, but small business websites.”
These attacks may be perpetrated by criminal groups using ‘botnets’ – a large number of computers which have been infected with malicious software, rendering them as ‘zombies’ which can be controlled remotely by an attacker. Powell says “criminals create botnets through surreptitiously installing malicious software onto a vast number of computers. The malicious software may be spread by spam emails or by poisoning websites – so anyone who visits that website is infected. The owner of the computer has no idea their computer has been compromised and is being used as part of a robot army”.
The number of zombies in a botnet can be in the many thousands, and they can be located anywhere in the world. When an attack is launched in this way, it’s known as a ‘distributed denial of service’ (DDoS) attack, meaning the website is being inundated with requests from locations around the world in very high numbers. Powell says “this can make the sheer volume of the attack difficult for the victim website to withstand, and it simply falls over.”
More recently, hacktivist groups, such as Anonymous, have used DDoS attacks as a form of social and political protest. “Knocking a website offline is a pretty effective way to guarantee media attention” says Powell.
But it is not only large companies that suffer from DDoS attacks – any business with an online presence is at risk of being targeted. Research conducted last year found that 64% of Australian businesses had been targeted by DDoS attacks[1]. “DDoS is an effective tool used by criminals for extortion. An attack group may threaten an online business with a DoS attack unless the business pays a ransom” says Powell.
In May this year, a group known as the ‘DD4BC Team’ has been targeting businesses in Australia and New Zealand. The group has previously targeted businesses in Europe. Their motivations are purely financial; they are threatening businesses with DDoS attacks in order to extort payments in Bitcoins (a type of virtual currency). The extortion attempt may begin with a short DDoS attack to demonstrate to the target the potential impact after the ransom demand has been issued. The ransom demands have been issued via email.
Being unable to offer an online service, even for a short period, can be critically damaging for an organisation. Powell explains “the cost of a DDoS attack goes beyond lost revenue; the cost of restoring an Internet system can include many aspects, such as reconfiguring the server or replacing damaged infrastructure. Then there is reputational damage to the company’s brand – customers can lose confidence in the security of a business or service if it is inaccessible or labelled as a target”. A survey conducted in the US in 2014 found that, on average, a DDoS attack costs a business roughly $40,000 per hour [2].
While there is little a business can do to deter a potential attack, Powell says SMBs can take some precautionary measures to be prepared: “basic IT security hygiene must be observed in order to prevent giving criminals ‘footholds’ in infrastructure.”
Step One: Ensure security patches are regularly applied, and ensure websites run on separate infrastructure to critical business systems.
Step Two: Understand what your online presence is – some websites contain only static information, like service brochures and product descriptions. An attack on a brochureware site may cause reputational damage to your business; however, if your website is also transactional (that is, customers can purchase directly from you), then an attack will impact both your revenue and reputation.
Step Three: Don’t wait until something goes wrong – understand who’s hosting your website, and get to know the services your Internet Service Provider (ISP) may offer and any service level agreements that are part of your contract, including monitoring of the performance and uptime of your website. Some ISPs may partner with a cloud-based DDoS mitigation service, for example Telstra offers their Arbor solution and Optus partners with Akamai. Cloud-based mitigation services are scalable to the size of the attack. The aim of cloud-based DDoS mitigation solutions is to ensure websites being attacked remain online and accessible for real customers. “Cloud-based DDoS mitigation services can be effective in defending against DDoS attacks” says Powell, “they often offer their clients a detection service to alert if a website is being attacked, and because they are cloud-based, can be deployed quickly without hardware, software or web application changes.”
Step Four: Have an incident response plan in place – Finally, Powell says “Businesses should follow their incident response plan and keep in close contact with ISPs and any other DDoS mitigation providers. The guiding objective through any response is to continue providing an accessible service to customers. Where that is not possible, the objective is to restore normal business function as soon as possible.”
© National Australia Bank Limited. ABN 12 004 044 937 AFSL and Australian Credit Licence 230686.