Cyber criminals are wreaking havoc with the IT systems of Australian enterprises, with six in 10 companies admitting they have suffered multiple system crashes lasting up to six hours, as the result of distributed denial-of-service attacks in the past year.
DDoS attacks use networks of compromised computers to send millions of requests to online services and websites at once, taking them offline.
According to a survey by BT Security, an arm of British Telecom, 63 per cent of Australian respondents were victims of multiple crashes lasting up to six hours, higher than the global average of 41 per cent. Organisations took 12 hours to fully recover from an especially powerful attack on average.
Phil Rodrigues, a BT director of security architecture, told IT Pro that DDoS attacks were becoming more frequent. The research indicates that 71 per cent of companies affected had been hit more than once.
“DDoS can be used for many purposes: protest, vandalism, bragging rights, extortion, industrial espionage and even as a prelude to war,” he said.
Rodrigues said the attacks were increasingly being used to distract IT security staff while the attacker pursued their real goal: system penetration. In one instance attackers had mounted a DDoS attack against a bank’s domain name server, blocking access to its site and diverting log in requests to a fake site in order to steal passwords.
Data from Arbor Networks - a company specialising in DDoS protection - suggests that most DDoS attacks have purposes other than simply blocking access, because they are quite short.
Nick Race, Arbor Networks’ country manager for Australia and New Zealand, said the company had seen 31,000 DDoS attacks against Australian systems in the first six months of 2014, with 91 per cent being of less than 30 minutes duration and less than 4 per cent greater than 24 hours.
“The biggest attack was 66 gigabits per second, back in February, but it only lasted for 14 minutes.”
He added that even a short DDoS attack could impact systems long after it had ended. “An attack can cause catastrophic damage to the infrastructure which could take it off line for much longer while people reboot systems etc.”
According to Rodrigues, such has been the growth in attacks that large organisations that are particularly susceptible, such as banks, now have DDoS protection running 24 x 7. “It used to be the case as recently as two years ago that people would only turn on DDoS protection when they needed it, but today global banks and most global organisations will always have DDoS mitigation in place.”
While on-premises DDoS protection has limited capability to block an attack - which can overload inbound communications links - Race said it was essential. “You need DDoS defence on-premise that is always on and ready to mitigate at a moment’s notice and also have a mechanism of linking up to the ISP above you when the attack gets so big that the internet links to the enterprise gets saturated.”
However DDoS attacks are becoming more sophisticated and moving from simply being high volumes to targeting specific applications. BT says that multi-vector attacks have increased 41 percent in the past year, and Rodrigues said, these were much harder to defend against.
“Rather than trying to simply flood the target’s network an attack will send lots of, for example, log in requests that never finish so the server is just waiting for the other half of the log in to come. It never does and eventually the server cannot listen any more and nobody else can log in. These have become very effective at slicing through network-based defences.”
While all organisations are vulnerable to such attacks, Rodrigues said it was import for smaller organisations to assess their impact and not overspend on defences. He suggested they could avail themselves of cloud-based services.
“Because the attacks are generally small they are able to take advantage of shared service on the Internet to absorb the DDoS traffic and only forward the clean traffic. They are easy to set up and cost-effective because they use shared platforms, but they are not going to stop a nation-state from attacking you.”