Security experts have battened the hatches against the floods of illegitimate traffic that can take down websites, but the perpetrators of DDoS attacks have refined their own methods to increase the impact while requiring fewer resources to mount their assaults. “The big trend over time will be … smarter, more nimble, more agile attacks,” said Akamai’s Michael Smith.
DDoS attacks have long been a weapon of Internet dissidents to punish those they disagree with, while cybercriminals use them to create a digital smoke screen to hide their misdeeds.
DDoS attackers typically flood a website with traffic, denying legitimate users access to the server.
That tactic still works, but because computer networks are becoming more resilient, the firepower needed to launch an effective attack is steadily increasing. In response to that development, DDoS warriors are modifying their methods to get more bang for their bytes.
One of those methods is the application DDoS attack.
“An attacker looks for a weak point in an application instead of trying to consume your network resources,” Marc Gaffan, founder of Incapsula, told TechNewsWorld.
App Attack
Over time, network resources have become more robust, Gaffan explained, so saturating them requires larger and larger DDoS attacks, which require more and more resources. Application attacks can consume fewer resources for an attacker but more for a defender.
A search function on a website, for example, might be calibrated to handle 10 searches a second. “If I hit your server with 15 or 20 searches per second, I’m going to bring it to a halt,” Gaffan explained.
“I don’t have to invest in a lot of bandwidth,” he continued. “I don’t have to invest in a lot of infrastructure. It’s a DDoS attack that’s a surgical strike.”
Logging pages at banking sites have been popular targets of application DDoS attacks. When you try to log into your bank, a whole set of backend functions are set in motion that consume CPU cycles at the site: Fraud prevention is activated; databases are accessed; authentication routines are run; and geolocations are reviewed. All those processes are performed whether a legitimate user or a fake persona is trying to log into the site.
As an attacker, I would hit “that login page with a bunch of bogus usernames and passwords, knowing each request uses up a lot of resources of the target so I don’t have to send as much volume of attack traffic as I would if I were trying to flood the network,” Michael Smith, CSIRT director for Akamai Technologies, told TechNewsWorld.
“The big trend over time will be smaller attacks with the impact of larger attacks — smarter, more nimble, more agile attacks,” he said.
Schools Dazed About Security
Captain Renault would probably be as shocked as he was that gambling took place in Casablanca by a survey last week that found many colleges and universities blithely transmit documents containing sensitive personal information and financial data about their students and those students’ families in naked emails.
The survey by Halock Security Labs of 162 institutions in the United States — including schools from the Big Ten, Big Eight and Ivy League — found half of them allowed sensitive information to be transferred in unencrypted emails and a quarter of them actually encouraged such behavior.
Those findings aren’t that surprising. After all, data breaches are so common at universities that TeamShatter, a database security news, research and analysis firm, has an annual Higher Education Data Breach Madness report coinciding with the bracket choices with the NCAA March Madness basketball tournament in the spring.
This year’s report found 51 universities suffered data breaches in 2012, resulting in more than 1.9 million records being compromised — an all-time high, and more than three times the number compromised in 2011.
Are universities that different from any other organization dealing with high-touch customers?
“I just applied for a mortgage, and a lot of what I did was sending tax documents either by fax or through email,” Matthew Green, a professor specializing in cryptography in the computer science department of Johns Hopkins University, told TechNewsWorld.
“I think everybody expects these things will be sent in the clear over email,” he added.