If you are going to discuss Distributed Denial of Service (DDOS) attacks, then arguably there is no better person to discuss them with than an expert from a company that protects 90% of the world’s tier one service providers from DDOS attacks. NETSCOUT Arbor includes TM and Maxis amongst their customers, they have been awarded Frost & Sullivan’s Asia anti-DDOS vendor of the year, and Tony Teo (Sales Engineering Director for Asia) is a veteran of the company. Cyber Security Asean were lucky enough to catch up with Tony at Cybersecurity Malaysia’s ACE event, which took place this week at the Royal Chulan Hotel in KL.
Tony reminded us of the three areas of Cyber Security: Confidentiality, Integrity and Availability. NETSCOUT Arbor, who specialise in DDOS, sit in the less talked about area of availability. This, combined with the fact that DDOS attacks are an old form of cyberattack (in fact the first ever DOS attack was recorded in 1974, initiated by a 13-year-old student curious to see if he could bring down a computing lab), means that it doesn’t grab the same headlines as newer attack methods like malware.
Tony explained that DDOS attacks are on the rise. He suggests that because DDOS attacks do not require coding like ransomware, they can be performed by anyone who has access to the resources to flood bandwidth with traffic; in effect, any organised group with only very basic IT skills can mobilise an attack. Perhaps even more important, Tony explained that DDOS attacks themselves are changing.
The classic DDOS attack is described as “volumetric”: it requires a lot of computing resource to execute, and often teams of people, to create enormous amounts of network traffic to bring down service providers. That is where NETSCOUT Arbor’s business started. Today, Tony explained, DDOS methods have evolved. He spoke of application attacks and stateful attacks.
These can target individual applications or even stateful devices like firewalls to bring them down. The worrying thing here is that launching an application or stateful DDOS attack really isn’t challenging at all. It doesn’t require much data or traffic to be created, so it can be launched even by single actors without any deep IT skills.
Tony explained that the ease of attack, the high success rates and the fact that the targets for DDOS are evolving mean that, despite being an old form of cyber problem, it is not going away. It continues to reinvent itself and is a problem that continues to grow.
Coming back to the idea of stateful attacks, it seemed ironic that a device like a firewall, designed to secure your network, could actually be a weak link and an attack target. Tony explained that stateful firewalls have to record open transactions on your network and have a finite amount of space in which to record them. That is what a DDOS attack will target, flooding the cache of transactions until it brings the firewall down. Tony explained that their DDOS defence device is “stateless” and can sit in front of a firewall.
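The finite state table Tony describes can be modelled in a few lines to show why table size and entry timeouts matter for capacity planning. This is an added example, not code from NETSCOUT or from the interview; the table size, rates and timeouts are constructed values chosen only for illustration.

```python
import heapq

def steady_state_entries(rate_per_s, hold_s):
    """Entries a flow class occupies once arrivals and expiries balance."""
    return rate_per_s * hold_s

def simulate(capacity, half_open_timeout, seconds=300,
             legit_per_s=20, legit_hold_s=5, incomplete_per_s=30):
    """Simplified model of a stateful device's flow table (all numbers are
    assumptions). Every new flow needs a free slot; flows that never complete
    hold their slot until half_open_timeout expires."""
    expiries = []            # min-heap of the times at which entries are freed
    refused_legit = 0
    peak = 0
    for now in range(seconds):
        # Free every entry whose timer has run out.
        while expiries and expiries[0] <= now:
            heapq.heappop(expiries)
        # Never-completing flows arrive first in each tick, then normal ones.
        for hold, count, is_legit in (
            (half_open_timeout, incomplete_per_s, False),
            (legit_hold_s, legit_per_s, True),
        ):
            for _ in range(count):
                if len(expiries) < capacity:
                    heapq.heappush(expiries, now + hold)
                elif is_legit:
                    refused_legit += 1   # table full: normal user is dropped
        peak = max(peak, len(expiries))
    return {"peak": peak, "refused_legit": refused_legit}

if __name__ == "__main__":
    for timeout in (60, 10):
        demand = steady_state_entries(30, timeout) + steady_state_entries(20, 5)
        result = simulate(capacity=1000, half_open_timeout=timeout)
        print(f"timeout={timeout}s demand={demand} entries -> {result}")
```

With the same arrival rates, the 60-second timeout asks for more entries than the table holds and normal flows are refused, while the 10-second timeout leaves headroom. That is the sizing argument behind placing a stateless filter in front of the stateful device.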
This kind of evolution has meant that in recent years, in addition to service providers, NETSCOUT Arbor have found that companies from all sectors have become users and customers as they too have become targeted directly by DDOS cyber criminals.
The CSM-ACE event where we met Tony is organised by Cyber Security Malaysia (the agency tasked with Malaysia’s cyber security defence strategy). We wondered whether NETSCOUT collaborates with and helps governments by sharing their own expertise with them. First, Tony explained that DDOS at a national level is an important issue. He has no evidence, but like many others, Tony personally feels that the sheer scale of some DDOS attacks means they are very likely to be state-sponsored acts. He then pointed out how a really coordinated attack on a power station (as an example) can be more than disruptive; it could actually be dangerous for citizens.
To this end, he explained that NETSCOUT has a large team of security engineers they refer to as ATLAS, who are constantly collating intelligence around threats and sources of DDOS attacks. Their work is available on a chargeable basis to companies who can subscribe to the ATLAS Intelligence Feed. Sometimes, however, NETSCOUT share some of this information with governments on a goodwill basis. Tony told us they can’t simply share everything and give up their commercial trade secrets, but where they think it is important they will share information with governments for the greater good.
We all know that DDOS attacks cause disruption, but we wanted to know if Tony could provide any answers as to WHY people might want to cause this disruption. Tony feels that while some may just get “a kick” out of bringing a server or service provider down, in most cases there is a more sinister reason.
In Tony’s view DDOS was the original ransomware. Cyber Criminals have been able to use the threat of a full-scale DDOS attack to extort ransoms from the targeted company. They “show their hand” and prove on a small scale what they can do, and threaten a full-scale attack unless a ransom is paid. According to Tony this has been going on since before the rise of ransomware as we know it today.
Another reason why DDOS attacks may happen is industrial and competitive sabotage. Tony couldn’t provide a named example, but he did suggest that in an industry like online gaming people suspected that one company might instigate a DDOS attack against their competitor. For online gamers if one site is not available they will look for another site on which to play.
The third reason Tony gave is Distraction. For instance by hitting a stateful device like a firewall a cyber criminal can divert the “eyes” of the security team to that device, leaving other areas of the network open to exploit.
NETSCOUT Arbor has been helping customers deal with these threats for years. Tony has seen the threat evolve and as it has done so he has seen his company keep pace with the changes. He does not doubt that the threat is here to stay and will continue to reinvent itself. As he keenly pointed out, “Just look at IoT Botnets, they make it easier to create massive volumetric attacks larger than we have ever seen before, it’s no surprise that the largest DDOS attack ever recorded happened this year.”