Cybercriminals Using DDoS As Smokescreen, Experts Warn

Organized cybercriminals are increasingly carrying out denial of service attacks as a tactic to cover up their more nefarious activities, according to a warning from systems integrator Accuvant.

Increasingly available automated DDoS attack toolkits give cybercriminals an easy way to tie up system resources and often disrupt IT teams who are dispatched to remedy the problem and get critical applications back online. Attackers are increasingly using DDoS as a smokescreen, warned Craig Treubig, managing principal consultant at Accuvant.

"These events cost organizations large sums of money in the form of service-level agreements, service interruptions, and credit protection for clients affected by an attack against the enterprise," Treubig wrote in his recent analysis of the threat.

[Related: 5 Reasons DDoS Attacks Are Gaining Strength ]

id
unit-1659132512259
type
Sponsored post

The attacks can be costly to unprepared businesses, Treubig said. Expenses for an initial attack begins at $100,000 and the costs add up per hour during mitigation until the attack is fully resolved, he said.

Experts have documented the largest distributed denial of service attack ever seen earlier this week, with the volume coming in at 400 Gbps at its peak. Matthew Prince of website hosting provider CloudFlare said the attack was reported Monday and involved more than 4,500 servers in what is called a Network Time Protocol (NTP) server amplification attack. It is one in a series of high-profile DDoS attacks conducted against U.S. banks and a large 300-Gbps attack last year against Spamhaus, a nonprofit antispam blacklist provider. The alleged attacker in the Spamhaus DDoS campaign has been apprehended by authorities.

Prince said he is optimistic that network operators will address the infected NTP servers used in the latest attack. He warned that the latest attack technique could theoretically be amplified to greater peak volume.

Accuvant's Treubig said that government agencies, businesses in the oil and gas industry, manufacturers, health-care organizations and higher education may be at increased risk for more-complex blended denial of service attacks. The industries are often pursued for their intellectual property or research information, Treubig said.

Solution providers told CRN that they have been working with clients on ways to ensure they are prepared for denial of service attacks. Appliances such as firewalls often are not properly configured to handle a DDoS attack, despite having capabilities to filter out malicious traffic, the said. In addition, most clients are concerned about system availability, not an underlying cyberattack associated with the denial of service activity. However, last year, Dell Secureworks published a report documenting ACH fraud at some banks and credit unions tied to DDoS attacks. In one attack, cybercriminals fraudulently transferred $2.1 million from a bank account. The transfers often go to banks located in Russia, Cyprus and China.

In a recent interview with CRN, researchers at Burlington, Mass.-based DDoS protection vendor Arbor Networks said they were tracking the rising number of sophisticated application-layer DDoS attacks. Some businesses rely on their upstream ISPs for protection, but that can often result in some disruption, they said. The company issued recommendations to network operators this week to help reduce the threat posed by amplification attacks.

"Network operators, including the various categories of ISPs as well as enterprise network operators, should routinely scan their IP address space for insecurely configured services that can be abused by attackers, and then work to notify the operators of such services and remediate them," the company said about the latest high-profile attack. "In general, anti-spoofing technologies deployed at customer aggregation edges and/or access edges of wireline and wireless broadband access networks, hosting/co-location Internet data center networks, and enterprise networks would prevent attackers from launching spoofed attacks of any kind."

PUBLISHED FEB. 14, 2014