Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

It's time to research new ways to fight DDoS attacks

David Geer | April 7, 2015
Research shows a majority of enterprises leave DDoS protection to network-servicer providers, web-hosting services or internal resources. But these aren’t the only options for shielding your organization.

Case in point, massive botnet attacks that foreign hackers perpetrated from September of last year through at least February globally recruited IoT devices as well as x86 servers running Linux.

Based on the attack source code, the command and control IP addresses, and the payload, these botnet attacks appeared to be a new attack vector for spreading an ELF DDoS'er threat variant, according to a blog post from members of the anti-malware group called "Malware Must Die!" in Germany, who first uncovered these attacks.

Here is the story of one series of these attacks: On Nov. 15, 2014, a botnet hit FireEye servers using brute force SSH attacks, according to "Anatomy of a Brute Force Campaign: The Story of Hee Thai Limited", FireEye. By the close of January, the botnet had attacked each server with almost 1 million login attempts, according to FireEye. During this period, the attacks accounted for nearly two-thirds of traffic to Port 22 on those servers, according to FireEye data.

According to FireEye, the China-based culprits behind the attacks, Hee Thai Limited intended the SSH brute forcing campaign to infect systems with the XOR.DDoS malware. Unlike most DDoS bots, XOR.DDoS is multi-platform, enabling attackers to recompile the C/C++ source code to target many platforms, so far at least 41 different platforms, according to FireEye.

Why NSPs, Webhosts and internal resources aren't enough
Some large NSPs such as big telcos have cloud-based tools and services to re-route and scrub customer traffic to remove DDoS attacks. But where enterprises use two or more Internet providers to satisfy regulatory requirements for example, all these NSPs must be able to combat today's vast and complex DDoS attacks.

"Not all large telcos have efficient protection against these sophisticated layer-7 attacks," said Evgeny Vigovsky, Head of Kaspersky DDoS Protection, Kaspersky Labs.

Since large, overwhelming DDoS attacks--those that use more bandwidth than an enterprise has available--require solutions with a lot of bandwidth that is specifically targeted to the issue, webhosts, IT departments, and enterprise management are also unprepared to filter out DDoS traffic.

"When bots act like real users, such as with making login attempts, businesses must have extremely granular tools and accompanying experts to detect and filter out sophisticated DDoS attacks while ensuring a low rate of false positives," said Vigovsky. These layer-7 / application layer attacks can be too complex for NSPs that don't have the proper resources.

Mitigating the morphing DDoS botnet attack landscape
Specialists dedicated to anti-DDoS protection are an alternative to big telcos. There are several firms in this field such as Kaspersky Labs, Corero Network Security, Imperva's Incapsula, and Akamai's Prolexic. Such anti-DDoS providers should have cleaning / scrubbing centers, anti-DDoS experts, and anti-DDoS as a core business, said Vigovsky.


Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.