Distributed Denial of Service attacks (DDoS)or Ransom-Based
Distributed Denial of Service attacks. (RDDoS) are on the increase and are becoming
more aggressive and threatening in their nature.
What exactly is a DDoS and a RDDoS and what can we do if we become
the target of an attack?
Cyber-attacks are on the increase, are becoming more threatening and are demanding more from their victims. In June 2021, the media network, Al Jazeera reported a DDoS attack designed to disrupt its network. One month later, as the US celebrated the 4th of July, hundreds of US companies were hit by a ransomware attack demanding 70 million dollars in Bitcoin. More than 200 organizations across Belgium, including the government and parliament websites and other services, were also the victims of recent DDoS attacks. These attacks are becoming more sophisticated and there is a pressing need for companies to address vulnerabilities to prevent such attacks. As more employees work remotely and our traditional business practices change, human error, unsecure home working environments may all contribute to greater opportunities for hackers. It could also be a case that the large amount of publicity for recent attacks may have emboldened more criminals to join the lucrative world of Cyber- attacking. Between January 2020 and March 2021, DDoS attacks increased by 55% and showed signs of becoming more complex, with 54% of incidents using multiple attack vectors. The technology sector was the most targeted, receiving 27% of all DDoS attacks over the past 15 months.
How a DDoS attack happens
When browsing the internet, users can unwittingly download spyware or be targeted by phishing emails and keylogging software. This interference is designed to allow hackers into the systems from where they can harvest information for fraud and identity theft to occur or to launch their attacks. In the case of a DDoS attack, hackers will attempt many different ways to find access into a system. The recent devastating attack against Irelands health system may have been due to something as simple as an employee clicking a link. A classic DDoS attack uses one computer and automated software to simply send multiple nuisance requests to the target server. This causes the victims server to overload from the strain of bogus and useless traffic blocking up the bandwidth. The hardware – websites, intranet, network – become strained, overburdened and cannot function. Legitimate traffic cannot get in or out.
A ransom-based attack, the
RDDoS, is a DDoS with an added ransom or fine to be paid either before or
during the attack. It works on the same
principles as mafia protectionist extortion.
Pay us money and we won’t mess you up! It’s a tough scenario, as the
more businesses who pay the hackers, the more they are spurred on to continue
their nasty scams. The ‘Goodfellas’ of
the internet. Ransoms are often
requested in Bitcoin and the popularity of crypto currencies has made it easier
for internet criminals to launder money and continue their nefarious schemes.
Botnets. A botnet would be a perfect name for the next generation of Minions in a Pixar classic. Sadly, they are robot networks, or botnet armies of hundreds and thousands of unwitting internet connected computers, which have been affected by malware and are under the control of a Botmaster or Botherder. These zombie botnets are accessed by the cyber criminals botmaster computer to launch the attacks on the victim’s server. The owner of these infected computers may not be aware that their computer has been compromised and hijacked to cause harm. Recently, botnets have become available for hire. For a ridiculously small amount of money and through a PayPal account, a cybercriminal can rent a botnet and for a few dollars more, arrange a cyber hit on a victim.
There are three reasons for cyber assaults. Personal motives, political motives and financial
gain. A Denial-of-Service attack will cause huge inconvenience by slowing down
the network and preventing legitimate business to continue. This results in a
loss of income and possible repair costs.
If there is no ransom attached, then the only obvious reason for the
attack is the desire to cause these difficulties for the victim company. As with all crimes, the attack may be
motivated by a grievance, or it may be as a result of perceived injustice. Hacktivists
may be making a political statement. Disgruntled employees or jealous
competitors may want to make life unpleasant.
It might also just be a random attack perpetrated by someone, simply
because they can. In the
end, financial gain is most common reason for a DDoS attack.
Types of Attack
Bandwidth consumption. The
attacker overloads the server with a large amount of traffic, requests and data
packets denying access to genuine users.
Resource Starvation/ Volumetric attacks. Resource starvation attacks are designed to
use up system resources. Processors and main memory are examples of resources
that can be attacked, as is backing storage. The flooding of traffic from the
hacker may require the same process to repeat over and over and making certain
the processor is always dealing with the same issue. The continual creation of Scripts which are
then sent to the Server, forcing the creation of accounts and using up
storage. Eventually this attack starves
the system of storage and resources.
Routing: Routing attacks is
a hijacking of the router to either reroute data packets or use another system
that pretend to be a legitimate receiver of packets so that data can be
intercepted, stolen or monitored or used for flooding bogus traffic. It can keep the router so busy that you lose
out for normal use.
DNS: Acting as the Internet’s address book and backbone of today’s digital services, it’s unsurprising that DNS is an increasingly appealing target for malicious actors, particularly as more consumers turn to websites during peak online shopping period. The Domain Name System (DNS) is the Internet service that resolves common domain names (such as www.example.com) to their corresponding Internet IP addresses when users try to connect to a website. DNS DDoS attacks are another form of flood attacks where the attacker sends a huge volume of fake DNS requests directly to the victim’s DNS server for the sole purpose of overloading it.
Is a Ransomware attack different?
Ransomware is malicious software that encrypts an organization’s
systems and databases, making them unusable. Nice, eh? Unlike a ransomware
attack, a DDoS ransom attack does not encrypt a company’s systems but seeks to
disrupt and send the victims offline by flooding the system.
Signs and Symptom of a DDoS attack
The symptoms like the hackers themselves can be unpredictable and
may vary. A DDoS attack often flags up
as a spike in traffic. If a huge surge in traffic occurs and you haven’t gone
viral on Tik Tok in the last few hours, it’s a good indication that an attack
is underway. Often a company or
organisation can be unaware of an attack until they receive numerous complaints
about a website that is slow to respond or appears to be having technical
issues or is completely unreachable.
What can be done
There is not a whole lot that can be done while you are under attack. Like most of the nasty viruses of the world, you may have to hunker down, sit it out and assess and repair the damage later. A DDoS attack can last as long as 24 hours and often in the case of ransom attacks, they continue until the hackers realise that the company is not going to pay up. (Or until they pay up!) Cloudflare continues to see a large percentage of DDoS attacks that are quite short and in 2021, 97% of all DDoS attacks lasted less than an hour. It is difficult to prevent attacks such as these as you may end up blocking legitimate traffic as well as the dodgy hackers.
It is advisable for all organisations to have a DDOS Mitigation plan prepared in the event of a cyber-attack so that you might allay some of the damage. This can include implementing a DDoS protection using an on-premises solution, a DDoS scrubbing service, or hybrid. Use both the network and web application firewalls. Having a VPN, a virtual private network, gives you an encrypted connection from your device to the network. It goes some way toward keeping data safe from unwanted attention. If your network provider is large enough, they may be able to do some ‘re-routing ‘of the traffic elsewhere. Use firewalls and intrusion detection systems to monitor and analyse traffic. An anti-virus programme should curb malware infections. Use anti-virus solutions to curb malware infections and if possible, a network-based intrusion detection system. Update and apply any security patches and putting a block on suspect IP addresses. Once the cyber-attack has ceased, an analysis of the attack may provide some patterns and identifying which countries were the source of the attack. However, finding the source of some hijacked botnets is not going to be useful when searching for the original attackers.
The pessimistic predictions from most specialists in this area is
that a cyber-attack on most organisations is now less about ‘if’ an attack will
come, and more about ‘when’. It seems that
DDos attacks can now be added to the gloomy list of expected life events of the
In Ireland, hacking is an offence under section 2 of the Criminal Justice (Offences Relating to Information Systems) Act 2017 (the “2017 Act”) and ‘denial of service attacks or ‘infection of IT systems’ is dealt with separately under section 8 of the 2017 act. In the U.S. phishing alone can carry a 5yr prison sentence and a maximum of 10 years for DDoS attacks. Long prison sentence is not a deterrent when the criminal remains at large, and most hackers do remain elusive and free. Preventative measures, vigilance and countermeasures to mitigate an attack are essential for every organisation as we come to tackle this growing threat.