
FOUR questions about DDoS attacks answered

By Kordia, 14 September 2020


Unsure how DDoS attacks are launched, or what precautions you should be taking for your business? We answer the top four questions our cyber security experts have fielded in the past few weeks.

What are the DDoS attacks I’m seeing reported in the media?
Several high-profile New Zealand businesses have recently been targeted by a campaign of sustained distributed denial-of-service (DDoS) attacks. Organisations affected include NZX, the MetService, several banks and media outlets Radio NZ and Stuff.


A DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming it with a flood of Internet traffic. This is achieved by using multiple compromised computer systems as sources of attack traffic. These infected systems are typically computers and servers, but increasingly include other internet-connected devices, such as IoT devices and mobile phones. Hackers take control of devices by infecting vulnerable systems through phishing attacks, malware or other mass infection techniques.


Many owners of these machines are completely unaware their systems are being used to launch an attack.

Imagine if someone directed thousands of cars down Auckland’s Southern Motorway at rush hour, creating a monster traffic jam that clogs up the highway and prevents regular traffic from using it. This is essentially what a DDoS attack does.


These attacks can take down your website or internet facing infrastructure, causing serious disruptions and compromising your ability to keep your business going. Regular customers and legitimate web traffic may not be able to access your site or systems, which can be extremely frustrating.


Why are these attacks happening?
The likely perpetrators of the DDoS attacks impacting New Zealand are cyber criminals looking to extract payment from their victims. These attackers typically send a ransom note first, threatening to attack if their demands for payment are not met.


The attackers then strike, targeting infrastructure until it’s taken offline or the ransom is paid, or until they simply run out of patience. They may try to target different parts of a system, such as a website, a data centre or an internet provider’s infrastructure, to see what gets the best response.


These attackers thrive off fear. No doubt the choice of high-profile targets was deliberate, to send a warning to future victims – like shooting a rifle in the air. There have been reports of secondary DDoS targets being sent a ransom message from hackers along the lines of “unless you pay up, you’re next”.


DDoS attacks can also be a distraction method. By sending overwhelming traffic to one area, hackers can draw the focus away from the main target, which may be a vulnerability or backdoor, and quietly use the ensuing chaos to slip into your networks unnoticed. From here hackers can take over your network or steal your data.

The attackers behind the current campaign in New Zealand appear to be quite sophisticated. Their behaviour suggests they’re undertaking reconnaissance to find worthwhile targets, then launching DDoS attacks based on the response.

How do you stop these types of attacks?
You can’t stop a DDoS attack per se, but there are things that can be done to mitigate disruption.

One technique is called “blackholing”. Blackhole mitigation involves temporarily removing the target IP address from local and upstream routing tables. A great analogy for blackholing is to think of it as removing your letter box so the postman can’t deliver any mail – attackers simply won’t have anywhere to send their malicious traffic. It can be possible to change the address more permanently in some situations, particularly for prolonged attacks.


Another solution is called “scrubbing”. This works by taking traffic destined for your IP address and redirecting it to a special datacentre, where the malicious traffic is “scrubbed” or isolated from the legitimate traffic and “cleaned”. Only clean traffic is forwarded to the intended destination. A typical scrubbing provider will have multiple global datacentres and large bandwidth, sometimes more than 350Gbps. If you are facing a DDoS attack, you can enlist a scrubbing service to redirect your traffic to the closest scrubbing centre to be cleaned.
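The two mitigations above make different trade-offs: blackholing discards everything addressed to the victim (the letter box is gone for legitimate customers too), while scrubbing diverts the victim’s traffic, discards what the scrubbing centre judges malicious and forwards the rest. The following is an added example, not code from Kordia or any provider mentioned on this page, that models both over a constructed set of flow records. The addresses, the packet threshold and the per-flow “looks spoofed” verdict are all assumptions made for the illustration; a real scrubbing centre uses far richer signals than a single flag.

```python
"""Toy model of DDoS detection plus two mitigations, blackholing and scrubbing.
Added example, not the page's or any vendor's code. All addresses, thresholds
and the per-flow verdict are constructed assumptions for illustration only."""
from collections import Counter, defaultdict

# Constructed flow records: (src_ip, dst_ip, packets, looks_spoofed).
# looks_spoofed stands in for whatever verdict a scrubbing centre would reach
# about a flow (e.g. a half-open handshake or an unroutable source); it is an
# assumption, not a real classifier.
FLOWS = [
    ("203.0.113.5", "198.51.100.10", 12, False),   # legitimate visitor to the website
    ("203.0.113.7", "198.51.100.10", 8, False),    # legitimate visitor to the website
    ("203.0.113.9", "198.51.100.20", 5, False),    # legitimate traffic to a separate mail host
] + [
    (f"192.0.2.{i}", "198.51.100.10", 500, True)   # constructed flood towards the website
    for i in range(1, 41)
]

# Assumed threshold: packets per measurement interval that trips mitigation.
VICTIM_THRESHOLD_PKTS = 1000


def detect_targets(flows, threshold=VICTIM_THRESHOLD_PKTS):
    """Return the set of destination IPs whose inbound packet count exceeds the threshold."""
    per_dst = Counter()
    for _src, dst, pkts, _bad in flows:
        per_dst[dst] += pkts
    return {dst for dst, pkts in per_dst.items() if pkts > threshold}


def blackhole(flows, targets):
    """Blackholing: the target address is withdrawn from routing, so every flow
    destined for it is dropped, legitimate and malicious alike.
    Returns (forwarded_flows, dropped_flows)."""
    forwarded = [f for f in flows if f[1] not in targets]
    dropped = [f for f in flows if f[1] in targets]
    return forwarded, dropped


def scrub(flows, targets):
    """Scrubbing: only flows for the targets are diverted; those the scrubbing
    centre judges malicious are discarded and clean ones are forwarded on.
    Returns (forwarded_flows, dropped_flows)."""
    forwarded, dropped = [], []
    for f in flows:
        if f[1] in targets and f[3]:
            dropped.append(f)
        else:
            forwarded.append(f)
    return forwarded, dropped


def summarise(forwarded, dropped):
    """Packets delivered and dropped, split by whether the flow was part of the flood."""
    totals = defaultdict(int)
    for _src, _dst, pkts, bad in forwarded:
        totals["attack_delivered" if bad else "legit_delivered"] += pkts
    for _src, _dst, pkts, bad in dropped:
        totals["attack_dropped" if bad else "legit_dropped"] += pkts
    return dict(totals)


if __name__ == "__main__":
    targets = detect_targets(FLOWS)
    print("mitigation triggered for:", sorted(targets))
    print("blackhole:", summarise(*blackhole(FLOWS, targets)))
    print("scrub:    ", summarise(*scrub(FLOWS, targets)))
```

Run as a script, the output shows why the page recommends asking about both options: blackholing stops the flood but also drops the 20 legitimate packets bound for the website, while the mail host on its own address keeps working (the same reason the page later suggests partitioning critical services from likely targets). Scrubbing, under the constructed verdict, drops only the flood and delivers all legitimate traffic.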

Is a DDoS attack really that bad?

While the examples we’ve seen here in New Zealand appear to be typical of what we would expect from a DDoS attack, the scale seems to be fairly large. Many businesses would be disrupted from this type of attack, so it’s unwise to underestimate just how serious this activity can be. Kiwi businesses shouldn’t be complacent by thinking it won’t happen to them. If Amazon’s AWS could be taken down by a DDoS attack in 2019, it’s fair to say no one can be 100% immune to this cyber threat.

The criminals behind this attack appear to have significant resources considering they targeted an organisation of national importance. The fact that the GCSB have jumped in to help shows how serious and real this is.

What should I do if I think I’m going to be targeted?
The NCSC has put together a great checklist for businesses to prepare for a DDoS attack.

The key is to speak to your internet and cyber security providers and make sure they have the capabilities in place to mitigate an attack. Ask if they offer blackholing and if you’re covered for it. You may also want to enquire about scrubbing services.


To be prepared, partition your critical online services (e.g. email) from those more likely to be targeted (e.g. your website and hosting) ahead of time. This will make it less likely you lose control of multiple systems if one is overwhelmed. Likewise, preparing a static version of your website that requires minimal processing and bandwidth will help you maintain continuity of service should the worst happen.


Also check your business hasn’t been compromised by attackers who could use your systems for a DDoS attack somewhere else. Some cyber security providers offer detection capabilities to identify malware infections on systems within your network.


Kordia offers blackholing services for all our internet customers, and Aura Information Security is on hand to give you the best advice if you have any concerns about DDoS attacks impacting your business. Through our partner Redshield we can offer options for scrubbing solutions. Talk to our team about how we can help your business prepare.