The FBI has issued a warning to businesses that there are increasing risks of DDoS attacks, having identified new 'threat vectors' which increase the risk and potential severity of attacks. So what does this mean?
DDoS stands for 'Distributed Denial of Service', which in simple terms is a malicious attempt to disrupt normal traffic to a website or server, causing a temporary disruption to business practices and operations. It is often described as akin to a traffic jam, with too much traffic clogging up the ingress and egress to a site. It might not sound like much, but often that traffic represents a business's productivity, output and potential sales, with conservative estimates placing the average cost of an attack at $120,000 for a small business and as much as $2 million for a large-scale operator. Time, after all, is money, so the longer your site or operation is down, the more costly that time is going to be.
So how does an attack work?
There are several different types of DDoS attacks, but fundamentally, legitimate devices are infected with malware or hacked, turning each individual device into a 'bot'. The hacker/attacker then has remote control and access to the device and can use its operating capacity to target their ultimate intended victim. Each compromised computer is directed at the IP address of the intended victim, and the DDoS works by harnessing a lot of 'bot' computers at the same time, so that they all make requests to the same server and overload the 'victim' with traffic. In response, the victim's website or webserver collapses, and although this might be for only a few hours, the loss of productivity and revenue has already happened, and often the effects last much longer and need significantly more technical support.
So what is the FBI warning about?
In simple terms, the FBI is warning about the 'amplification' of DDoS attacks - the ability to create more overwhelming, faster and more impactful attacks by exploiting security vulnerabilities in other services. Basic DDoS attacks rely on a network of individual devices, but these amplified attacks take aim at much larger-scale operating systems, designed to help businesses carry out their day-to-day activities, in order to gain access to and exploit much larger operating networks and therefore launch bigger, faster attacks. Ultimately, having identified one of these potential pathways, the hacker sends a small number of requests to a server, with the source IP address spoofed so that the requests appear to come from the victim; the server then sends its larger and more numerous responses to the intended victim.
In their written warning, the FBI writes: “A DDoS amplification attack occurs when an attacker sends a small number of requests to a server and the server responds with more numerous responses to the victim. Typically, the attacker spoofs the source Internet Protocol (IP) address to appear as if they are the victim, resulting in traffic that overwhelms victim resources.”
Examples of these types of amplification attacks are relatively recent, but no less threatening, including the exploitation of the Constrained Application Protocol (CoAP) in December 2018, the Web Services Dynamic Discovery protocol in summer 2019, through which 130 separate attacks were launched, and the Apple Remote Management Service (ARMS) in October 2019.
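As an added example (not from the FBI warning or this article), the following Python spots the pattern described above from the reflector's side of the network: small inbound "requests" on a service port that is answered with far larger outbound responses to the same remote address. The flow records are constructed for illustration, and the UDP port numbers for CoAP, WS-Discovery and ARMS are standard assignments assumed here, not values taken from the warning.

```python
from collections import defaultdict

# Standard UDP ports of the three services the FBI warning names. These are
# well-known port assignments, not values taken from the warning itself.
REFLECTOR_PORTS = {5683: "CoAP", 3702: "WS-Discovery", 3283: "ARMS"}

# Constructed sample flow records (not a real capture), as a flow sensor on the
# reflector's network might export them: (src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    # Small "requests" that appear to come from 203.0.113.5 to our CoAP server...
    ("203.0.113.5", 40000, "192.0.2.10", 5683, 1200),
    # ...and the far larger responses our server sends back to 203.0.113.5
    ("192.0.2.10", 5683, "203.0.113.5", 40000, 52000),
    # Same pattern against the WS-Discovery service on another host
    ("203.0.113.5", 40001, "192.0.2.11", 3702, 900),
    ("192.0.2.11", 3702, "203.0.113.5", 40001, 28000),
    # Benign CoAP exchange: request and response of similar size
    ("198.51.100.7", 41000, "192.0.2.10", 5683, 800),
    ("192.0.2.10", 5683, "198.51.100.7", 41000, 950),
    # Unrelated HTTPS traffic, ignored because 443 is not a reflector port
    ("198.51.100.8", 52000, "192.0.2.20", 443, 30000),
]

def find_amplification(flows, min_ratio=5.0, min_response_bytes=10000):
    """Return (remote_ip, service, request_bytes, response_bytes, ratio) tuples.

    Pairs inbound bytes to a reflector port with outbound bytes from that port,
    per remote address. A remote address that receives many times more bytes
    than it sends is the pattern the warning describes: spoofed small requests
    turning into large responses aimed at the real victim.
    """
    req = defaultdict(int)   # (remote_ip, service) -> bytes received from remote
    resp = defaultdict(int)  # (remote_ip, service) -> bytes sent to remote
    for src_ip, src_port, dst_ip, dst_port, nbytes in flows:
        if dst_port in REFLECTOR_PORTS:
            req[(src_ip, REFLECTOR_PORTS[dst_port])] += nbytes
        elif src_port in REFLECTOR_PORTS:
            resp[(dst_ip, REFLECTOR_PORTS[src_port])] += nbytes
    findings = []
    for key, out_bytes in resp.items():
        in_bytes = req.get(key, 0)
        # Responses with no matching request at all are treated as an unbounded ratio
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if out_bytes >= min_response_bytes and ratio >= min_ratio:
            findings.append((key[0], key[1], in_bytes, out_bytes, round(ratio, 1)))
    return sorted(findings, key=lambda f: f[3], reverse=True)

if __name__ == "__main__":
    for ip, service, in_b, out_b, ratio in find_amplification(SAMPLE_FLOWS):
        print(f"{service}: {ip} sent {in_b} B, received {out_b} B (x{ratio}) - likely reflection victim")
```

A hit means your own server is being used as a reflector against the listed address; the remedies are the steps below (patching, restricting who can reach the service, filtering at the firewall), not blocking the apparent requester, whose address is spoofed.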
How can you help combat the risk?
There are five key steps that every organisation should take to help minimise the risk that it is subject to, or used in, an attack of this type. These are to:
- Register with a DDoS mitigation service, whose role it is to help protect you from known attacks.
- Update all default passwords on any device your company owns, accesses, or uses, so that they aren't easily exploited. As an extra tip, you should also make sure your team is using robust, quality passwords.
- Implement and use multi-factor authentication wherever you can, helping to ensure that devices are not accessed by unauthorised users.
- Make sure all devices are up to date and have all current security patches and antivirus installed.
- Add a network firewall that blocks traffic from unauthorised IP addresses.