On the flipside of the bandwidth boom in South Africa, there has been a significant increase in Distributed Denial of Service (DDoS) attacks at an application level in the country, says Fortinet.
By Perry Hutton, Regional Director Africa, Fortinet
Until recently, distributed denial of service (DDoS) attacks were complex to launch and appeared to target mainly high-profile organisations and websites. But this has all changed. Now everyone is at risk.
A DDoS attack, in which services of a host connected to the internet are suspended, can be generally classified into two categories:
- Volumetric attacks: Flood attacks that saturate network bandwidth and infrastructure (e.g. UDP, TCP SYN and ICMP floods).
- Application-layer attacks: These attacks are designed to target specific services and exhaust their resources (e.g. HTTP, DNS). Because they use less bandwidth, they are harder to detect. From the attacker's point of view, the ideal outcome of an application-layer DDoS attack is that all other services remain intact while the webserver itself is completely inaccessible.
Now, anyone connected to the Internet is a possible target. Recent highly visible attacks have been driven by political motives, state-sponsored cyber warfare, social activism and organised cyber crime, and made easier by the ready availability of DDoS tools and botnets for hire.
People often assume only ISPs and webservers can be targets, but targets also include other services, such as mail servers, firewalls, VoIP gateways and file-sharing. Victims may include financial institutions, e-tailers, gaming sites, SaaS, government, critical infrastructure, cloud providers and popular sites. For example, Independent Newspapers subsidiary IOL recently fell victim to a DDoS attack, for which a group calling itself Anonymous Africa claimed responsibility. The group tweeted that it had taken the site down over IOL's alleged support of Robert Mugabe.
The cost of DDoS
The biggest risk to an organisation from DDoS attacks is the potential loss of data and the negative impact from downtime. When online retailers go offline, they lose revenue; when trading systems are attacked and cannot trade, they lose revenue. Companies and organisations that have their websites defaced or taken down can suffer substantial damage to their brand and image.
In addition to lost revenue due to downtime, there are also costs related to IT analysis and recovery, loss of worker output, and possibly also financial penalties from broken service level agreements.
It used to be quite an undertaking to launch a DDoS attack, requiring sophisticated tools and many collaborators. Now, however, with the prevalence on the Internet of ready-made DDoS tools and botnets for hire, executing an effective DDoS attack is very easy and possible at low cost. Hence we expect to see a sharp increase in DDoS attacks coming from a wide variety of sources.
Setting up a defence
In this changing environment, it is essential that organisations put the right multi-layer defences and DNS server protection in place, as well as drafting a response plan, to guard against DDoS attacks and their impact on the business and its reputation.
A multi-layer strategy is crucial in DDoS protection. This includes dedicated on-premise solutions to defend and mitigate threats from all angles of the network. These tools should provide anti-spoofing, host authentication techniques, packet level and application-specific thresholds, state and protocol verification, baseline enforcement, idle discovery, blacklists/whitelists and geolocation-based access control lists. Solutions should not only detect application-layer DDoS attacks and efficiently block common, generic or custom DDoS attack techniques and patterns, but should also have the ability to learn to recognise both acceptable and anomalous traffic behaviour patterns based on traffic flow.
As part of an overall defensive strategy, organisations must protect their critical assets and infrastructure. Many firms maintain their own DNS servers for Web availability, and these are often the first systems to be targeted during a DDoS attack. Once the DNS servers are hit, attackers can easily take down an organisation's Web operations, creating a denial of service situation. DNS protection solutions available on the market today can protect against intrusions aimed at the transaction ID, UDP source port and case randomisation mechanisms.
Organisations also need a way to maintain vigilance and monitor their systems before, during and after an attack. The best defences will incorporate continuous and automated monitoring, with alert systems that sound alarm bells and trigger the response plan should DDoS traffic be detected.
It's important to have granular visibility and control across the network. This visibility helps administrators get to the root cause of an attack and block flood traffic while allowing legitimate traffic to pass freely. It also gives administrators the ability to conduct real-time and historical attack analysis for in-depth forensics. In addition, advanced source tracking features can help defensive efforts by pinpointing the address of a non-spoofed attack, and can even contact the offender's domain administrator.
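The per-source thresholds, baseline enforcement and flood detection described above, shown as an added illustration rather than anything from Fortinet's products: a learned baseline of requests per source per minute from a known-clean period, then detection of sources whose rate exceeds that baseline in live logs. The log lines, IP addresses (RFC 5737 documentation ranges) and timestamps are constructed for this example.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: client ip, identity, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_events(lines):
    """Return (ip, timestamp) pairs; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((m.group(1), datetime.strptime(m.group(2), TS_FMT)))
    return events

def window_counts(events, window_sec):
    """Requests per source per fixed-size time window (bucket = epoch seconds // window)."""
    counts = Counter()
    for ip, ts in events:
        counts[(ip, int(ts.timestamp()) // window_sec)] += 1
    return counts

def learn_baseline(events, window_sec, floor=5):
    """Baseline enforcement: per-source requests per window from a clean period, mean + 3 sigma, never below floor."""
    rates = list(window_counts(events, window_sec).values())
    return max(floor, statistics.mean(rates) + 3 * statistics.pstdev(rates))

def detect_floods(events, threshold, window_sec):
    """Return {ip: peak requests per window} for sources exceeding the learned threshold (candidates to block)."""
    peaks = defaultdict(int)
    for (ip, _bucket), n in window_counts(events, window_sec).items():
        if n > threshold:
            peaks[ip] = max(peaks[ip], n)
    return dict(peaks)

def make_lines(ip, start, count, spacing_sec):
    """Constructed access-log lines for this example (not real traffic)."""
    return [f'{ip} - - [{(start + timedelta(seconds=i * spacing_sec)).strftime(TS_FMT)}] "GET /index.html HTTP/1.1" 200 512'
            for i in range(count)]

T0 = datetime(2013, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
# Clean training period: two legitimate clients at roughly 6 to 9 requests per minute (constructed).
CLEAN = make_lines("198.51.100.7", T0, 60, 10) + make_lines("198.51.100.8", T0, 60, 7)
# Live period an hour later: same clients plus one source issuing 120 GETs in one minute, an HTTP flood (constructed).
T1 = T0 + timedelta(hours=1)
LIVE = make_lines("198.51.100.7", T1, 6, 10) + make_lines("198.51.100.8", T1, 6, 10) + make_lines("192.0.2.10", T1, 120, 0.5)

WINDOW = 60
THRESHOLD = learn_baseline(parse_events(CLEAN), WINDOW)
FLAGGED = detect_floods(parse_events(LIVE), THRESHOLD, WINDOW)
```

In practice the flagged sources feed the alerting and response plan rather than an automatic block, since a spoofed or shared source address can make legitimate clients look like flood sources.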
Fortinet is a worldwide provider of network security appliances and a market leader in unified threat management (UTM). Our products and subscription services provide broad, integrated and high-performance protection against dynamic security threats while simplifying the IT security infrastructure. Our customers include enterprises, service providers and government entities worldwide, including the majority of the 2012 Fortune Global 100. Fortinet's flagship FortiGate product delivers ASIC-accelerated performance and integrates multiple layers of security designed to help protect against application and network threats. Fortinet's broad product line goes beyond UTM to help secure the extended enterprise - from endpoints, to the perimeter and the core, including databases and applications. Fortinet is headquartered in Sunnyvale, Calif., with offices around the world.