DDoS attacks are becoming increasingly popular. What threat do they actually pose and what are the consequences?
DDoS attacks are a globally popular method among hackers to harm large companies. But not just them - for example, in the Czech Republic, several attacks have been carried out on the websites of ministries and the police. What consequences can they have? And is there a way to defend against them? We asked Jan Zmítko, a long-standing digital security expert at Trask.
Hi Jan, it's probably a well-known topic, but can you remind us of what exactly a DDoS attack is and how it works?
A DDoS (Distributed Denial of Service) attack is a form of cyber-attack that involves overwhelming the target system or network with a large volume of requests. This attack is distributed, meaning that the attacker uses more than one source (for example, a botnet, or a group of infected devices) to send these requests, thereby exhausting the available resources of the target system and preventing legitimate users or services from accessing it. The goal of a DDoS attack is essentially to disrupt operations and cause the unavailability of a service or network.
Recently, we have recorded an increase in these attacks, for example, at ministries and IRS components. Why are these institutions unable to defend themselves against such attacks?
I wouldn't directly say that the named institutions are unable to defend themselves against such an attack. It is necessary to consider what DDoS attack protection looks like. In other words, it often lacks economic sense to spend significant financial resources on sophisticated protection against a DDoS attack compared to the short-term unavailability of websites. Also, I do not presently have information as to whether these attacks also concerned other web services.
Speaking of the public sector, do you think there is a lack of "IT people," or are outdated technologies the main problem?
It is impossible to generalize the situation across state institutions. Currently, most state-run public services are operated in isolation by individual ministries and other public authorities. I firmly believe that ongoing initiatives will lead to change in this direction. For example, I should mention the activities of NAKIT (National Agency for Communication and Information Technologies) and their "DCeGov." But back to the question - there is a shortage of qualified IT professionals across both the private and public sectors. The ability to defend against a DDoS attack is not directly related to the age of the technologies used.
So, what are the real impacts of such attacks, and should service users be afraid of losing any sensitive data?
The impact of a DDoS attack depends on the attacker's goal. If the only goal is to limit service availability, it is not an issue in terms of data protection. Simply put, if the police website is not available for some time, what happens? Citizens cannot find the important contacts and information published there quickly.
But if your bank's website does not work, you won't be able to make payments or use your banking identity, for instance. Unfortunately, there are also DDoS attacks where the attacker tries to get servers into an abnormal error state, thereby obtaining information for further continuation of the attack or directly exploiting detected vulnerabilities. In these cases, DDoS is just a smokescreen for a more sophisticated attack, where the damage can be fatal. Imagine, for example, a situation where an attacker manages to obtain a database of users of a given web service.
I understand. And will these attacks become an even bigger problem? On Telegram, for example, numerous groups offer the rental of powerful botnets that can paralyze almost any site. Do you have any experience with this?
DDoS attacks have long been at the forefront in terms of frequency and simplicity of execution. The important question is the defined goal of a given DDoS attack. If the only goal is to flood the server with communication, causing short-term unavailability, it is not too fatal an attack from a security risk perspective. If the DDoS attack is part of a more sophisticated attack, where the hacker tries to find errors in the configuration of web servers that can be identified via DDoS, then the criticality of the attack increases rapidly.
Unfortunately, the availability of attacks as a service is still rising, meaning that we will continue to register this type of hacking at minimally the same, if not greater, frequency. We do have experience with simulation, of course, but merely because our company provides services in the field of cybersecurity, such as penetration testing. I do not have direct experience with the Dark Web, because I have never ordered such a targeted attack, as it is an illegal activity.
How much does a DDoS attack typically cost, and how frequently do they occur on the internet? Are they divided into weaker and stronger ones, for example?
The average price of similar attacks is mentioned in this statistic - we are talking about tens to thousands of dollars. Naturally, the quality changes depending on the price of the attack. Parameters such as the number of requests per second, the total duration of the attack, the geographical distribution of the botnet, or the active response to blocking the attack by active protection are worth noting. Apart from offers on Telegram, these attacks are more commonly ordered on the Dark Web. And as I already mentioned, the offer is unfortunately growing.
As of March 2023, premium-quality malware attack services could sell for up to 4,500 U.S. dollars per 1,000 installs via dark marketplaces or vendors. In turn, a DDoS attack on an unprotected website lasting for a month had an average price of 750 U.S. dollars.
Source: www.statista.com
You mentioned that "sophisticated defense" is needed, but can companies generally prepare for this type of attack in a less sophisticated way? What would you recommend as a minimum?
Simple protection of infrastructure against internet attacks is straightforward - block access from the internet. Unfortunately, this is not entirely possible in today's world, except for critical infrastructure or certain banking systems, for example. Cybersecurity is not some miraculous box that we buy. It is a very complex combination of processes and various protection elements, with detailed monitoring being an integral part. Depending on the specific service, it is possible to pay for DDoS protection from service providers. The nature of this protection depends on the architectural solution of the service.
If you are not indifferent to DDoS attack protection and do not know what to do, I recommend reading OWASP's guide to help you analyze your solution. And if your company does not have the capacity for such analysis, do not hesitate to contact us.
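The interview distinguishes two things worth watching for in monitoring: a flood of requests arriving from many distinct sources, and servers slipping into an abnormal error state that a follow-on attack could exploit. The following script is an added example, not code from Trask or from the interview: it parses constructed access-log lines in a Common Log Format-like shape (an assumption; adjust the regular expression to your server's format), buckets them per second, and flags seconds where volume spikes far above the median baseline with many distinct client addresses, as well as seconds where the share of 5xx responses rises. The thresholds (flood factor, minimum sources, error ratio) are illustrative defaults, not recommended values.

```python
"""Flag distributed request floods and error-state symptoms in access logs.

Added example, not code from Trask or the interview. The log lines are
constructed; the log format and the alert thresholds are assumptions.
"""
import re
import statistics
from collections import defaultdict

# Common Log Format-like line: client, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return the fields we need from one log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # The timestamp has second resolution, so it doubles as the bucket key.
    return {"ip": m["ip"], "second": m["ts"], "status": int(m["status"])}


def bucket_by_second(lines):
    """Aggregate request count, distinct client addresses and 5xx count per second."""
    buckets = defaultdict(lambda: {"count": 0, "ips": set(), "errors": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole run
        b = buckets[rec["second"]]
        b["count"] += 1
        b["ips"].add(rec["ip"])
        if 500 <= rec["status"] <= 599:
            b["errors"] += 1
    return buckets


def detect(lines, baseline_rps=None, flood_factor=10, min_sources=50, error_ratio=0.3):
    """Return findings as (kind, second, value_a, value_b) tuples in time order.

    distributed_flood: requests >= baseline * flood_factor from >= min_sources addresses
                       (value_a = request count, value_b = distinct sources).
    error_state:       share of 5xx responses >= error_ratio
                       (value_a = 5xx count, value_b = request count).
    """
    buckets = bucket_by_second(lines)
    if not buckets:
        return []
    if baseline_rps is None:
        # Median is robust against the flood seconds themselves inflating the baseline.
        baseline_rps = statistics.median(b["count"] for b in buckets.values())
    findings = []
    # Zero-padded timestamps within one day sort correctly as strings.
    for second, b in sorted(buckets.items()):
        if b["count"] >= baseline_rps * flood_factor and len(b["ips"]) >= min_sources:
            findings.append(("distributed_flood", second, b["count"], len(b["ips"])))
        if b["count"] and b["errors"] / b["count"] >= error_ratio:
            findings.append(("error_state", second, b["errors"], b["count"]))
    return findings


def build_sample_log():
    """Constructed log: five quiet seconds, one flood second, one error-state second."""
    def ts(sec):
        return f"01/Mar/2023:10:00:{sec:02d} +0000"

    lines = []
    for sec in range(5):  # baseline: 3 requests/s from 3 ordinary client addresses
        for i in range(3):
            lines.append(f'203.0.113.{10 + i} - - [{ts(sec)}] "GET / HTTP/1.1" 200 512')
    for i in range(200):  # flood: 200 requests in one second from 200 distinct sources
        lines.append(f'198.51.100.{i} - - [{ts(5)}] "GET / HTTP/1.1" 200 512')
    for i in range(20):  # error state: 20 requests, 12 of them answered with 503
        status = 503 if i < 12 else 200
        lines.append(f'203.0.113.{10 + i % 3} - - [{ts(6)}] "GET /login HTTP/1.1" {status} 0')
    lines.append("not a log line at all")  # malformed input is skipped, not fatal
    return lines


if __name__ == "__main__":
    for finding in detect(build_sample_log()):
        print(finding)
```

In practice you would feed `detect` a rolling window of lines from the edge or the load balancer and raise the baseline from a longer history rather than from the window under analysis; the point of keeping the two findings separate is that a flood with no error growth is an availability problem, while a rising 5xx share during a flood is the signal that the servers may be entering the abnormal state the interview warns about.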
Author
Jan Zmítko
Cybersecurity Engineer, Trask
Contact: jzmitko@thetrask.com