Distributed Denial of Service (DDoS) attacks have grown in intensity and sophistication as more companies rely on web-based applications for their daily business operations. In the past few months, such attacks have become the weapon of choice for cyber criminals in every corner of the world because they hardly ever miss their target(s). Taking the analogy further, I would say that these insidious attacks are as precise and merciless as a DSR-50 rifle in the hands of a trained sniper.
What makes DDoS attacks a bad dream for even the most experienced IT admins is their distributed nature, as the very name suggests. Not one but a multitude of compromised systems (collectively known as a botnet, individually as bots) flood the target host with simultaneous requests; the host becomes saturated and unavailable to legitimate users.
Because of this traffic overload, the target system is practically forced to shut down. Denials of service can be either network-driven, when the flow of packets takes up excessive bandwidth and makes the host unreachable, or they can occur at an application layer, with multiple application calls launched concurrently.
Among the DDoS techniques frequently encountered today, two types are worth mentioning. The first is the volumetric 'big & dumb' type, generally considered easier to spot because it is sudden and aggressive. The second, which attackers nowadays tend to prefer, is the more programmatic 'Slowloris and headless browser' class of methods, which are stealthier and more difficult to detect because each connection or request looks much like a legitimate one. Either can wreak havoc on the targeted organization when there is no security strategy in place or when the defense systems are inefficient. In both cases, it is no easy task to distinguish an attack from legitimate traffic.
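The two attack shapes described above leave different footprints in a web server's access log: a volumetric flood shows up as a burst of requests from the same source within a short window, while a Slowloris-style attack shows up as a handful of connections that each stay open for a very long time and transfer almost nothing before the server times them out. The following is an added example, not code from the original article: a small Python detector that applies both heuristics to log lines in a constructed format (epoch seconds, client IP, quoted request line, status, bytes sent, request duration in seconds; the per-request duration field is assumed to have been enabled, as nginx's $request_time or Apache's %D allow). The thresholds and the sample addresses (RFC 5737 documentation ranges) are illustrative assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed log format (hypothetical, not from the article):
# <epoch_seconds> <client_ip> "<method> <path>" <status> <bytes_sent> <request_time_seconds>
LINE_RE = re.compile(r'^(\d+) (\S+) "([^"]*)" (\d{3}) (\d+) ([\d.]+)$')


@dataclass
class Entry:
    ts: int
    ip: str
    status: int
    nbytes: int
    rtime: float


def parse(lines):
    """Parse log lines into Entry objects; malformed lines are skipped, not fatal."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, _req, status, nbytes, rtime = m.groups()
        entries.append(Entry(int(ts), ip, int(status), int(nbytes), float(rtime)))
    return entries


def volumetric_offenders(entries, window=10, threshold=50):
    """IPs that exceed `threshold` requests inside any `window`-second bucket."""
    buckets = defaultdict(int)
    for e in entries:
        buckets[(e.ip, e.ts // window)] += 1
    return sorted({ip for (ip, _bucket), n in buckets.items() if n > threshold})


def slow_offenders(entries, min_time=30.0, max_bytes=512, min_count=3):
    """IPs with at least `min_count` requests that were held open for `min_time`
    seconds or more while transferring at most `max_bytes` (Slowloris-like)."""
    counts = defaultdict(int)
    for e in entries:
        if e.rtime >= min_time and e.nbytes <= max_bytes:
            counts[e.ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= min_count)


def build_sample_log():
    """Constructed sample: one normal client, one flooder, one slow client."""
    lines = []
    # Legitimate browsing client: a few pages, normal sizes, fast responses.
    for i in range(5):
        lines.append(f'{1000 + i * 2} 198.51.100.7 "GET /page{i}" 200 8192 0.12')
    # Flood client: 120 requests that all land in one 10-second window.
    for i in range(120):
        lines.append(f'{1000 + i % 10} 203.0.113.5 "GET /" 200 5120 0.05')
    # Slow client: few requests, each held ~60 s, nothing sent, timed out (408).
    for i in range(4):
        lines.append(f'{1000 + i * 15} 203.0.113.9 "GET /" 408 0 60.0')
    return lines


def analyse(lines):
    """Run both detectors and return the flagged IPs per category."""
    entries = parse(lines)
    return {
        "volumetric": volumetric_offenders(entries),
        "slow": slow_offenders(entries),
    }


if __name__ == "__main__":
    print(analyse(build_sample_log()))
```

The two detectors deliberately look at different things: request rate per source for the flood, and duration-to-bytes ratio for the slow variant. A rate threshold alone never catches a Slowloris client, because it sends very few requests; a duration threshold alone never catches the flood, because each of its requests completes quickly. Real deployments would also aggregate by network prefix or ASN, since a distributed flood spreads its rate across many addresses.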
The advent of cloud-based technologies has pushed attackers to diversify their methodology and refine their techniques to a point where they can put your entire business at risk if they manage to break in. That holds true for any type of threat that bypasses your firewall and security controls.
However, in the case of a distributed attack, things can go awfully wrong in a matter of hours rather than days, and remediation can get extremely painful while you struggle to trace the source of the breach. You lose revenue and SEO ranking, but most of all you lose customer confidence, and we all know how much that weighs and how challenging it is to restore.
Cloud service providers do take these threats very seriously. As an illustration, Amazon is currently notifying its customers about a recently discovered vulnerability in Elasticsearch v1.1 that, once exploited, opens access to the underlying AWS EC2 instances. Attackers use a new variant of the Backdoor.Linux.Mayday.A botnet, which they execute on the targeted instances from a remote machine.
As a cloud-facing company or as an MSP, it is generally a bad idea to assume that your hosting provider will keep your web servers bullet-proof against DDoS threats. It is like relying on your landlord to secure your personal assets within the apartment building. Sure, the cloud service provider may make recommendations in this area and point you to preferred solutions or partners that best fit your security needs. But the service provider is responsible for ensuring the necessary protection at the infrastructure level only; it is up to you to defend your own corporate assets in the best possible ways.
Identity and access management is one of those vital concepts in cloud security that should be core to nearly any IT operation. The concept has been around for many years; what changes with complex and widely distributed platforms is the need for a centralized approach. Tools like multi-factor authentication (MFA) mitigate the risk of identity theft, while practices like separation of duties allow administrators to delegate system operations based on granular access rights (such as the IAM role-based type of account in AWS).
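Separation of duties and MFA are easy to state and easy to lose in practice: a single console credential holding an "allow everything" policy is exactly the kind of account that lets an intruder wipe resources once the credential is stolen. As an added example (not code from the article or from AWS), the Python below lints IAM policy documents for two weaknesses a reviewer would want to flag, wildcard actions that collapse several duties into one grant, and destructive actions permitted without an aws:MultiFactorAuthPresent condition. The two policy documents are constructed for illustration; the set of actions treated as destructive is a hypothetical starting list, not an AWS-defined category.

```python
import json

# Constructed example policies (hypothetical; not any real account's documents).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ]
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyInstanceView",
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes"],
            "Resource": "*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
        },
        {
            "Sid": "StopStartOnlyTaggedDev",
            "Effect": "Allow",
            "Action": ["ec2:StopInstances", "ec2:StartInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "StringEquals": {"ec2:ResourceTag/Environment": "dev"}
            }
        }
    ]
})

# Hypothetical list of actions whose misuse destroys data or capacity.
DESTRUCTIVE = {
    "ec2:TerminateInstances", "ec2:DeleteSnapshot", "ec2:DeleteVolume",
    "s3:DeleteBucket", "s3:DeleteObject",
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _covers(action_pattern, action):
    """IAM-style action matching: '*' matches all, 'svc:*' matches a service."""
    if action_pattern == "*":
        return True
    if action_pattern.endswith("*"):
        return action.lower().startswith(action_pattern[:-1].lower())
    return action_pattern.lower() == action.lower()


def _requires_mfa(stmt):
    """True when the statement only applies with an MFA-authenticated session."""
    cond = stmt.get("Condition", {})
    for op in ("Bool", "BoolIfExists"):
        val = cond.get(op, {}).get("aws:MultiFactorAuthPresent")
        if str(val).lower() == "true":
            return True
    return False


def lint_policy(doc):
    """Return human-readable findings for every Allow statement in `doc`."""
    policy = json.loads(doc)
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"stmt{i}")
        actions = _as_list(stmt.get("Action", []))
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"{sid}: wildcard action {a!r} grants more than one duty")
        if _requires_mfa(stmt):
            continue
        exposed = sorted(d for d in DESTRUCTIVE if any(_covers(a, d) for a in actions))
        if exposed:
            findings.append(f"{sid}: destructive actions {exposed} allowed without MFA")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_policy(doc) or ["no findings"])
```

The hardened policy shows the separation the paragraph describes: viewing instances and stopping or starting them are separate statements, the second is restricted to instances carrying a specific tag, and both are void unless the caller authenticated with MFA. A linter like this belongs in the review step for every policy change, not only in a one-off audit.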
These countermeasures might have made the difference for Code Spaces, a code-hosting and project management service provider with seven years in the market that was forced out of business by "a well-orchestrated DDOS" attack in less than one day. What began as a typical (and presumably manageable) DDoS attack following a vulnerability on their servers soon turned into a recipe for disaster, ending 12 hours later, after an extortion attempt.
The actor behind the attack (not believed to be an employee) managed to gain unauthorized access to Code Spaces' Amazon EC2 'control panel' (which may have stored more data than the AWS management console) and attempted to extort a large sum of money from the company in exchange for ending the DDoS.
When Code Spaces tried to fight back, the intruder was already one step ahead and started to wipe out random pools of resources. By the time they finally regained control, it was already too late, as large parts of their “data, backups, machine configurations and offsite backups” were gone.
Following the unfortunate Code Spaces event, there have been a series of notable attacks that hit the headlines and raised public concern. Three of them are highlighted as follows:
Attack #1: A presumed attack on the BBC website and iPlayer rendered certain sections of the content inaccessible to BBC viewers for more than 48 hours, forcing the BBC to revert to a simplified version of the homepage. Suspicions of DDoS were raised when the "engineers noticed that there was a 'severe load' on the servers underlying the video-on-demand system."
Attack #2: An attack by a 17-year-old hacker in Norway targeted major financial institutions by exploiting a vulnerability in the WordPress "pingback" feature. What first seemed more like a teenage hoax meant to shake the cyber community soon turned into a brutal wake-up call for the victim corporations in the aftermath of the attack. It was perceived as one of the strongest hits ever seen in Norway. The attacker's alleged affiliation with the 'hacktivist' group Anonymous proved to be false; he was arrested by the police and declared that he regrets his act.
Attack #3: Successive DDoS attacks crippled the Feedly and Evernote web-based services and were closely followed by blackmail attempts to extort payment in return for ending the attack. The news aggregator Feedly was hit by two waves of attack on two consecutive days, while the note-taking service Evernote was taken down by another DDoS attack for nearly 5 hours on the day preceding the first Feedly outage.
Since Code Spaces went offline in June, the identity of the attacker remains unknown and there are as yet no new developments to clarify the case. Some have blamed Code Spaces for the failure of their "full recovery plan that has been proven to work and is, in fact, practiced", which is how they positioned themselves on what used to be their website.
Until we find out what really happened on that nefarious day and what measures were taken to prevent such an attack, one thing is certain: information security (in all its forms) is key to running any business in the public cloud. It is not to be overlooked or under-budgeted, and when coupled with a strong recovery plan it can make the difference between a temporary and a permanent interruption of service.