For more than a decade, attackers have used distributed denial-of-service (DDoS) attacks to disrupt their victims' operations, often taking organizations completely offline. The motivations behind these attacks include notoriety, competitive advantage, cyberwarfare, terrorism, hacktivism and/or extortion. Bandwidth- or resource-saturating DDoS attacks are effective, but today they are not the most common type of DDoS attack. Researchers are beginning to see a new motivation for the attacks they observe.

Today's DDoS attacks represent a much greater threat than the risk of an outage. Information breaches and the planting of malware are being hidden by a new attack vector called Dark DDoS. In order to effectively hide their tracks, attackers attempt to overwhelm security and logging tiers with smaller, repetitive DDoS attacks. The smaller attacks consume considerable time, attention, resources and log storage without filling the pipes. While everyone is focused on the DDoS incident, attackers are performing more insidious actions to breach and remain persistent in a network.

Attackers understand the kill chain in an organization. If an attacker who has compromised an internal system is detected, the security team (or another automated measure) invokes a kill chain mechanism. This mechanism kills the attacker's remote access by shutting down the system or terminating the attacker's back door. If an attacker can maintain that access undetected, it allows them to move laterally, planting malware on systems they can access within a network, which often leads to a data breach or even fraud.

Many organizations have begun to deploy advanced threat detection technologies. These technologies use sandboxes that execute malware and other payloads they discover in the hopes of identifying the malware's intentions. Using network taps or span ports, collectors capture copies of traffic streams from various locations in the network, then forward the traffic to a sandbox for analysis. If an attacker finds a way to overwhelm a sandbox by flooding it with nothing more than malware samples, the sandbox may become inoperable or begin to ignore new traffic samples, possibly causing a sandbox denial of service.

Once an attacker has uninterrupted access to internal systems, using those systems to commit fraud is an easy hurdle to overcome. Attackers often install key logging malware on compromised systems to record a legitimate user's keystrokes. This type of malware forwards the keystrokes of anyone using the system to the attacker. Once an attacker has recorded a username/password combination that has an elevated privilege, they can mimic legitimate users, potentially causing a great deal of damage. All of this activity may be hidden during a DDoS attack.

What many fail to realize is that attackers understand security. Most of them are experts at firewalls, IPS, sandboxes, anti-virus software and other attack detection technologies. They also understand how to use these systems to their advantage. For example, most firewalls, IPS and load balancers have some sort of rudimentary DDoS detection in them. When attacked with a simple SYN flood, most of these technologies will create huge volumes of security (syslog) events. However, most of these devices are completely ineffective at blocking DDoS attacks and end up causing nothing more than an excess of event messages. Attackers understand that a low-volume SYN flood can create vast amounts of syslog events, and use this to flood logging tools in the hopes of hiding their other activity from security teams.
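
One defensive counter to the log-flooding tactic described above is to collapse repetitive flood events at the logging tier so that the few unrelated events occurring during the flood stay visible. The following is an added example, not code from the article or from NSFOCUS; the syslog format, the "SYN_FLOOD drop" message text, the threshold and all addresses are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the article): a low-volume SYN flood
# makes the firewall emit the same drop event a thousand times, while two
# unrelated events (an admin login and a new outbound connection) sit in between.
FLOOD_LINE = "Jan 10 10:00:0{s} fw1 kernel: SYN_FLOOD drop src=203.0.113.5 dst=192.0.2.10 dpt=443"
SAMPLE_LOG = (
    [FLOOD_LINE.format(s=i % 10) for i in range(500)]
    + ["Jan 10 10:00:03 fw1 sshd: Accepted password for admin from 198.51.100.7"]
    + [FLOOD_LINE.format(s=4) for _ in range(500)]
    + ["Jan 10 10:00:05 fw1 kernel: OUTBOUND new conn src=192.0.2.20 dst=198.51.100.9 dpt=4444"]
)

# Assumed BSD-style syslog layout: "<timestamp> <host> <program>: <message>".
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")


def signature(msg: str) -> str:
    """Reduce a message to its template by masking IPv4 addresses and numbers,
    so every instance of the same repetitive flood event shares one key."""
    return re.sub(r"\d+(\.\d+){3}|\d+", "#", msg)


def triage(lines, flood_threshold=100):
    """Split log lines into flood signatures (with counts) and residual events.

    Assumption: any message template seen at least flood_threshold times is
    treated as DDoS noise and summarised to a single count; everything else is
    returned verbatim for analyst review, so it cannot drown in the flood.
    """
    parsed = []
    counts = Counter()
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as syslog
        sig = signature(m["msg"])
        counts[sig] += 1
        parsed.append((sig, line))
    floods = {sig: n for sig, n in counts.items() if n >= flood_threshold}
    residual = [line for sig, line in parsed if sig not in floods]
    return floods, residual


if __name__ == "__main__":
    floods, residual = triage(SAMPLE_LOG)
    for sig, n in floods.items():
        print(f"[flood x{n}] {sig}")
    for line in residual:
        print(f"[review] {line}")
```

Run against the constructed sample, the thousand drop events collapse to one summary line and the login and outbound-connection events are the only lines left for review.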

Another dark side of DDoS that is growing in popularity is called DDoS for Ransom. This should not be confused with ransomware that encrypts hard drives and file systems, then prompts the victim to pay for a key to decrypt the data. Instead, DDoS for Ransom always begins with a threat of a pending DDoS attack, most often delivered via email. In this case, a victim receives an email warning of a pending DDoS attack. The email instructs the victim to kindly deposit a number of bitcoins into an online account. If an organization pays, word has it that it will never be extorted by the same group again.

Nearly every organization is looking for a way to deploy the most effective DDoS defenses while at the same time reducing the operational expenses associated with these attacks. Today's DDoS attacks are easy to defeat with the proper defenses in place.

Most DDoS subject matter experts recommend a hybrid approach to defeating DDoS. This approach includes on-premises DDoS defenses working in unison with cloud-based defenses. The hybrid approach is the only way to completely protect an organization from the threats being hidden by DDoS attacks. Once the hybrid solution is deployed, organizations can rest assured that their logging tiers will be protected from a DDoS attack and ignore the threats of DDoS for Ransom from extortionists.

Stephen Gates is chief research analyst and principal engineer at NSFOCUS International Business. He can be reached at 408-907-6638 or [email protected].
