iGB’s new technology columnist, Vigne Kozacek of IT and telecommunications specialist Innovation Squad, provides in-depth analysis of key technology issues, starting with Distributed Denial of Service (DDoS) attack.
Distributed Denial of Service (DDoS) is an ever-increasing threat to most businesses with an online presence and let’s face it, that is especially true in the gambling industry.
The dreaded DDoS strikes fear into boards at every company with an online presence. This article provides a high-level overview of the primary components of a DDoS attack, the objective being to provide the C-suite with a basic understanding of one the most common types of internet-borne attacks, which is estimated to cost UK businesses in excess of £1bn per annum.
What is a botnet?
In order to understand what a DDoS attack is and how it is accomplished, we first need to understand the primary tool used to conduct the attacks: the 'botnet’. So, what is it?
A botnet is a network of compromised computers and, in recent, years internet-connected smart devices (also known as IoT devices, which include anything from smart watches to digital video recorders and many other devices in between). More often than not, IoT devices are created with functionality in mind and not necessarily security, the result being that they are inherently insecure.
Computers are typically compromised through emails, websites and social media. When an unsuspecting computer user clicks on a link or visits a compromised website, some software (malware) is installed on the user’s computer. Once the malware is successfully installed it will maintain regular contact with a ’command and control’ device on the internet, where it will receive instructions on which websites to attack, how to attack them and when.
In addition, malware usually contains additional ‘functionality’, as seen in the Mirai botnet in 2016. In this case the malware had an IoT propagation-based objective which was to scan the internet for recognised IoT devices and install itself onto the discovered devices, further expanding the number of devices under the botnet’s control. A typical botnet can contain any number of devices from tens to tens of thousands.
An attack can be intensified by instructing a greater number of devices on the botnet to attack a website at the same time. However, as you will see from the information below, a disruptive attack does not always require thousands of machines and is dependent on the type of attack being conducted.
It is worth highlighting at this point that a recent study conducted earlier this year by security company Neustar showed that a botnet can be hired for less than US$20 per day.
What is a DDoS attack?
A Distributed Denial of Service attack is the transmission of apparently legitimate messages to public facing web servers. The goal being to flood the internet connection or overwhelm the various devices used to deliver a company’s internet-facing services (i.e. routers, firewalls, web servers) to the point where they are no longer able to serve the website and/or its services to genuine customers.
Typically, when people think of DDoS attacks, they think of volumetric attacks which flood the internet connection to the point of saturation leaving little to no room for legitimate customers to access your online services. However, there are four primary types of attack which may be used individually or in varying combinations:
This floods the internet connection to the point of saturation, preventing new communications from legitimate customers. Like trying to drink water from a fire hose.
Devices such as load balancers, firewalls and application servers are designed to maintain the connection between the server and the customer’s device. While these devices can potentially maintain millions of connections, it is possible for them to be flooded with connection requests to the point where they can no longer maintain any more requests. This then prevents legitimate customer connections getting through.
Typically, internet traffic is sent in bite-sized chunks. These chunks are collected and placed in the correct order and then reassembled for onward forwarding by devices in the company’s web infrastructure (typically an internet router, which is used to direct internet traffic from a source on the internet to the correct destination –firewall, load balancer or server – and back to the original source). This type of attack involves removing some of the chunks, which prevents them from being correctly sequenced and reassembled. When a device receives too many of these unorganised chunks it eventually overwhelms the device, affecting its performance and thus preventing it from accepting or processing any more chunks.
Used to take advantage of specific aspects of internet-facing applications as opposed to hardware devices which are used to run your website or service. This type of attack can effectively prevent a website from servicing requests to legitimate customers and does not require a large number of machines to achieve that.
In the next article, I will share some tips on how best to prepare your company infrastructure for the inevitable DDoS attack. It will help to reduce the impact of an attack and reduce the overall cost of mitigation.
Vigne Kozacek has more than 25 years’ experience of managing information technology operations and business activities, predominantly in the gaming industry. With a career base including Camelot, Boylesports and William Hill, he has successfully delivered and managed positive change programmes including merger support and solution acquisitions.