Hackers Using DDoS to Distract Infosec Staff

Hackers are increasingly using DDoS attacks as a kind of 'smokescreen' that helps them carry out data breaches.

Your organization is more likely to come under a distributed denial of service (DDoS) attack than ever before, according to a new report. But if you end up on the receiving end of a DDoS attack, that may be the least of your worries.

That's because hackers are using DDoS attacks as decoys to occupy security staff while they attack their networks and steal data, according to Susan Warner, a DDoS product specialist at cloud-based DDoS mitigation service provider Neustar.

Presenting the findings of her organization's latest DDoS Attacks and Impact Report at the recent InfoSecurity Europe 2014 conference, she said, "These attacks are increasingly being used as a smokescreen. If a company is caught flat-footed by the DDoS attack, IT staff are tied up in the moment of crisis. That is an ideal opportunity for hackers to attack."

DDoS attacks are typically thought to be carried out for one of four reasons: for fun - by mischievous hackers or script-kiddies; for revenge - perhaps by a disgruntled ex-employee; to try to make some political or social point; or to try to extort money from victims in exchange for ceasing the attack.

But, said Warner, if you are a criminal then why bother getting involved in extortion if you can use the DDoS attack as a smokescreen while you go in and steal IP and other valuable data?

DDoS Link to Data Breaches

It turns out that 55 percent of all DDoS targets in the report were also victims of security breaches where attackers stole funds, customer data or intellectual property. In just under half of cases, the victims had viruses or other malware installed or activated on their systems during the DDoS attack.

It's usually not possible to prove that the perpetrators of the DDoS attack were also those responsible for the network infiltrations, but it seems likely that the two would be connected. It's possible, of course, that once a company comes under a DDoS attack other hackers take advantage of this to attack as well. This is less likely, though, given that just over three quarters of all attacks last less than a day.

That gives little time for opportunist "third party" hackers to carry out reconnaissance and successfully breach perimeter defenses -- especially as the victim is under a DDoS attack, making it hard, by definition, for these hackers to reach the victim's network in the first place. (The perpetrators of the DDoS attack can launch hack attacks during lulls, which they can time as they please.)

So if your company comes under a DDoS attack - and about 60 percent of companies do come under attack every year according to the report - is there any way of telling if the attack is a smokescreen for other hacker activities?

Warner recommends watching for two warning signs:

Shorter, more intense DDoS attacks: criminals who use DDoS as a smokescreen don't need to disrupt your business for a long time. But they do need to make the attack intense enough to try to make your IT staff drop everything and concentrate on mitigating it.

Lack of extortion or political demands: If there's no ransom demand or call for some action to satisfy a socio-political cause, that might indicate that the perpetrators are using the DDoS attack as a smokescreen. But they could also issue demands as a further smokescreen, so don't fall into the trap of believing that just because they have issued demands they are not also working away behind the scenes to breach your network.

When it comes to defending against DDoS attacks, the fact that some may be smokescreens for other type of attacks has important security implications.

Human Resources

The most important of these is not to let your IT staff become focused on mitigation to the extent that they take their eye off the ball when it comes to the rest of your corporate security, warned Warner. "You need someone (or a team) to deal with the DDoS attack, and someone else (or another team) worries about everything else."

It's also important not to underestimate how many people may be required to mitigate a DDoS attack. The number of attacks that required more than 10 people in an organization to "put out the fire" more than doubled between 2012 and 2013, according to the Neustar research.

DDoS Now Shorter, More Intense

One particularly interesting finding of the report is that DDoS attacks appear to be getting shorter in duration. In 2012 63 percent lasted less than a day, whereas last year that number was 77 percent. And while 13 percent lasted more than a week in 2012, that number fell to less than 3 percent in 2013. That's another clue that smokescreen attacks are on the increase.

Another interesting tidbit: In 2013 the number of DDoS attacks that involved a bandwidth of between 1Gbps and 5Gpbs almost trebled, although the vast majority were less than 1Gbps. Attacks that use DNS responses to amplify traffic volumes are making it easier than ever for small-time hackers to launch very large bandwidth attacks.

DDoS Mitigation Tips

The best way to cope with a DDoS attack is to be prepared for one before it happens. Here are four important preparations:

• Nominate a DDoS leader in your company who is responsible for acting should it come under attack
• Ensure you understand your typical inbound traffic profile so you can recognize when you are coming under attack as soon as possible
• Have emergency contacts for your ISP or hosting provider in hand
• Put a DDoS plan in place with your ISP or host, so that it can begin mitigation or divert your traffic to a mitigation specialist with a minimum delay