Is someone planning to shut down the internet?
Pattern of attacks suggests unknown actors are testing key parts of the internet’s infrastructure - what does this mean for your business?
A security researcher has flagged an ongoing series of probing attacks on major internet infrastructure companies which may be designed to take down large sections of the public internet.
Bruce Schneier has been studying a series of DDoS attacks which he believes could be the work of a foreign cyber organisation conducting military reconnaissance. The attacks themselves are large, sophisticated, and specifically tailored to test the capabilities of the organisations in question.
As Schneier said in a blog post: “One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure. The attacks are also configured in such a way as to see what the company's total defenses are. The more attack vectors you employ simultaneously, the more different defenses the defender has to counter with. These companies are seeing more attacks using three or four different vectors. They're forced to demonstrate their defense capabilities for the attacker.”
Although Schneier said he was unable to share details of the enterprises under attack due to confidentiality clauses, his research is borne out by a Verisign report into DDoS attacks in Q2 2016, which found trends towards increased sophistication and very large volume attacks. The number of reported DDoS attacks has increased 75 per cent year on year, and their volume now peaks at 256 Gigabits per second (Gbps), an increase of 214 per cent compared to the same period in 2015, with 32 per cent of attacks hitting more than 10 Gbps. However, while 56 per cent of attacks were relatively basic UDP flood efforts, a whopping 64 per cent employed more than one attack type to stretch and test defenders.
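The week-on-week ramp Schneier describes, combined with the multi-vector trend Verisign reports, is something a defender can look for in their own mitigation records. The sketch below is an added example, not code from Schneier or Verisign: it flags runs of attacks where each one starts near the level at which the previous one stopped and then climbs higher. The record fields, the 15 per cent tolerance and the sample data are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Attack:                 # hypothetical per-attack summary from mitigation logs
    week: int                 # ordering key
    start_gbps: float         # traffic level when the attack began
    peak_gbps: float          # level reached when it stopped
    vectors: frozenset        # attack types seen simultaneously

def continues(prev, cur, tol=0.15):
    """True if cur starts roughly where prev stopped and then ramps higher."""
    near_prev_peak = abs(cur.start_gbps - prev.peak_gbps) <= tol * prev.peak_gbps
    return near_prev_peak and cur.peak_gbps > prev.peak_gbps

def find_probing_runs(attacks, min_len=3, tol=0.15):
    """Return runs of >= min_len consecutive attacks that form a staircase."""
    runs, run = [], []
    for a in sorted(attacks, key=lambda a: a.week):
        if run and continues(run[-1], a, tol):
            run.append(a)
            continue
        if len(run) >= min_len:
            runs.append(run)
        run = [a]             # start a new candidate run at this attack
    if len(run) >= min_len:
        runs.append(run)
    return runs

def summarize(run):
    """Condense a run into what an analyst needs to triage it."""
    return {
        "weeks": [a.week for a in run],
        "floor_gbps": run[0].start_gbps,
        "ceiling_gbps": run[-1].peak_gbps,
        "vectors_exercised": sorted(set().union(*(a.vectors for a in run))),
        "multi_vector_attacks": sum(1 for a in run if len(a.vectors) >= 3),
    }

# Constructed sample data: weeks 1-4 form a staircase, weeks 5-6 are unrelated.
U, S, D, H = "udp_flood", "syn_flood", "dns_amplification", "http_flood"
SAMPLE = [
    Attack(1, 10, 40, frozenset({U})),
    Attack(2, 38, 80, frozenset({U, S, D})),
    Attack(3, 82, 130, frozenset({U, S, H})),
    Attack(4, 125, 190, frozenset({U, S, D, H})),
    Attack(5, 20, 35, frozenset({U})),
    Attack(6, 15, 30, frozenset({S})),
]

if __name__ == "__main__":
    for run in find_probing_runs(SAMPLE):
        print(summarize(run))
```

A flagged run is a prompt for review rather than proof of intent: the ceiling tells you how much capacity has already been demonstrated to whoever is on the other end.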
Verisign identifies a ‘growing trend’ of what it calls ‘Layer 7’ attacks designed to probe for vulnerabilities in application code. These attacks often utilize SQL injection, a code injection technique, to attack data-driven applications by inserting nefarious SQL statements into the request entry fields for execution. These low-volume, sophisticated attacks are much harder to defend against, as it’s much more complex to filter them from normal internet traffic.
Verisign concluded: “As organizations develop their DDoS protection strategies, many may focus solely on solutions that can handle large network layer attacks. However, they should also consider whether the solution can detect and mitigate Layer 7 attacks, which require less bandwidth and fewer packets to achieve the same goal of bringing down a site.”
Of course, targeting the weakest link of an organisation isn’t exactly a new idea, and neither is targeting the application layer, a common source of critical vulnerabilities. Research from High-Tech Bridge earlier in 2016 found an astonishing 60 per cent of web services or APIs designed for mobile applications contain at least one high-risk vulnerability allowing database compromise. Interestingly, the same research found that if a website is vulnerable to XSS, in 35 per cent of cases, it is also vulnerable to more critical vulnerabilities, such as SQL injection, XXE or improper access control. Finally, the researchers found that 79.9 per cent of web servers have incorrect, missing, or insecure HTTP headers putting web applications and their users at risk of being compromised.
Schneier is downbeat about the wider nation-state attacks: “What can we do about this? Nothing, really. We don't know where the attacks come from...” The takeaway for businesses, however, is a little more positive. Testing for basic flaws in your enterprise infrastructure isn’t particularly costly or difficult to do (there are even free tools available), and not being one of the 79 per cent will put you at a significant advantage. As Schneier concludes: “This is happening. And people should know.”