Understanding the DDoS malware threat


Distributed denial of service (DDoS) attacks have become notorious in recent years, as they are one of the most commonly used approaches to bringing down the web servers of high-profile targets such as banks and credit card companies. The attacks, which generally flood targets with so much traffic they cannot handle legitimate requests, are increasingly the product of malware, and, while they are most well known for taking down major websites, represent a threat to a range of organizations.


The potential danger of a DDoS threat was recently brought to light in an attack on Swedish spam protection agency Spamhaus, which involved as much as 300Gbps of traffic. While initial reports that the attacks slowed down entire sections of the internet appear to have been overstated, the incident is the largest on record, coming in at around three times the size of the previous largest attack, according to an Arbor Networks blog post. The attack leveraged open DNS servers, which accept and answer recursive queries from any source rather than only from their own networks, to flood Spamhaus with far more traffic than a traditional botnet could produce.


“The Spamhaus attacks have attracted some long-overdue attention to the problem,” Computerworld senior editor Jaikumar Vijayan wrote in a recent column. “Several security experts are hoping that this will finally get more ISPs and DNS server operators to configure their systems more securely to prevent them from being co-opted into similar attacks in the future. It would be a pity if … over-enthusiasm in talking about the story diverts attention from the bigger security issue at stake.”


What are the bigger issues?

As Arbor Networks noted in a recently released white paper, attackers are diversifying their techniques. While “flood” attacks such as the Spamhaus incident are still common, cybercriminals are also using new approaches such as application-layer attacks that are designed to evade security devices and phishing to install malware. Even as security experts work to lock down open DNS servers, hackers are moving on to using malware that conscripts machines in compromised networks to serve as botnets for DDoS attacks.


Malware dedicated to this purpose is both prolific and cheap to obtain, but the consequences can be financially substantial. A recent study found that organizations often spend as much as $6,500 per hour to recover from DDoS attacks and $3,000 a day to recover from malware infections. These costs do not include revenue losses due to system downtime.


Detecting DDoS malware is relatively easy when it first infiltrates a network, given the right tools, but catching this malware once it has bypassed security controls and hidden itself in system memory can be much more difficult, Arbor Networks noted. Organizations should look to adopt tools that will help them avoid letting their networks become part of a botnet. Additionally, they should ensure their DNS servers are configured so that they cannot be co-opted into an attack. At the same time, they should put in place solutions that can help protect them should they become the target of a DDoS attack. Working with a managed IT services provider, companies can develop a custom security solution that protects their network and systems from internal and external threats.
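One practical check behind the advice above is to audit a DNS server's own query log for signs that it is answering recursive queries for clients outside the networks it is meant to serve, which is what makes it usable as an amplifier. The script below is an added example for this article and is not code from Arbor Networks, Spamhaus or any product mentioned here. It assumes a simplified BIND-style query log line (client address, queried name, record type and a leading `+` or `-` flag for whether recursion was requested), an internal address range of 10.0.0.0/8 and 192.168.0.0/16, and a handful of constructed log lines; all of these are assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter

# Networks the resolver is supposed to serve recursively (assumed for this example).
ALLOWED_RECURSION = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Simplified BIND-style query log line (constructed format for this example):
#   client <ip>#<port> (<name>): query: <name> IN <type> <flags>
# In this simplified format the flags start with '+' when the client asked for
# recursion and '-' when it did not.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<qname>[^)]+)\): query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>[+-]\S*)"
)

# Constructed sample log: two ordinary internal lookups, then a burst of
# recursive ANY queries from addresses outside the internal ranges.
SAMPLE_LOG = """\
client 10.0.1.25#51234 (example.org): query: example.org IN A +E
client 192.168.4.9#40022 (example.org): query: example.org IN AAAA +E
client 203.0.113.7#53 (isc.org): query: isc.org IN ANY +E
client 203.0.113.7#53 (isc.org): query: isc.org IN ANY +E
client 203.0.113.7#53 (isc.org): query: isc.org IN ANY +E
client 198.51.100.3#53 (ripe.net): query: ripe.net IN ANY +E
client 198.51.100.9#44011 (example.net): query: example.net IN MX -E
"""


def parse_query(line):
    """Parse one log line into a dict, or return None if it is not a query line."""
    match = QUERY_RE.search(line)
    if not match:
        return None
    entry = match.groupdict()
    entry["recursion_desired"] = entry["flags"].startswith("+")
    return entry


def is_internal(ip_text):
    """True if the client address falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in ALLOWED_RECURSION)


def audit_open_resolver(log_text, any_threshold=3):
    """Flag recursive queries from external clients and count ANY queries per client.

    Returns a dict with:
      external_recursive: list of (ip, name, qtype) for recursive queries from
                          outside ALLOWED_RECURSION (the resolver should refuse these)
      any_counts:         Counter of ANY-type queries per external client
      suspect_clients:    external clients at or above any_threshold ANY queries
    """
    external_recursive = []
    any_counts = Counter()
    for line in log_text.splitlines():
        entry = parse_query(line)
        if entry is None or not entry["recursion_desired"]:
            continue
        if is_internal(entry["ip"]):
            continue
        external_recursive.append((entry["ip"], entry["name"], entry["qtype"]))
        if entry["qtype"] == "ANY":
            any_counts[entry["ip"]] += 1
    suspects = sorted(ip for ip, n in any_counts.items() if n >= any_threshold)
    return {
        "external_recursive": external_recursive,
        "any_counts": any_counts,
        "suspect_clients": suspects,
    }


if __name__ == "__main__":
    report = audit_open_resolver(SAMPLE_LOG)
    print(f"external recursive queries: {len(report['external_recursive'])}")
    for ip, n in report["any_counts"].items():
        print(f"  {ip}: {n} ANY queries")
    print(f"clients at threshold: {report['suspect_clients']}")
```

Any non-empty `external_recursive` list means the server is currently acting as an open resolver for the wider internet and its recursion should be restricted to the internal ranges; the `suspect_clients` list shows which outside addresses are already driving high-amplification ANY queries through it, which is the traffic pattern to hand to whoever operates the server.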