In March the GitHub software development platform suffered a sustained distributed denial of service (DDoS) attack, flooding the site with high levels of traffic.
DDoS attacks are often seen as nuisances, and in this case GitHub weathered it. But increasingly these attacks are a smokescreen for more malevolent activity, including blackmail and the insertion of malware.
But they can be stopped with a little effort by infosec pros, the SC Congress conference in Toronto was told Thursday.
“People are not doing proper Web site hygiene,” Dave Lewis, global security advocate at cloud services provider Akamai Technologies, said. “This is a solvable problem.”
He ran through a list of vulnerabilities that aid DDoS and SQL injection attacks — which sometimes accompany denial of service attacks — that he believes could easily be plugged by patching server and application software.
Amplification attacks, for example, often rely on exploiting older NTP (Network Time Protocol) code. “This is a solvable problem,” Lewis said. “If people had been taking the time to ensure their NTP daemons were patched and up to date, this wouldn’t exist. It’s rather frustrating.”
As for SQL injection, “if you’re not sanitizing your inputs (what people type into Web site text fields) and sanitizing your outputs you run the very real risk of people running havoc on your systems.”
In the first quarter of this year alone Akamai saw over 52 million SQL injection attacks on its network, he noted.
According to the company’s quarterly State of the Internet report, during the fourth quarter of 2014 Akamai customers reported being targeted by 327 DDoS attacks, 57 more than in the previous quarter.
By one estimate last year, DDoS attacks cost targets about US$40,000 for every hour they were offline.
In an interview Lewis said CISOs have to “get back to the basics and look at the stuff that we have typically gotten away from paying attention to.
“We have a bad habit of worrying about attribution (to DDoS attacks), a bad habit of worrying about what is the new zero day. We have to focus on what’s the hundred-day vulnerability. We have to focus on systems that are not patched. We have to look at what are your systems telling you, looking at the log files and understanding what is going in and out of your network. These are the real problems.”
While news reports — based on vendor press releases — often highlight suspicions of who is behind a DDoS attack, Lewis said the most prevalent authors are “bored kids. They have a lot of free time, access to the Internet and, like most kids, tend to be raised on technology.”
They’ve discovered tools set up by hacktivists or criminals, some of whom use crowdsourcing to get people to build DDoS suites or software-as-a-service platforms. There they offer DDoS capabilities for under $100 a month.
“For less than a coffee a day you can cause somebody no end of grief,” Lewis said.