Nov 17, 2011

Happy Holidays: 5 Ways to Use DoS Testing to Thwart Cyber Extortion

by Pam O'Neal

In the dramatically titled Fatal System Error, Joseph Menn tells the story of a young hacker who, in 2004, helped protect American online-betting businesses from a gang of Russian hacker-extortionists. The essence of their threats: “pay up or we’ll hit your servers with a Denial of Service (DoS) attack rendering your online gambling site unusable.” Attackers would fire a warning shot, launching a sample attack prior to a holiday or major event, and then demand a payment to ensure it wouldn’t happen again.

It didn’t take long before the businesses succumbed and paid the price to continue operating. Clearly the threats made for a very successful, albeit illegal, business model for organized criminals. By 2005, extortion via threatened DoS attack was widely recognized and “on the rise” according to Computerworld. AT&T’s cyber security chief, Ed Amoroso, concurred, saying, “Extortion is happening enough that it doesn’t even raise an eyebrow anymore.”

The Cost of Cyber Extortion

Six years later, online businesses still fear these threats, with little confidence in the DoS mitigation and security measures put in place to protect them. This is especially true for Internet retailers, the latest victims of hacker-extortionists. Internet retailers have a small window to “get it right” when it comes to hardening their resiliency to DoS or DDoS attacks. And the post-Thanksgiving Cyber Monday is part of that small window.

Internet Retailer, a source for all things e-commerce, posted a very thorough piece on the threat. The article details an attack last month where the attacker demanded $3,500 per day to stop flooding the victim’s site. Additionally, the article reveals how Akamai, a content delivery network that this year launched a service aimed at absorbing Denial of Service attacks, had five of its large online retailer clients attacked around Thanksgiving 2010.

5 Ways to Thwart DoS Extortion This Holiday Season

As we approach the holiday season once again, we know attackers will choose these crucial shopping periods to launch assaults. This year, with consumer spending down and new DoS mitigation tools at their disposal, it's time to fight back. And BreakingPoint is playing the role of Santa, giving you new gifts to test your defenses against a wide range of sophisticated application layer and brute-force attacks. Check out this list of five DoS testing goodies:

#1 - Attack the Victim

Going on the attack is the only way to know if mitigation measures will actually work when needed. While BreakingPoint products can be used to emulate just about any type of DoS attack for this purpose, we recently added more than 30 canned DoS and DDoS attacks to our portfolio of 30,000 live security and malware attacks. This allows you to set up and attack yourself with sophisticated Denial of Service attacks with just a few clicks. Alternatively, BreakingPoint professional services will launch these attacks from our own location targeting your network to ensure you can withstand everything cyber criminals throw at you.

#2 - Combine Application Load and Attacks

DoS and especially DDoS testing engagements best demonstrate the unique value delivered by BreakingPoint products because they require massive load containing application and, at times, security traffic. Using BreakingPoint’s Application Simulator, it takes just a few clicks to generate massive amounts of real application traffic with any number of combinations from a library of over 150 unique protocols. This is important when it comes to simulating the increasingly dangerous application-layer DDoS attacks such as Slowloris and Rudy.

#3 - Test with Application-Layer Attacks First

Application-layer attacks can affect many different applications with the goal of exhausting the resource limits of Web servers. Often, they target a specific Web application by making requests that tie up resources deep inside the network. Application-layer attacks are also more efficient than TCP- or UDP-based attacks, requiring fewer network connections to inflict damage. They are also harder to detect because they don’t involve a large blast of traffic; they look just like normal network traffic.
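The detection problem described above, as an added example that is not part of the original post or of any BreakingPoint product: a connection-count alarm stays quiet while a per-connection check (incomplete request, long-lived, very low byte rate) singles out the slow clients. The record fields, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Conn:
    src: str                 # client address
    open_seconds: float      # how long the connection has been open
    bytes_in: int            # request bytes received so far
    request_complete: bool   # True once full headers and body have arrived

# Assumed thresholds; tune against traffic measured in your own test bed.
GRACE_SECONDS = 10.0     # do not judge connections younger than this
MIN_BYTES_PER_SEC = 50.0 # below this an unfinished request counts as "slow"
SLOW_PER_SOURCE = 3      # slow connections from one source before flagging it

def volume_alert(conns, max_conns=1000):
    """Naive volumetric check: fires only on a large number of connections."""
    return len(conns) > max_conns

def slow_connections(conns):
    """Unfinished requests that have been open a long time at a trickle rate."""
    return [
        c for c in conns
        if not c.request_complete
        and c.open_seconds > GRACE_SECONDS
        and c.bytes_in / c.open_seconds < MIN_BYTES_PER_SEC
    ]

def suspicious_sources(conns):
    """Sources holding several slow connections at once (one alone may be a bad link)."""
    counts = Counter(c.src for c in slow_connections(conns))
    return sorted(src for src, n in counts.items() if n >= SLOW_PER_SOURCE)

# Constructed sample: normal clients, one healthy large upload,
# one source trickling four requests, and one genuinely slow client.
SAMPLE = (
    [Conn("198.51.100.7", 0.4, 512, True),
     Conn("198.51.100.8", 1.2, 830, True),
     Conn("198.51.100.9", 35.0, 90_000, False)]
    + [Conn("203.0.113.9", 120.0 + i, 300 + 10 * i, False) for i in range(4)]
    + [Conn("203.0.113.50", 40.0, 900, False)]
)

if __name__ == "__main__":
    print("volume alert:", volume_alert(SAMPLE))
    print("slow connections:", len(slow_connections(SAMPLE)))
    print("suspicious sources:", suspicious_sources(SAMPLE))
```

When testing a mitigation device, the same per-connection measurements taken on the protected server show whether slow requests are being dropped before they tie up worker slots.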

#4 - Use Security Testing to Execute Advanced Attacks

BreakingPoint’s Security component also allows you to create very specific attack sequences that are typically executed at lower rates but require a much higher degree of detail from a reporting perspective. As always, it is best to use a combination of BreakingPoint’s Application Simulator and Security components to avoid the serious shortcomings of PCAP replay testing.

 

#5 - Test Using a Wide Range of Attacks

BreakingPoint's Application and Threat Intelligence research team delivers new applications and attacks frequently to keep your test bed current. The team also provides pre-configured Denial of Service attacks to evaluate your defenses against the latest known techniques. Some of the most recent additions to the product include application-layer, VoIP and brute force attacks such as:

1. TCP Segmentation Flood
2. HTTP Fragmentation Attack
3. SlowLoris Attack
4. SlowPost Attack
5. SSL Renegotiation Attack
6. Random Recursive GET
7. UDP Flood
8. DNS Flood
9. VoIP Flood
10. IP Fragment Attack
11. IPv6 NDP Exhaustion
12. IPv6 Extension Header Fragmentation Attacks

 

While following these tips will not ensure a bulletproof defense against attack, it will help you harden overall defenses and provide essential insight for preparation, planning, and selecting the right DoS mitigation provider.


Related Resources:

Service: DoS Testing Service

How-To Guide: DDoS Attack Simulation

Blog Posts and More: DoS Testing Resources
