Sophisticated DDoS Botnets Bypass Defenses

By Phil Annibale, Manager, Cyber Intelligence Division

In their quest to maximize downtime and damage, cyber criminals and hacktivists are using increasingly sophisticated Distributed Denial-of-Service (DDoS) attack methods to detect and circumvent enterprise defenses. Widely accessible DIY malware kits, such as Dirt Jumper, sell for as little as $150 in the black market and can be used to customize botnets capable of carrying out such sophisticated DDoS attacks. As the total number of DDoS attacks continues to increase, the evolution of DDoS botnet capabilities to bypass DDoS mitigation methods will likely fuel the already growing fire of DDoS attacks upon enterprises.

Traditional DDoS attack methods usually rely on a sudden surge of traffic to a targeted server, rendering it incapable of responding to legitimate traffic or operating so slowly it is ineffective. However, cyber criminals are now transitioning to a more methodical approach by using “smart” DDoS botnets to identify and bypass a target’s DDoS defenses. This approach helps cybercriminals and hacktivists avoid detection and increase the success rate of targeted attacks.

Advanced DDoS botnets are able to detect and circumvent enterprises’ DDoS defenses in multiple ways. Cybercriminals code the bots with “instructions” to enable the bots to identify, and trick, anti-DDoS cookies, redirection methods, and meta tags used for redirecting malicious IP traffic. Doing so allows the bot to avoid detection and reach the final destination to deploy its malicious payload. The attack looks for a “Set-Cookie” or a “Location” header and will parse out either the cookie value or new URL location and use those values in the next packet it sends. It may also look for a meta equiv refreshtag, location= or document.location.href inside of the response from the server, as reported by Arbor Networks’ ASERT team.

According to estimates by Forrester, a 24-hour outage due to a DDoS attack can result in a loss of around $27 million, or $2.1 million for a four-hour website outage, and financial services firms lost some $17 million per DDoS attack in year 2012. Transitioning from traditional DDoS attack methods to the use of sophisticated DDoS botnets requires enterprises to revise their defense strategies and make better use of threat intelligence to reduce their susceptibility to such attacks.