The Internet of Zombies

Since Dawn of the Dead was first released in 1978, the possibility of a viral outbreak that will turn us all into night crawling, flesh-eating zombies has become a worry for many and a very prolific Hollywood theme.

While it’s unlikely this will ever happen, industry has recently started facing an epidemic across IT systems that companies should be aware of.

The internet of zombies won’t result in the end of civilisation, but it does put your company’s confidential information at risk. Cyber security solutions provider Radware coined the term ‘internet of zombies’ in its Global Application and Network Security Report, 2015-16.

Radware is a global leader of application delivery and security solutions for virtual, cloud and software-defined data centres.

The internet of zombies refers to the rise of an advanced type of Distributed Denial of Service (DDoS) attack, named Advanced Persistent Denial of Service (APDoS).

APDoS attacks are fairly easy to spot. They can be identified by unusually slow network performance when opening files and accessing websites, or from the unavailability of a particular website with no alternative explanation.

Some affected users may also notice a dramatic increase in the number of spam e-mails they receive. If the attack is carried out on a large scale, these symptoms can extend across entire geographical regions.

What is APDoS?

APDoS uses short bursts of high volume attacks in random intervals, spanning a time frame of several weeks. Typically, APDoS attacks display five key properties: advanced reconnaissance, tactical execution, explicit motivation, large computing capacity and simultaneous multi-layer attacks over extended periods.

The attacks are more likely to be perpetrated by well-resourced and exceptionally skilled hackers who have access to substantial commercial-grade computing equipment.

Hackers use virtual smoke screens to divert attention, leaving systems vulnerable to further attacks that are more damaging, such as extortion and theft of customer data. While the financial services sector is most likely to be targeted, almost anyone can fall victim to these highly effective attacks.

APDoS attacks involve huge network layer DDoS attacks, with focused application layer floods, followed by structured query language injection (SQLi) and cross-site scripting (XSS) attacks carried out repeatedly, at varying intervals.

Because perpetrators attack using various methods, they can use two to five strike vectors involving millions of requests per second.

This flooding technique not only attacks the victim, but any service provider implementing any sort of managed DDoS mitigation capability. The longest recorded attack to date is 38 days. During this time, attackers may switch between several targets to create a diversion and to stop defensive DDoS countermeasures.

As long as the attacker has access to powerful network resources, they are capable of sustaining a prolonged attack and generating high levels of unamplified DDoS traffic.

Who is at risk?

In 2015, more than 90 per cent of companies surveyed by Radware experienced a cyber attack. Half of these were victims of an APDoS – up from 27 per cent in 2014.

The report by Radware suggested 60 per cent of its customers were prepared for a traditional attack, but not one as sophisticated as APDoS. This type of attack is becoming increasingly common in retail and healthcare, where data is considered to be up to 50 per cent more valuable.

As IT systems across different sectors become more automated, cyber security specialists are predicting these persistent attacks will happen even more frequently.

Previous cases

In 2013, news emerged that a cyber attack caused the NASDAQ trading market to shut down for more than three hours.

The incident prompted a $10 million fine for NASDAQ but more importantly, it led to a lack of confidence in investor sentiment surrounding trading systems.

People questioned whether the structure was flawed and if dependence on technology in trading strategies and automated trading systems was too high. At the beginning of 2016, there was also a similar attack on the BBC, which may have been the largest in history.

The group that supposedly carried out the attack stated that it reached 602 gigabits per second (Gbps).

In usual cases, this figure only reaches 50Gbps. If this is correct, it would put it at almost twice the size of the previous record.

Visitors to the BBC website were unable to gain access for several hours and were instead shown an error message. It occurred because the site was swamped with more traffic than it could handle.

Could you survive?

Radware’s 2014/15 report suggested that 16.3 per cent of cyber attacks are motivated by ransom. If your company does fall victim, strongly consider whether you pay the ransom or not.

Consult a security expert to check if the attack is genuine and once the problem is solved, put mitigating measures in place. Detecting APDoS attacks requires specialised programming that sends alerts to management as soon as an attack happens.

To be able to deal with the threat, the IT department or Chief Information Security Officer (CISO) has to receive this alert before the resource under attack becomes unavailable. Companies that don’t have the correct programs installed won’t know about the attack until the service goes down.

There are several methods of protection that companies can use, with the first option being network ingress filtering. This detects and drops incoming traffic that uses spoofed source IP addresses, such as packets arriving from the internet that claim to come from the company’s own address range or from private, internal-only ranges.
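The ingress filtering check described above, as an added illustration that is not part of the original article or of any product it mentions: packets arriving on the external interface are dropped when their source address falls inside the organisation’s own prefix or inside a range that should never appear on the public internet. The organisation prefix (203.0.113.0/24), the interface names and the sample packets are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical address space owned by the organisation (RFC 5737 documentation
# range, constructed for this example). Traffic with one of these source
# addresses should only ever originate inside the network, never arrive from it.
INTERNAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source ranges that are never legitimately routed from the public internet
# (private, loopback, link-local, shared address space, multicast, reserved).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass
class Packet:
    src: str    # source IP address as written in the packet header
    dst: str    # destination IP address
    iface: str  # interface the packet arrived on


def spoof_reason(src_ip: str) -> Optional[str]:
    """Return why a source address is implausible on the external interface, or None."""
    addr = ipaddress.ip_address(src_ip)
    for net in INTERNAL_PREFIXES:
        if addr in net:
            return f"internal prefix {net} arriving from outside"
    for net in BOGON_PREFIXES:
        if addr in net:
            return f"bogon range {net}"
    return None


def ingress_filter(packets: List[Packet], external_iface: str = "eth0"
                   ) -> Tuple[List[Packet], List[Tuple[Packet, str]]]:
    """Split packets into those accepted and those dropped (with the reason).

    Only packets on the external interface are checked: the same private
    addresses are perfectly normal on the internal side.
    """
    accepted, dropped = [], []
    for pkt in packets:
        if pkt.iface != external_iface:
            accepted.append(pkt)
            continue
        reason = spoof_reason(pkt.src)
        if reason is None:
            accepted.append(pkt)
        else:
            dropped.append((pkt, reason))
    return accepted, dropped


# Constructed sample traffic mixing legitimate clients with spoofed sources.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "203.0.113.10", "eth0"),  # ordinary external client
    Packet("203.0.113.55", "203.0.113.10", "eth0"),  # our own prefix from outside: spoofed
    Packet("10.1.2.3", "203.0.113.10", "eth0"),      # RFC 1918 source from the internet: spoofed
    Packet("10.1.2.3", "10.1.2.4", "eth1"),          # internal interface, not checked
    Packet("192.0.2.200", "203.0.113.10", "eth0"),   # ordinary external client
]


if __name__ == "__main__":
    ok, bad = ingress_filter(SAMPLE_PACKETS)
    print(f"accepted {len(ok)} packet(s), dropped {len(bad)} packet(s)")
    for pkt, why in bad:
        print(f"  dropped {pkt.src} -> {pkt.dst} on {pkt.iface}: {why}")
```

In practice this check lives in the router or firewall ACL at the network edge rather than in application code, and it only removes traffic whose source address is obviously impossible; a flood sent from genuine, unspoofed addresses passes straight through it, which is why the article goes on to describe baseline-based filtering as the next layer.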

Businesses can also use a third-party contractor that specialises in filtering DDoS and APDoS attacks. In cases such as this, incoming traffic can be routed to the contractor to filter and only legitimate traffic is sent back to the organisation.

There are also dedicated network solutions that businesses can deploy internally. These work in a similar way, by creating a baseline of expected traffic and dropping the excess requests that appear illegitimate.

This approach consumes a company’s bandwidth and processing power, so it’s not as scalable in handling larger attacks as a third-party specialist would be. Sometimes, the simplest options are the most effective.
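The baseline approach just described, together with the earlier point that an alert must reach the IT department before the resource becomes unavailable, as an added example that is not part of the original article or of any vendor product: request counts are grouped into fixed time windows, the first few windows form the baseline, and any later window that exceeds a multiple of that baseline raises an alert naming the busiest sources. The log format, the window size, the multiplier of 5 and all the traffic are constructed for the example; real deployments would derive the baseline from a much longer quiet period.

```python
import statistics
from collections import Counter, defaultdict
from typing import Dict, List, Tuple


def parse_line(line: str) -> Tuple[int, str, str]:
    """Parse a constructed log line: '<epoch seconds> <client ip> <request path>'."""
    ts, ip, path = line.split(" ", 2)
    return int(ts), ip, path


def detect_bursts(lines: List[str], window: int = 10, baseline_windows: int = 6,
                  multiplier: float = 5.0) -> List[Dict]:
    """Alert on every window whose request total exceeds multiplier x the baseline mean.

    The baseline is the mean request count of the first `baseline_windows`
    windows (assumed to be normal traffic). Each alert records the window,
    its total, the threshold it crossed and the three busiest source IPs,
    which is what an operator needs in order to start filtering.
    """
    per_window: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        ts, ip, _path = parse_line(line)
        per_window[(ts // window) * window][ip] += 1

    starts = sorted(per_window)
    baseline = [sum(per_window[s].values()) for s in starts[:baseline_windows]]
    threshold = statistics.mean(baseline) * multiplier

    alerts = []
    for s in starts[baseline_windows:]:
        total = sum(per_window[s].values())
        if total > threshold:
            alerts.append({
                "window_start": s,
                "requests": total,
                "threshold": threshold,
                "top_sources": per_window[s].most_common(3),
            })
    return alerts


def make_sample_log() -> List[str]:
    """Build constructed traffic: steady 2 req/s with two short high-volume bursts.

    The gap between the bursts mirrors the random intervals the article
    describes; the second burst is larger than the first.
    """
    lines: List[str] = []
    legit = [f"198.51.100.{i}" for i in range(1, 6)]   # constructed client addresses
    flood = [f"192.0.2.{i}" for i in range(1, 11)]     # constructed flood sources

    def steady(start: int, end: int) -> None:
        for t in range(start, end):
            for k in range(2):
                lines.append(f"{t} {legit[(t + k) % len(legit)]} /page{k}")

    def burst(start: int, end: int, per_second: int) -> None:
        for t in range(start, end):
            for k in range(per_second):
                lines.append(f"{t} {flood[k % len(flood)]} /search?q={k}")

    steady(0, 60)          # one minute of normal traffic: 20 requests per window
    burst(60, 70, 40)      # 400 requests in one window
    steady(70, 90)         # back to normal
    burst(120, 130, 50)    # second burst after a quiet gap: 500 requests
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(make_sample_log()):
        print(f"ALERT window starting t={alert['window_start']}: "
              f"{alert['requests']} requests (threshold {alert['threshold']:.0f}); "
              f"top sources {alert['top_sources']}")
```

Two caveats a practitioner would add: the baseline must be learned from a period known to be clean, because a burst that lands inside the first windows inflates the threshold and hides later ones; and a plain request count is only the first signal, since the application-layer floods the article mentions can stay under a volume threshold while still exhausting the server, so per-path and per-source rates belong in the same alert pipeline.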

If you have the appropriate security in place, advertising the fact that you are prepared will divert attackers, because they won’t want to use their resources on a potentially unsuccessful attack.

Businesses need to find new ways to fight the internet of zombies and can prepare for an outbreak by ensuring they’re equipped to make decisions quickly at the first sign of a hack.

Combining several layers of virtual protection with skilled professionals experienced in handling APDoS attacks should be the first line of defence for information security.

Paying for additional capacity when developing a website can make the process costly, so many companies scale their system to match a predictable peak.

However, in an APDoS attack, sites can experience ten or 20 times more traffic than their usual maximum, so it makes sense to allow a healthy margin of error when developing a system.

Having a response plan in place will also improve the chances of restoring a system before any major damage is done.

The plan should include preparing contact lists and procedures in advance, analysing the incident as it happens, performing the mitigation steps and undergoing a thorough investigation to record the lessons learned.

It’s likely that zombie films will be as popular as ever in 2016, with another instalment of Resident Evil on the cards. Let’s make sure that the internet of zombies doesn’t rear its head as well, by preparing ourselves for the potential outbreak of APDoS that’s heading our way.
