DDoS Attacks are as Dangerous as Malware. Why is defending against them important?
Interest in remote technologies, remote work, and online education has been growing in the pandemic era. In such conditions, the security of online resources and information is especially crucial.
That is exactly what we discuss in this interview with Ramil Khantimirov, CEO and co-founder of StormWall, an international company specializing in defense against DDoS and hacker attacks.
Editor — Let's talk about these DDoS attacks. As someone who has been involved in information security for a long time, I know for sure that such attacks are no less dangerous to network resources than malware threats. And of course, it is important to know how you can protect yourself from them.
Ramil, can you tell us what a DDoS attack is and how it works?
R. Khantimirov — Let's first understand what the abbreviation DDoS means. DDoS stands for Distributed Denial of Service.
It's a hacker attack that makes an online service inaccessible. This could be, for example, a website, a web application, an online game, or even an entire network.
"Distributed" means that the attack comes from many sources at once. It can be a set of infected computers or servers, or purpose-built setups from which the attack is launched.
Let’s take a look at a typical example of a DDoS attack on a website.
Imagine that 10,000 visitors browse your website simultaneously. The server simply can't cope with such a load, and the website stops loading for real users. That's the essence of a DDoS attack.
Editor — Who launches these attacks and why?
R. Khantimirov — Well, today purchasing a DDoS attack online is very easy. Prices start at just a few dollars. What's more, you can even get a free trial.
Therefore, from a purely technical point of view, anyone can launch an attack. It could be a competitor, an ill-wisher, or just a scammer who might demand a ransom to stop the attack.
In our experience, and this is what we see most often among our clients, the primary reason for an attack is taking down a competitor.
For example, at Christmas, online stores selling Christmas gifts traditionally come under attack. Competitors target each other's websites, the ones that show up in search results for queries like "buy flowers". Businesses hope to attract more customers while their competitors' websites are unavailable.
Now imagine how much a day of downtime at Christmas costs a gift store. For a larger business, the losses run into the millions.
Editor — Are these attacks regulated by law in some way? I mean, you can't just punish your competitors like that.
R. Khantimirov — The USA outlaws DDoS attacks. Hackers can get anything from a fine to 20 years in prison. But the problem here is finding the organizer and proving guilt.
Editor — DDoS attacks have been well known for a long time. Do they change over time? Is their power increasing? Are new types emerging? And can you single out the main trends in this area?
R. Khantimirov — The scale of attacks increases every year. This can be explained by the fact that internet traffic and the computing power used for generating attacks are becoming cheaper.
For example, five years ago an attack exceeding 100 gigabits per second was quite rare; now we see attacks of that size almost every day.
New attack types are emerging as well. Hackers are constantly finding vulnerabilities in applications and protocols. New techniques for boosting attacks, the so-called amplification methods, keep appearing. They allow an attacker with few resources to launch a very powerful campaign. Exploiting vulnerabilities in servers or networks can increase the scale even further.
We often observe that attackers not only try to bring down a website but also attempt to hack it at the same time, using the DDoS campaign to draw attention away from a more serious threat.
Editor — I follow information security news, and there has been a recent surge in DDoS attacks and other malicious activity. Why is this happening, and why now? Did the pandemic somehow influence the situation? And who suffers the most, which industries?
R. Khantimirov — Well, you know, the pandemic certainly had an impact. It made us all study and work remotely, and even shop online, since all the brick-and-mortar stores were closed. And the change in these behavior patterns affected attack vectors.
Earlier, entertainment resources were the most usual victims, because attacking them was profitable. During the pandemic, we have been seeing a surge in attacks on educational resources and on retail.
Recently, we conducted an analysis of our clients and saw that attacks on online-learning websites increased fivefold compared to last year. The students have a motive here: for example, they might try to disrupt a lesson or an exam.
Attacks on retail increased by 4 to 10 times, depending on the sector. This surge was primarily associated with unfair competition. Again, there is a motive.
Editor — How do you know that there is a DDoS attack and the website hasn't just frozen? When should you start to panic, and what should you do?
R. Khantimirov — Well, look. The symptoms of a DDoS attack are quite typical; it usually looks something like this:
Either the website first takes an unusually long time to load and then throws an error, or it throws an error message right away. The error says that the server couldn't connect to the database, or that there was a timeout. Or the website simply starts working sluggishly. In essence, a DDoS attack disables a service.
Editor — If a DDoS attack has already started and you noticed it, what should you do?
R. Khantimirov — Well, the response differs on a case-by-case basis.
You can try to stop it yourself by adjusting system settings or with optimization measures. But in that case, you are limited by the resources you have: the processor and memory the server is equipped with, and the bandwidth it provides.
If the attacker's resources are even slightly superior to yours, you won't be able to stop the attack by yourself. You will need to contact either your hosting provider or your Internet provider and ask whether they can help you. Or urgently look for a company specializing in protection against DDoS attacks.
Editor — How does DDoS protection work?
R. Khantimirov — Well, protection mechanisms work in different ways, but in general, the purpose of any defense is to distinguish real users from malicious traffic and to block the requests that come from bots.
Editor — You are talking mostly about companies, organizations, educational institutions, and government agencies. As for ordinary people, Internet users, should they be afraid of DDoS attacks at all?
R. Khantimirov — It's worth knowing about them, because we all depend on online services in one way or another, especially during the pandemic.
For example, an attack can disconnect a person from the Internet if it targets a network or a provider. With so many people working remotely now, a person using that network won't be able to do their job or order products online.
Should an ordinary person worry? Probably, but it depends on whom we call "ordinary people". If a person does not have their own website or some other Internet resource, then they shouldn't worry, because if a place where they order food gets targeted, there is nothing they can do. They will just have to order someplace else.
If you own an online resource, then you should think about protection in advance, because if an attack happens, the losses can be enormous.
Think of the flower shop example we talked about earlier.
Editor — So, if you are an ordinary guy, you just need to have a replacement service in mind? So that if the website you usually prefer fails due to a DDoS attack, you can quickly switch?
R. Khantimirov — Generally speaking, yes.
Editor — It seems to me that everyone has already encountered, or at least heard about, malware. Those dangerous programs can completely destroy, steal, or encrypt a user's information. The peak of malware activity was observed several years ago. Back then, we used to hear about a new global cyber threat capable of compromising huge corporate networks almost on a weekly basis.
Do you think DDoS attacks are as dangerous as malware? And what negative consequences can occur as a result of a DDoS attack?
R. Khantimirov — I believe that today DDoS attacks are among the primary threats to information security, and they are just as dangerous as malware.
Just as one shouldn't surf the web on a computer that doesn't have an antivirus installed, one shouldn't launch a website without DDoS protection.
As we already discussed, launching an attack doesn't cost anything, but the consequences can be grave: loss of customers, loss of reputation, and loss of profits.
You just need to make a simple calculation: how much will one full day of downtime cost you? That right there is the cost of an attack on your website. It is usually cheaper to protect yourself in advance than to deal with the consequences later.
Editor — That sounds really dangerous. In your experience, when you talk to a potential client, do they take these risks seriously or, as often happens, do they neglect the threat until they come face to face with it?
R. Khantimirov — You know, we have this mentality of downplaying risks until it's too late. So usually, until a person or a company encounters the problem, they don't consider a DDoS attack a serious threat.
But once at least one of their resources falls victim to an attack, they take the threat much more seriously, think about protection in advance, and allocate a budget. That is what we see in the Russian market right now, anyway.
Editor — Perhaps this type of behavior is more typical of small companies?
R. Khantimirov — Yes, basically. Large companies, of course, tend to pay more attention to cybersecurity.
Editor — Do bigger businesses have in-house teams, or is there a shortage of full-time cyber-security experts?
R. Khantimirov — Well, you know, it is not enough to have a cybersecurity team; you also need the computational power to filter traffic. So even large companies often work with some kind of DDoS protection service, because those services provide the horsepower.
Editor — So it doesn't make sense for them to invest in those additional resources; they just come to you on a task-by-task basis?
R. Khantimirov — Yes, there is no point in investing in having the resources in-house. What's more, experience in defending against DDoS threats is even more crucial, because new types of attacks can appear any day. You must be constantly engaged in developing and researching DDoS defenses to build successful countermeasures.
Editor — What solutions does your company offer and who can benefit from them?
R. Khantimirov — We specialize in defending websites from DDoS and hacking attacks. In addition to websites, we protect servers, networks, and providers. We work with clients from all over the world. Our clients range from individuals who host small websites to corporations that own networks with millions of users.
Our goal is to improve protection against cyber threats globally.
We develop our solutions in a private situational center, where DDoS attacks are registered automatically. Then we study them and develop countermeasures.
But we are especially proud of our customer service. Our experts are available 24/7 by phone, online chat, or email, and the response time of our support team never exceeds 15 minutes. From helping to defend against a surprise attack to developing a corporate cybersecurity strategy, we are available right away.
Editor — Do I understand correctly that you don't just react to a client's request, but actually investigate the network and identify DDoS attacks that no one even knows about yet?
R.Khantimirov— Yes, of course.
Editor — You have this lab constantly working, collecting data, analyzing, and detecting DDoS attacks. But how do you detect new DDoS attack types, threats that nobody has faced before?
R. Khantimirov — Well, roughly speaking, 99.9% of DDoS attacks are stopped by automatic systems, but hackers are constantly trying to come up with something to bypass this protection layer. If they succeed, we register the attack by other signs, for example, when certain availability parameters or response times show suspicious deviations from the norm.
And in cases when the automatic defense fails, we deal with attacks manually. Then we train our systems to defend automatically against these new attack types.
Editor — You mentioned earlier that the number of attacks is growing and that launching a DDoS attack is so easy that even somebody young can do it. Is that true?
R. Khantimirov — Yes, this is absolutely true. I would even go as far as to say that presently the majority of attacks are launched by school students. Starting a DDoS attack is very easy; tutorials and tools are publicly available on the Internet, and all you need is some minimal IT knowledge to use them.
Editor — How do you identify and find the attacker?
R. Khantimirov — Well, look, you can of course find an attacker, and there are people who track them down and are often successful.
But in some cases it's quite difficult, because hackers usually use a false address. Often attacks come from randomly generated addresses.
Attacks are often carried out by so-called botnets, networks of infected computers or phones containing thousands of units that receive a command to start DDoS'ing simultaneously. In this case, the traffic comes from thousands of addresses.
If an attacker cares even a little about their anonymity, they know perfectly well how to disguise themselves. Therefore, in such cases, the attacker can only be found by an indirect trail.
Editor — It seems to me that, in general, we don't have any kind of cybersecurity culture, and the legislation is not up to date in that sense.
R. Khantimirov — Of course, the legislation always lags behind the real IT market.
Editor — What do you think is more important: a cybersecurity culture, understanding what will happen if you don't follow simple rules of staying safe online, or having the technical capabilities to protect yourself from anything?
R. Khantimirov — You need to be aware of what DDoS attacks are, just as with other threats, and take some steps to be ready for them.
Even if DDoS protection is not yet configured, connected, or tested, you need to understand how long it would take, what budget should be allocated for it, and so on, so you never end up in a situation where customers simply can't access your service.
Editor — I hear that regular users can become part of a DDoS botnet simply by downloading malware and getting their device infected. How do you protect yourself from this?
R. Khantimirov — This is how botnets are built. Earlier, mainly PCs were infected, but now there are a lot of botnets on Android devices, like mobile phones and tablets.
Naturally, you need to follow some basic online hygiene. Keep your software up to date and install updates when they become available. Install a solid antivirus and regularly update its malware databases. Don't download or run files from unverified sources. Don't open or download attachments from suspicious emails, especially Microsoft Office documents.
These simple measures will protect you against most malware strains.
Editor — In your opinion, will the number of DDoS attacks continue to grow, and what predictions are there in this regard?
R. Khantimirov — Judging by our seven years of experience, the number of attacks grows steadily every year. And over the past 25 years, since experts began recording DDoS attacks at all, their number and strength have been growing year by year.
So we can conclude that the growth will continue.
Considering, firstly, that we are doing more and more things online and, secondly, that the Internet is getting cheaper and 5G is being introduced, soon every smartphone will be capable of launching an attack powerful enough to overwhelm almost any server. The attack growth rate will increase, and attacks will continue to become more sophisticated.