third Cyber Security Assessment Netherlands - NCSC
Detailed section » 4 DDoS
DDoS attacks have caused harm to the provision of
services by organisations in the vital infrastructure
(including the provision of online services from banks
and airline companies). Furthermore, basic facilities such
as iDeal and DigiD have also been affected by DDoS
attacks. This demonstrates that malicious attackers can
cause much harm using easily obtainable tools.
4.1 Introduction<br />
In the past year, public attention on DDoS attacks has increased<br />
considerably. This detailed section examines in greater depth the<br />
technical background, the actors who are (possibly) responsible<br />
and the measures that are implemented.<br />
DDoS is a means of attack by people with malicious intent that<br />
overloads the capacity of an organisation’s online services, websites<br />
or infrastructure by means of data traffic. The online services or<br />
infrastructure then become impossible or difficult for legitimate<br />
traffic to reach. Where in a DoS attack the actions are executed from<br />
a single system, with a DDoS the attack is launched from multiple<br />
locations and systems. [33: NCSC 2013-3] This detailed section examines
in greater depth the issues and incidents caused by DDoS attacks.<br />
4.2 Background<br />
DDoS attacks are not a new development and have been happening<br />
for more than ten years. However, in recent years the number of
attacks has been increasing. In 2012 and the first quarter of 2013 the
number of DDoS attacks rose and there was an enormous increase<br />
in the intensity of the attacks. [133] DDoS attacks are usually carried<br />
out by controlling an attack via a botnet [134] or multiple systems at<br />
the same time. The resources needed to launch a DDoS are relatively<br />
easy to come by and can be used by anyone with a sufficient<br />
knowledge of IT and the internet. The chance of an attack succeeding<br />
is very much dependent on the attacker’s level of knowledge and<br />
tools used, and on the measures that the target organisation has put<br />
in place. In many organisations there is a lack of knowledge and/or<br />
resources to take satisfactory and effective measures to restrict the<br />
impact and consequential harm caused by a DDoS attack. There is in<br />
reality little that can be done in the face of a DDoS attack other than<br />
to take measures to reduce the effect of the attack.<br />
4.2.1 Actors and their motives<br />
DDoS attacks are carried out for a variety of reasons by various actors.<br />
The capacity and technology for a DDoS attack are available for sale<br />
on the internet. Cyber criminals offer a DDoS attack as a ‘service’. [135]
The cost of using these services has fallen in recent years. [136] The<br />
actors do not themselves need many skills. Independently setting up<br />
a DDoS attack requires more knowledge and skills.<br />
Script kiddies<br />
A script kiddie’s motive for a DDoS attack is usually to increase<br />
self-esteem because a successful attack will be reported in the press.<br />
Hacktivists<br />
Hacktivists may carry out a DDoS attack against companies,<br />
organisations or governments that in their eyes are acting against<br />
their ideology or convictions.<br />
Criminals<br />
Criminals use DDoS attacks to blackmail companies: they carry out
a DDoS and then demand money from the victim to stop the
attack or avoid a long-term, more severe attack. DDoS attacks may
also be used as a diversion from the ‘real’ attack, for example to<br />
camouflage espionage or criminal actions. However there has been<br />
no evidence of this in the Netherlands as yet. Organised criminals in
a number of cases themselves possess the knowledge and skills or<br />
they buy in botnet services from a ‘botnet herder’.<br />
States<br />
A DDoS attack may also be carried out by a state for geopolitical<br />
reasons or as an element of cyber warfare.<br />
4.2.2 Technique<br />
DDoS attack techniques come in various forms. There are dozens<br />
of forms of DDoS attack on the IP protocol alone. Types of attack<br />
are often combined, meaning that different techniques are<br />
deployed at the same time or in sequence, making it more difficult<br />
to detect the right type of attack and react to it. A distinction is<br />
generally made between two categories of attack:<br />
»» volume-based attacks, which flood the network’s bandwidth
and the infrastructure;
»» attacks at the application layer, targeted at hitting specific services
and exhausting resources with a much lower volume of messages.
A number of common DDoS attacks are explained below.<br />
SYN flood<br />
A SYN message is sent by a computer, the source system, to a target<br />
system, for example a web server, to create a connection through<br />
the TCP protocol as a first step. SYN stands for ‘synchronise’. When<br />
the target system receives a SYN message it responds with a SYN-ACK<br />
message and the source system then sends back an ACK message.<br />
ACK stands for ‘acknowledge’. In this way, communication is<br />
133 Prolexic Quarterly Global DDoS attack Report Q1-13
134 See the detailed section on botnets.
135 ‘Cyber attack for sale on the internet’, Trouw, 11 April 2013. http://www.trouw.nl/tr/nl/5133/Media-technologie/article/detail/3423959/2013/04/11/Cyberaanval-te-koop-op-internet.dhtml
136 Chris Verhoef, information technology professor at the Vrije Universiteit: de Volkskrant, 9 April
2013: ‘Cyber attacks: a nice nuisance on the internet’.
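The SYN, SYN-ACK and ACK exchange described under ‘SYN flood’ above, as an added example that is not part of the NCSC report: it tracks the handshake per client endpoint and counts handshakes that never receive the final ACK, the condition a defender monitors for on a server. The Packet record, the addresses (documentation ranges) and the timeout are constructed assumptions.

```python
from collections import namedtuple

# Constructed record type (not a real capture format): time in seconds,
# the client endpoint the segment belongs to, and the TCP flags observed.
Packet = namedtuple("Packet", "ts client cport flags")


def handshake_report(packets, now, timeout=3.0):
    """Count completed handshakes and stale half-open ones.

    Per client endpoint: SYN (client) -> SYN-ACK (server) -> ACK (client).
    A handshake is half-open until the final ACK arrives.
    """
    pending = {}      # (client, cport) -> (state, time of first SYN)
    completed = 0
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.client, p.cport)
        if p.flags == "SYN":
            pending.setdefault(key, ("syn", p.ts))
        elif p.flags == "SYN-ACK" and key in pending:
            pending[key] = ("synack", pending[key][1])
        elif p.flags == "ACK" and pending.get(key, ("",))[0] == "synack":
            del pending[key]
            completed += 1
    # Half-open entries older than the timeout are the ones holding resources.
    stale = [k for k, (_, t0) in pending.items() if now - t0 > timeout]
    started = completed + len(pending)
    return {
        "completed": completed,
        "half_open_stale": len(stale),
        "completion_ratio": completed / started if started else 1.0,
    }


def sample_packets():
    """Constructed traffic: two complete handshakes, five never completed."""
    pkts = []
    for i, client in enumerate(["192.0.2.10", "192.0.2.11"]):
        t = i * 0.1
        pkts += [Packet(t, client, 40000 + i, "SYN"),
                 Packet(t + 0.01, client, 40000 + i, "SYN-ACK"),
                 Packet(t + 0.02, client, 40000 + i, "ACK")]
    for i in range(5):
        t = 1.0 + i * 0.01
        client = f"198.51.100.{i + 1}"
        pkts += [Packet(t, client, 50000 + i, "SYN"),
                 Packet(t + 0.01, client, 50000 + i, "SYN-ACK")]
    return pkts
```

A falling completion ratio together with a rising count of stale half-open entries is the signal to alert on; the absolute thresholds depend on the service's normal traffic.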