Proactive IT security

DoS events

Introduction

The title of this week's security information does not refer to the celebration of an anniversary for the legacy PC operating system DOS. It is another of those neologisms that pop up continuously. One would have to look very closely to find an industry with more new words invented than the IT security industry.

The term DoS event, in the context discussed in this week's security information article, refers to a particular event that in itself may lead to a Denial of Service (DoS) situation.

A more accurate term is "DDoS event" (Distributed Denial of Service), which will be used in the rest of this article. It refers to an event that becomes so "popular" that some or all of the systems involved in it break down under the load. This load is normally the result of a huge number of requests (of various types) from many different origins, hence the D for distributed.

Typical applicable DDoS events

Presumably we have all experienced one or more DDoS events. Most of us have been (innocent) parts of the "attack".

Typical examples of potential DDoS events are:

  • Popular sport events where the tickets are available from one (or a few) offices at a particular point in time.
    The switchboard cannot handle all the incoming phone calls.
  • Popular rock concerts where the tickets are available from one online ordering system at a particular time.
    The web server(s) cannot handle all the web requests.
  • New Year's Eve
    Everyone wants to send "Happy New Year" messages to friends and relatives and the SMS messaging system cannot handle the traffic (resulting in e.g. huge delays in delivery).
  • Huge political events (like the US President Obama's inauguration).
    Potential mobile phone system break-downs, traffic issues, unavailability of news web sites etc.
  • Disasters that receive world-wide attention with particularly good coverage from some media.
    The media that are perceived as giving the best updates may have problems offering the needed bandwidth.

Most of the potential DDoS events mentioned above can be expected to put heavy load on different types of systems, and this load can be estimated before the event occurs. Those responsible for vulnerable systems will therefore try to strengthen the infrastructure by means such as

  • employing temporary staff
  • buying or leasing extra computing power
  • cooperating with other organizations to share the load at the time of the event

These solutions will normally be of a temporary character, and as such quite expensive. One will therefore be inclined to underestimate the additional infrastructure that is needed, rather than the opposite.

Security implications

A DDoS event may, however, also have security implications for the entity that is responsible for the systems. Since many potential DDoS events can be predicted months, even years, before the event takes place, persons and organizations that intend to target a particular entity will have an excellent window of opportunity to focus their action on.

There may be different motivations behind the wish to make an organization's systems unavailable. There have been several examples of pure extortion schemes. Typical examples are variations of: "unless you pay us lots of money, we will make your web ordering system unavailable when you launch your new product for downloading", and so on. It is known that some did not take the risk, and paid up.

An entity that has an upcoming potential DDoS event in the pipeline will usually be much more vulnerable to almost any kind of attack before, and particularly during, the event than normally. Most of the focus will be on the event, and it is therefore easy to be more careless with other tasks, including security.

A non-exhaustive list of examples:

  • Temporary staff may be more susceptible to social engineering attacks since the new personnel do not know their co-workers and the organization's culture as well as the ordinary staff.
  • Scheduled security drills and program updates may have been postponed until after the event, to be able to allocate more resources to the preparation for and implementation of the event itself.
  • Since the organization's hardware and software resources most likely will be operating close to their maximum capacity, a traditional Distributed Denial of Service attack will have much more potential for success than at other moments in time.
  • Malware targeted at the organization will have better potential to succeed as the organization's users' awareness may be lowered and/or the systems for stopping malware may not be prioritized as high as in a normal situation.
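
The third point above, that a system already running near capacity needs far less hostile traffic to tip it over, can be made concrete with a small headroom model. The following is an added example, not code from the original article: it assumes (hypothetically) that load and capacity are measured in requests per second, that the system fails once offered load exceeds provisioned capacity, and it uses constructed sample figures. It also generalizes slightly beyond the text by including a simple utilization check over per-minute rate samples, the kind of monitoring an operator would want to have in place before a predictable event.

```python
"""Capacity headroom model around a predictable DDoS event.

Added example, not from the article. Assumptions (hypothetical): capacity and
load are in requests per second (rps); the system breaks down when offered
load exceeds capacity. All numbers below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class CapacityPlan:
    capacity_rps: float              # provisioned peak capacity (rps)
    forecast_peak_rps: float         # expected legitimate peak during the event (rps)
    alert_utilization: float = 0.8   # raise an alert above this fraction of capacity

    def utilization(self) -> float:
        """Fraction of capacity consumed by the forecast legitimate load alone."""
        return self.forecast_peak_rps / self.capacity_rps

    def headroom_rps(self) -> float:
        """Extra traffic (legitimate or hostile) the system can absorb before saturating."""
        return max(self.capacity_rps - self.forecast_peak_rps, 0.0)

    def attack_fraction_to_saturate(self) -> float:
        """Hostile traffic, as a fraction of the legitimate peak, that would exceed capacity.

        Near capacity this fraction becomes small, which is the article's point:
        a modest attack suffices when the event itself has used up the headroom.
        """
        return self.headroom_rps() / self.forecast_peak_rps

    def over_threshold(self, samples: List[Tuple[str, float]]) -> List[str]:
        """Return the labels of rate samples whose utilization exceeds the alert level.

        `samples` is a list of (label, observed_rps) pairs, e.g. one per minute.
        """
        limit = self.alert_utilization * self.capacity_rps
        return [label for label, rps in samples if rps > limit]


# Constructed figures: same infrastructure on a normal day and on event day.
NORMAL_DAY = CapacityPlan(capacity_rps=10_000, forecast_peak_rps=2_000)
EVENT_DAY = CapacityPlan(capacity_rps=10_000, forecast_peak_rps=9_000)

# Constructed per-minute observations during the event ramp-up.
SAMPLE_RATES: List[Tuple[str, float]] = [
    ("12:00", 3_000),
    ("12:01", 7_900),
    ("12:02", 8_500),
    ("12:03", 9_600),
]


def compare_plans(normal: CapacityPlan, event: CapacityPlan) -> float:
    """How many times smaller the saturating attack is on event day than on a normal day."""
    return normal.attack_fraction_to_saturate() / event.attack_fraction_to_saturate()


if __name__ == "__main__":
    for name, plan in (("normal day", NORMAL_DAY), ("event day", EVENT_DAY)):
        print(f"{name}: utilization {plan.utilization():.0%}, "
              f"headroom {plan.headroom_rps():.0f} rps, "
              f"attack needed {plan.attack_fraction_to_saturate():.0%} of legitimate peak")
    print("alerting minutes:", EVENT_DAY.over_threshold(SAMPLE_RATES))
```

With the constructed figures, a normal day requires hostile traffic of four times the legitimate peak to saturate the system, while event day needs only about 11% of it; the ratio between the two is 36. The utilization check flags the minutes where observed load crosses 80% of capacity, which is when an operator should start distinguishing the expected flash crowd from anything riding along with it.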

The general advice is that an organization which is responsible for an upcoming DDoS event should not focus all its resources on that event. Persons, groups or organizations that for any reason want to target such an entity will have the optimum opportunity in the period around the event. If anything, an organization that is (by definition) vulnerable should strengthen its security when a DDoS event is upcoming.