A convicted fraudster was arrested by the FBI and charged with hacking into websites and threatening news outlets that had published news stories about crimes he committed in Canada, the
National Post reports. The FBI says Andrew Rakhshan contacted employees of news sites such as Canada's CBC network and Canada.com offering them money to take down stories related to his 2014 fraud conviction and deportation from that country. When that didn't work, he allegedly threatened to carry out distributed denial of service (DDoS) attacks on those websites. In one case, he allegedly carried out a DDoS attack on the legal documents website Leagle.com. The news stories covered a case in which Rakhshan was convicted of using counterfeit credit cards tied to banks in Australia, Brazil, France, the U.K., and other countries to purchase a yacht and several automobiles valued at CAN$500,000.
Not surprisingly, individuals, companies, and institutions not only have to prepare for, detect, investigate, and prosecute fraudsters, they also must be ready to defend themselves against threats and reprisals (including DDoS attacks) when those same fraudsters want to make the trail of their crimes disappear afterwards. DDoS attacks are being used more and more as a tool for any kind of exploit activity, including fraud and reprisals, and their sophistication and dynamic nature is increasing such that last year's solution may no longer work. Internal auditors therefore need to continuously update their knowledge and advice to help reduce the risks and impacts of these attacks.
To better fight DDoS attacks, auditors first must understand how they work. Simply put, a DDoS attack attempts to push a website off the internet by flooding it with data. There are increasingly powerful tools that anyone can download and use to trigger such attacks. The software allows attackers to direct overwhelming amounts of dummy traffic created by custom scripts at a website, then type in its URL and watch it generate fake user after fake user in an effort to overload the site's servers and bring it down.
Attacks on larger, more sophisticated networks are accomplished via a combination of DDoS tools that include botnets — collections of computer servers designed to connect and perform a unified action. Their job is often made easier because of the numerous Domain Name System (DNS) servers that exist to translate domain names into IP addresses. Freeware tools are available that contain a database of known vulnerable DNS servers on the internet. A very small data packet request to a vulnerable DNS server can request tens of thousands of bytes of information, and that server will respond as if it were to a legitimate site. These data packet requests can be efficiently generated and multiplied to overwhelm a large system. It also does not take much bandwidth to attack a login server and prevent access to services. And anyone can rent a botnet, even though it is illegal. (Just about everyone is vulnerable: To get a small idea of this, visit
https://www.grc.com/shieldsup to see what other people can view from your connection.)
What can auditors assess and recommend to help their organization plan against and mitigate DDoS attacks?
Organizations must not give in to fraudsters' demands that evidence of their crimes be taken down from websites. They should involve police and regulatory authorities immediately, and implement attack readiness measures, based on having already kept their DDoS risk mitigation up to date.
Use cloud services or outsourcing. Organizations use cloud services that can offload excessive traffic while DDoS attacks are happening, therefore preventing those organizations' networks from having to deal with the overload. Some large providers specialize in scaling infrastructure to respond to attacks and can implement cloud scrubbing services for attack traffic to remove most of the problematic traffic before it ever hits a target's network. DDoS mitigation providers can, during an attack, reroute traffic destined for the target's network to a mitigation center, where it is scrubbed and legitimate traffic is then forwarded on. These kinds of services are scalable in affordability so that they are not just for large organizations.
Fortify network architecture. Disperse organizational assets to avoid presenting a single rich target to an attacker. Locate servers in different data centers. Also ensure that data centers are located on different networks, with more than one pipe to the internet. Data centers also should have diverse paths. And data centers, or the networks they are connected to, should have no notable bottlenecks or single points of failure.
Scale up network bandwidth. For high-volume attacks, many large organizations adopt a solution to scale bandwidth up to be able to absorb a large volume of traffic. However, other organizations may not be able or willing to pay for the network bandwidth needed to handle some of the largest attacks.
Deploy and keep updating hardware that can handle known attack types and use the options that are in the hardware that protect network resources. This will lessen, but not eliminate the impact of an attack. There are many useful resources about these measures. A good starting point is the U.S. Department of Homeland Security's
DDoS Quick Guide (PDF).