DDoS Disruption: Election Attacks

Monday, November 05, 2018

Hardik Modi


In an increasingly politically and economically volatile landscape, cybercrime has become the new geopolitical tool. Attacks on political websites and critical national infrastructure services are ever more frequent not only because the tools to do these are simpler, cheaper and more widely available, but also due to desire and capabilities of attackers to impact real-world events such as election processes, while staying undiscovered. Not surprisingly, a third of respondents to NETSCOUT’s latest Worldwide Infrastructure Security Report saw political or ideological disputes as motivation for DDoS attacks.

As such, we are reminded that cyberattacks against elections are a major concern for the US—recall the recent DDoS attack that crashed a Tennessee county's website on election night in May. The Department of Homeland Security has warned against voting machine hacks and targeted attacks against campaigns. The agency said that in 2016, hackers targeted election systems in 21 states.

Election officials are on high alert for future DDoS attacks and the risk they pose to availability of systems, and more importantly, to confidence in the entire system, which hangs in the balance as we consider the integrity, sanctity and validity of election results overall. Moreover, DDoS attacks on election night pose risk to the availability of information. Imagine if the AP suffered an outage due to a DDoS attack on election night?

The Risk of Volumetric Attack

The sudden emergence of MemcacheD as an attack vector earlier this year certainly brings the possibility of a massive DDoS attack into focus for election officials. The reality is that while 2018 has ushered in an era of terabit DDoS attacks, with the largest one clocking in at 1.7Tbps, we’ve seen evidence that it will also prove to be a year faced with application-layer attacks as well.

Unlike volumetric attacks, which overwhelm networks quickly by consuming high levels of bandwidth, application-layer attacks are more subtle and insidious – and much more difficult to detect and block. The application-layer attack, sometimes called a Layer 7 attack, targets the top layer of the OSI model, which supports application and end-user processes. In these outbreaks, attackers pose as legitimate application users, targeting specific resources and services with repeated application requests that gradually increase in volume, eventually exhausting the ability of the resource to respond. Widely regarded as the deadliest kind of DDoS attack and often fueled by botnets such as Mirai and it’s many successors, application-layer attacks can inflict significant damage with a much lower volume of traffic than a typical volumetric attack, making them difficult to detect and mitigate proactively with traditional ISP or cloud-based monitoring solutions. They have a singular goal: take out a website, application or online service. While service providers can detect and block volumetric attacks as well as larger application-layer attacks, smaller application attacks can easily escape detection in the large ISP backbone, while still being large enough to cause a problem for the enterprise network or data center.

Domain name system servers (DNS), the directories that route internet traffic to specific IP addresses, are the most common targets, and HTTP and secure HTTPS services are also targeted frequently, rendering them unavailable to legitimate requests. In fact, many business-critical applications are built on top of HTTP or HTTPS, making them vulnerable to this form of attack even though they may not look like traditional public web-based applications.

Best Practice DDoS Defense

To effectively detect and mitigate this type of attack in real time, what’s needed is an inline, always-on solution deployed on-premise as part of a best-practice, hybrid DDoS defense strategy combining cloud-based and on-premise mitigation. An intelligent on-premise system will have the visibility and capacity to quickly detect and mitigate these stealthy, low-bandwidth attacks on its own, and early enough to avoid the need for cloud mitigation. Should the attack turn into a flood, the on-premise system can instantly activate cloud-based defenses through cloud signaling. Deploying any widely available on-premise component of a hybrid DDoS defense solution, including those from NETSCOUT, can mitigate the vast majority of application-layer attacks before they can do damage. For organizations facing budget and resource constraints, managed DDoS service options provide them with a means to save money, amplify in-house resources and reduce risk. Outsourced or in-house, a hybrid DDoS defense ensures detection and mitigation across the full spectrum of DDoS risks while protecting availability.

About the author: Hardik Modi is Senior Director, Threat Intelligence at NETSCOUT|Arbor. He is responsible for the Threat Research and Collections teams, ASERT and ATLAS, respectively. In this role, he drives the creation of security content for NETSCOUTs products, enabling best-in-class protection for users, as well as the continuous delivery and publication of impactful research across the DDoS and Intrusion landscapes.

Possibly Related Articles:
Enterprise Security Security Awareness
DDoS midterm elections US elections election hack
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.