
Verifying DDoS Mitigation

2020-09-22

In late August 2020 the New Zealand Stock Exchange (NZX) was knocked offline for several days by a DDoS attack from a group claiming to be the Russian APT group Fancy Bear. The good news is that NZX did not pay the ransom demanded up front, before the attacks started. The bad news is that New Zealand’s central bank had forecast earlier in the year that cyberattacks could wipe out 2-3% of the country’s insurance and banking profits, a pretty significant tax.

GUI screenshot of an old classic DDoS tool, LOIC, the Low Orbit Ion Cannon. By FockeWulf FW 190, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=45539498

Just about any responsible firm in the financial services industry (FSI) will have some sort of DDoS mitigation solution in place; many will have more than one. The problem is that, like backups, unless you test your ability to actually mitigate a DDoS attack (or actually restore from backup), you don’t really know whether the protections you think you have are really there. Few things are worse than thinking you are in good shape when you are actually quite vulnerable.

DDoS is an interesting world. Much has changed since the days of 4chan/Anonymous and the Low Orbit Ion Cannon (LOIC). One thing that has changed is scale: as networks have grown larger and faster, attacks have grown with them, with some showing peak flows greater than a terabit per second.

Some newer techniques have contributed to that growth, in particular reflection or amplification attacks such as NTP amplification. There, a small request (historically the NTP monlist command) sent from a spoofed source address causes a public NTP server to return a response many times larger to the spoofed address; send that request to many servers at once and the asymmetry becomes a flood aimed at the victim. Since the victim never sent the requests, the pattern is also recognisable from the victim's side: large inbound UDP responses from a well-known service port with little or no matching outbound request traffic.

Other approaches are more timeless. One of them, Slowloris, has been on the radar since 2009. Slowloris and similar attacks fly low and slow: they use relatively little bandwidth but open as many connections to a web server as possible without ever completing a request, sending partial HTTP headers and then a few more bytes every so often so that the server keeps each connection open. Eventually the server's connection pool is exhausted and it cannot accept additional connections from legitimate clients. Because volumetric mitigation keys on bandwidth, a low-and-slow test is a separate check from an amplification test, and both are worth running.
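As an added example (not code from the original post or from BreakingPoint), the checks below encode the two signatures described in the last two paragraphs so that a test run can be confirmed from the defender's side as well as the attacker's: reflection shows up as large inbound UDP responses from well-known reflector ports with little or no matching outbound request traffic, and Slowloris shows up as one client holding many aged connections that never complete a request. The flow-record and connection-table formats, the thresholds, the reflector port list and the RFC 5737 documentation addresses are all assumptions constructed for the example.

```python
"""Detection checks for the two DDoS patterns discussed above, run over
constructed sample data. Added example; not code from the original post or
from BreakingPoint. Record formats, thresholds and addresses are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (NetFlow-style), as seen at the edge."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


@dataclass(frozen=True)
class Conn:
    """One entry from a web server's connection table snapshot."""
    client: str
    age_s: float            # seconds since the TCP handshake completed
    request_complete: bool  # has the server seen the end of the HTTP headers?


# UDP services commonly abused as reflectors (assumed list, extend as needed).
REFLECTOR_PORTS = {123: "ntp", 53: "dns", 1900: "ssdp", 11211: "memcached"}


def amplification_suspects(flows, victim_prefix, min_sources=3, min_ratio=10.0):
    """Flag (victim, service) pairs receiving far more bytes from reflector
    ports than the victim ever sent to that service. Because the attacker
    spoofs the victim's address, the victim sees large inbound responses with
    few or no matching outbound requests; that asymmetry is the signal."""
    inbound = defaultdict(lambda: {"bytes": 0, "sources": set()})
    outbound = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst.startswith(victim_prefix) and f.sport in REFLECTOR_PORTS:
            inbound[(f.dst, f.sport)]["bytes"] += f.nbytes
            inbound[(f.dst, f.sport)]["sources"].add(f.src)
        elif f.src.startswith(victim_prefix) and f.dport in REFLECTOR_PORTS:
            outbound[(f.src, f.dport)] += f.nbytes
    suspects = []
    for (victim, port), agg in inbound.items():
        ratio = agg["bytes"] / max(outbound.get((victim, port), 0), 1)
        if len(agg["sources"]) >= min_sources and ratio >= min_ratio:
            suspects.append({"victim": victim, "service": REFLECTOR_PORTS[port],
                             "reflectors": len(agg["sources"]),
                             "inbound_bytes": agg["bytes"], "ratio": round(ratio, 1)})
    return suspects


def slowloris_suspects(conns, min_conns=20, min_age_s=30.0):
    """Flag clients holding many aged connections that never finished their
    request. A browser completes its headers in milliseconds and opens a
    handful of connections; a low-and-slow client holds dozens for minutes."""
    stale = defaultdict(int)
    for c in conns:
        if not c.request_complete and c.age_s >= min_age_s:
            stale[c.client] += 1
    return {client: n for client, n in stale.items() if n >= min_conns}


# --- Constructed sample data (documentation address ranges, not real hosts) ---
VICTIM = "203.0.113.10"
SAMPLE_FLOWS = [
    # Three reflectors returning ~48 KB each to a port the victim never queried.
    Flow(f"198.51.100.{i}", 123, VICTIM, 40000 + i, "udp", 48_000) for i in (1, 2, 3)
] + [
    # One legitimate NTP exchange from the victim, request and reply both small.
    Flow(VICTIM, 51000, "192.0.2.5", 123, "udp", 90),
    Flow("192.0.2.5", 123, VICTIM, 51000, "udp", 90),
    # A normal DNS lookup by another internal host: single source, small reply.
    Flow("203.0.113.20", 52000, "192.0.2.53", 53, "udp", 70),
    Flow("192.0.2.53", 53, "203.0.113.20", 52000, "udp", 200),
    # TCP traffic is ignored by the reflection check.
    Flow("192.0.2.9", 443, VICTIM, 53000, "tcp", 10_000),
]
SAMPLE_CONNS = (
    [Conn("198.51.100.77", 120.0, False) for _ in range(40)]   # slowloris-style
    + [Conn("192.0.2.9", 0.2, True) for _ in range(3)]          # normal browser
    + [Conn("192.0.2.10", 1.0, False) for _ in range(2)]        # still sending headers
)


if __name__ == "__main__":
    for s in amplification_suspects(SAMPLE_FLOWS, "203.0.113."):
        print("reflection/amplification:", s)
    for client, n in slowloris_suspects(SAMPLE_CONNS).items():
        print(f"low-and-slow: {client} holds {n} incomplete connections")
```

Either detector firing during a test run is evidence that the test traffic actually reached the protected host. If the flow exporter sits downstream of the scrubbing layer, a working mitigation should leave the reflection check silent; if it sits upstream, you will see the attack and must confirm at the server that it never arrived. Tune min_ratio and min_age_s to your own baseline: a site that legitimately runs NTP or DNS servers has real outbound request traffic and a much lower ratio, and an API that accepts slow uploads needs a longer age threshold.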

These are just a couple of examples of the DDoS attacks that you can, and should, test your ability to mitigate if your network is a strategic asset that is key to your business.

For details on how you can use BreakingPoint to test these and other DDoS methodologies, including DNS floods, botnets, Mirai, Christmas Tree packets and others, we invite you to download our latest white paper, DDoS Test Methodologies: Testing Critical Financial IT Infrastructure DDoS Mitigation Systems.

Stay safe.

Thanks for reading.