Motives for DDoS attacks

“Every company shows up on the radar”

Every day, Swisscom’s DDoS Protection Service wards off DDoS attacks aimed at its infrastructure or that of its customers. A member of the security team provides information on hackers’ motives, their objectives and how companies can get themselves out of the crosshairs.

Text: Felix Raymann, Image: iStock by Getty Images, 14 November 2018, Updated 21 June 2021

Has there been a DDoS attack on Swisscom today? 

Yes, several. It’s now noon, and just like every other day we have already faced a number of attacks that our systems detected and neutralised automatically.

Is Swisscom a particularly attractive target for hackers? 

Like any service provider, we are attacked often. But in principle, any company that has a web presence or exposed services can be attacked, no matter what industry it belongs to.

“Any public service or web application can become the target of a DDoS attack.”

Do hackers prefer any particular sectors or companies?

According to the statistics, companies in the gaming and finance industries are targeted most frequently by DDoS attacks. These platforms are popular targets because the services they provide must be highly available and even brief outages can be very damaging.

What targets are particularly lucrative for DDoS hackers?

If hackers are out for money and demand ransom from their victims, a service provider that has to be permanently available to many users without delays often constitutes a juicy target. The targets can also be banks, government agencies, hospitals or electricity suppliers as well as any company that has a public website and depends on its services remaining accessible to users at all times. Cybercriminals choose the targets that offer the least resistance and the greatest profit.

Another more recent trend is the so-called RDDoS attack (DDoS combined with ransomware), in which a DDoS attack is launched after a company’s data has been encrypted. If its data is encrypted and its system is overloaded, this is disastrous for virtually any company.

Aside from money, what motivates DDoS attackers? 

Attackers have wide-ranging motivation. In some cases, a company wants to harm its competitors and hires hackers to do so. These then ensure that a service goes down.

Are you saying that companies use illegal means to harm their competitors? 

Yes, I am thinking here of globalised commerce, where it is quite possible that people with the necessary know-how are paid to harm companies.

How do you find out about such cases? 

We keep a close eye on the global hacker scene. We see orders, skills and entire DDoS attack services and malware being offered in forums and on illegal marketplaces.

Aren’t these people acting illegally and illicitly on the Net? 

Yes. But they need to make a name for themselves in the scene and gain a reputation in order to be able to offer their services. That’s why they can be categorised and tracked. As a result, we can, for example, identify the latest trends and what malware is in circulation, which vulnerabilities are being exploited, etc. We monitor the processes in order to be able to react as quickly as possible and in a targeted manner. Of course, we also network with manufacturers of security software or with the National Cyber Security Centre NCSC as part of our work.

I assume that not all companies should expect their competitors to act in a criminal manner. Are web service providers in a “harmless” environment safe from DDoS attacks? 

Not at all. Most attacks target a specific company or web platform. In short, all publicly accessible websites and vulnerable services (e.g. gaming platforms) are at risk if they are inadequately protected and threatened by the motivations of the various actors. The aforementioned hackers with monetary interests are not picky. They target any victims that present themselves.

“Only those companies that do not have exposed services are safe from DDoS attacks.”

In the hope of conducting a successful attack and getting a ransom? 

Yes, precisely. But the motives can also be different. For example, rival hacker groups battle it out in so-called “turf wars” by trying to outbid each other in terms of the scale of their attacks.

What else motivates hackers and how can companies get themselves out of the crosshairs of such attackers? 

There are what are known as hacktivists, who are more target-oriented and choose their victims according to the ideology they represent. These can, for example, be actors who position themselves politically, ethically or ideologically in some way. Therefore, organisations that don’t address correspondingly controversial or political issues do not meet these blackmailing hackers’ criteria. Then there are politically motivated hackers who use DDoS attacks to try to paralyse organisations or state institutions on behalf of governments. Others, like so-called “script kiddies,” just want to shut systems down for fun or as a challenge. Sometimes DDoS attacks are used as a distraction, for example, to make the incident response team focus on an attack so that the hackers can install malware or steal data in another way. 

Can perpetrators and their motives be identified solely from the characteristics of an attack? 

Some attacks can be pinpointed geographically. But if a globally distributed botnet is used, this is not possible. Telemetry, which is mainly available only to antivirus manufacturers, can be used under certain conditions to identify the groups of perpetrators that could be behind an attack. If, for example, the same IP addresses are used both to conduct a DDoS attack and to try to install malware, we can draw conclusions about the perpetrator groups and their motivation. However, our main job is not to find out who carries out attacks and why. We use this information to protect our infrastructures and those of our customers as well as possible.

The Swisscom Security Team analyses and neutralises DDoS (distributed denial of service) attacks on a daily basis. Its staff deploy the efficient protection mechanisms of the DDoS Protection Service and constantly develop them further. They also monitor the hacker scene closely in order to be able to react adequately to the latest threats and trends and thus protect Swisscom’s IT infrastructures and those of its customers.
