Hackers are gonna hack, but can the enterprise do jack?

With Lizard Squad offering up their DDoS tools to others, Davey Winder wonders why the enterprise isn't doing more to protect itself.

Millions of gamers got an unwanted Christmas present, when both the Sony PlayStation Network and Microsoft's Xbox Live were hit by a Distributed Denial of Service (DDoS) attack during the festive break.

The attacks should not have surprised anyone, least of all Sony or Microsoft, considering the hacking collective responsible pre-announced its intentions and the dates they would occur a month before.

The Lizard Squad had earlier taken responsibility for hitting the Blizzard (the World of Warcraft folk) and Sony PSN servers in August, before taking down Xbox Live for a few hours a month ago. After that attack on Microsoft, a Lizard Squad spokesperson stated on the group's Twitter feed that "Microsoft will receive a wonderful Christmas present from us" and admitted that knocking the service offline was "a small dose of what's to come on Christmas."

Those particular attacks appear to have come to an end after controversial internet entrepreneur Kim Dotcom offered Lizard Squad members 3,000 vouchers for his encrypted cloud storage service called Mega. These had a face value of $99, but are being sold on for $50 each, which means Lizard Squad will have netted a cool $150,000 from the attacks.

Despite news that a couple of alleged members of the hacking collective have been arrested, including a 22-year-old lad from Twickenham, Lizard Squad appear to be moving forward with the profit-making side of things. Although at first it was claimed the attacks were being made to highlight security weaknesses in the various target networks, some security industry insiders are now suggesting it's simply a marketing strategy.

The reason behind this claim is that Lizard Squad is now selling access to the LizardStresser tool it used in the takedown attacks, claiming it to be a network stress tester for use in performing dummy attack scenarios on networks.

Predictably, the tool has a track record of being used for nothing of the sort and such a description is fooling nobody. There are various rental packages on offer, ranging from a bizarrely short 100 seconds of attack time for $5.99 per month, through to a potentially devastating 30,000 seconds (eight and a half hours) for $129.99 per month. There's even a referral program offering a 10 per cent bonus on referred subs and a bunch of add-ons, such as 1Gbps of dedicated power and concurrent dual-boot options for additional Bitcoinage.

It has been suggested the real story here isn't yet another bunch of youngsters using the same old tools to take down networks but rather that networks are still insecure enough to be taken down in the first place. I'm not sure this is really fair to the enterprise, at least as far as defending against DDoS attacks is concerned.

The prices above reveal just how cheap it can be to fire off a ready-made attack at anyone you like, and LizardStresser is far from being the only, or cheapest, DDoS tool in town. Compare and contrast the pricing to how much it costs to engage the services of a DDoS protection provider, and it's not surprising that for all but the biggest of organisations such services are often seen as being out of reach. Indeed, given that giants such as Microsoft and Sony can still fall victim to a good old-fashioned DDoS'ing, even when pre-warned about it, one has to wonder if there's anything that can actually be done to prevent a determined attacker.

Well yes, there is, although perhaps protection is best replaced by mitigation when describing the approach that needs to be taken. I've covered this subject both at IT Pro and at our sister publication Cloud Pro so won't go over old ground again. Needless to say, though, while I appreciate that DDoS attacks are neither the easiest nor the cheapest threat scenario to defend against, defending against them is not impossible, nor does it have to be out of the financial reach of the enterprise.

What it requires is for organisations to stop shifting the responsibility for these attacks, to move away from the blame culture whereby the focus of guilt is shone everywhere but within and the inevitability of defeat comes to the fore. In the case of Sony and Microsoft, the clever money is on the Lizard Squad takedowns being more than just a simple hire-and-fire scripted attack, and actually involving something more sophisticated.

By this I mean the combining of DDoS attack servers and botnets, and the choosing of specific targets such as login servers which would require some kind of vulnerable external DNS server manipulation to accomplish. Most enterprises are not going to be subject to such complex attack methodologies, and employing basic DDoS mitigation services alongside network security best practice is likely to keep you safe. All that's needed is the will to secure rather than an expectation of failure.
