Hackers are using swathes of server machines to participate in DDoS, or distributed denial of service, attacks against their targets, according to a New York Times report. This was the conclusion of security experts studying recent DDoS operations conducted against U.S. banks. The attacks were described as attaining a level of sophistication far beyond what is typically exhibited by amateur hackers.
This includes the ability to scale the intensity of an attack based on whether the target is still operational, as well as the incorporation of dynamic routines that allow propagators to inject new attack code to adapt to changes in a website’s security. Moreover, the fact that these attacks were going after disruption instead of money were also attributed as further evidence of a state-sponsored attack — with Iran singled out as the most likely culprit. The Iranian government has denied the charges.
Regardless of the origins behind the attacks, the fact that hackers are making use of server machines does underscore the need for small and mid-sized businesses to better protect their server infrastructure. Left unchecked, these attacks suck precious computing cycles on the whim of the remote hacker, resulting in a less-than-satisfactory experience for customers.
Depending on the specific hosting plans signed up by the company, this may also culminate in additional costs or even disruption as allocated bandwidth is exceeded. Fortunately, there are some steps that SMBs can take to prevent or mitigate the effects.
Though this is advice that is often repeated for workstations and laptops, the need to ensure that server machines are properly patched may be missed by some SMBs. If anything, the fact that server machines are constantly online makes it even more important that vulnerabilities in software packages or the operating system are rectified as soon as possible.
Prevention is better than cure, goes the often-repeated mantra. While I certainly won’t disagree with that, the situation here does necessitate the ability to detect anomalous network traffic in the event of a server compromise despite one’s best efforts or zero-day security flaws. Unexplained spikes in traffic usage could be monitored by an advanced firewall or IPS (Intrusion Prevention System) appliance to determine if they are caused by compromised servers on the network.
It is in the best interest of an SMB to ensure that their computing resources are not stolen and abused without their knowledge. Note that this pertains to hosted servers or virtual resources, too, though the ability to keep the servers updated or to monitor the network traffic may not be available in some of these scenarios.