Many Canadian government websites were knocked offline last month including Canada.ca, the House of Commons, the Senate, Foreign Affairs, Transport Canada, Citizenship and Immigration, and Justice Canada.
Anonymous, a loosely associated international network of hacktivists, claimed responsibility for the massive Distributed Denial of Service (DDoS) attack in YouTube videos and tweets. “Greetings citizens of Canada, we are Anonymous,” the video begins in a robotic voice. “Today, this 17th of June, 2015 we launched an attack against the Canadian Senate and government of Canada websites in protest against the recent passing of Bill C-51.”
Media reports quickly focused on the unavailability of many government of Canada web sites. However, the attack also prevented some government employees from accessing the Internet and created a Blackberry service outage starting around 10:30 a.m. Government officials have not said whether the DDoS attack specifically targeted these services or whether the interruptions were collateral damage resulting from shared network infrastructure.
At 10:59 a.m., Treasury Board President Tony Clement tweeted, “Confirmed today that Govt of Canada GC servers have been cyberattacked. Until full service is restored please use 1-800-OCanada.” His tweet prompted at least one sarcastic response suggesting Canadians telephone to demand privacy.
The DDoS attack ended around 2 p.m. A few hours later, Members of Parliament received an email from their Chief Information Officer advising them, “This afternoon, the House of Commons, along with several federal government departments and agencies, experienced telecommunications outages, affecting access to the Internet. The outages were a result of a Distributed Denial of Service Attack (DDoS). At this time, the threat has been mitigated.”
Some DDoS attacks have leveraged security vulnerabilities to crash services, but they more commonly focus on resource exhaustion by consuming more memory, CPU, storage, or network bandwidth than the target systems have available. These attacks range from simply overwhelming a web server with more requests than it can handle, to more sophisticated techniques such as using vulnerable Internet infrastructure such as DNS to magnify the attack and further camouflage the attacker’s location. Compromised PCs participating in a botnet are frequently used.
The distributed nature of DDoS attacks make them difficult to mitigate without advance planning. Unless system and network monitoring tools with good analytic capabilities are already in place, it may not be obvious to the victim that they are under a DDoS attack until they receive and investigate reports of service outages. Larger organizations with a Network Operations Center (NOC) or Security Operations Center (SOC) have an advantage, but advance planning remains critical to successful mitigation.
Government officials have not indicated what detection and mitigation measures they have in place, and for security reasons it would be unwise to do so. In general, mitigation approaches include attempting to filter attack sources and protocols, and requesting that service providers help reduce the impact by filtering, rate limiting, and redirecting traffic. Other DDoS response tactics include DNS changes to move services away from attacked resources and contracting with commercial DDoS prevention services capable of absorbing the brunt of an attack.
On the surface, last week’s DDoS attack appears to have been an illegal online protest. The attack only lasted a few hours, suggesting that Anonymous only wanted to make a point and draw attention to the issue. Other DDoS attacks against major corporations have lasted days or even weeks. DDoS attacks have also been used to provide cover for more intrusive attacks.
Governments, corporations, and individual website owners must accept that large-scale DDoS attacks can be launched against any target on the Internet. The frequency, magnitude, and sophistication of these attacks will increase. They are becoming a more frequent form of civil disobedience. Unlike physical protests, DDoS attacks don’t require travel, can be launched by an individual or small group, and cannot be dispersed using traditional law enforcement techniques.
Combating DDoS attacks requires tools, communication, and planning.
Tools are required to rapidly identify and mitigate DDoS attacks. Service providers must detect attacks emanating from their networks and cooperate to mitigate attacks closer to the source. Organizations of all sizes require tools to detect when they are a victim of DDoS attacks, provide immediate information to analysts, and notify upstream service providers automatically.
During a DDoS attack, effective communication is critical. IT and security personnel must recognize that an attack is in progress and put response plans into effect. Lines of communication with service providers and outside expertise should be in place prior to an attack. Many authors suggest involving law enforcement, but it is unlikely that law enforcement will be able to intervene during the attack. Investigation and prosecution of those involved is desirable, but mitigating the impact of the attack remains the top priority.
DDoS response plans should be aligned with and support the organization’s business continuity and disaster recovery plans. Emphasis should be placed on preserving critical services identified in the business impact assessment. Planning is critical to dealing with denial.