The distributed denial-of-service (DDoS) attack is a modern form of action and takedown that is not impossible to defend against, but is a challenge nonetheless for victims.
As demonstrated with the attacks on US government sites following the takedown of file-sharing portal Megaupload last week, a DDoS can not only disturb your business but leave your network exposed.
When ACS:Law was hit in September 2010 by a DDoS, it took down its website but left files exposed that were eventually distributed over the internet. One file contained around 1,000 confidential emails, while an unencrypted document listed the personal details of more than 5,300 BSkyB Broadband subscribers, alongside a list of adult videos they may have downloaded and shared online.
The ICO served ACS:Law data controller Andrew Jonathan Crossley with a fine of £1,000 for failing to keep sensitive personal information relating to around 6,000 people secure. The ICO admitted that the fine could have been £200,000 if the firm was still trading.
So imagine if the next step after overloading a website was overloading an email inbox so it became unusable. According to Manish Goel, CEO of TrustSphere and chairman of the Online Trust Alliance, the average business person will send or receive at least 112 emails a day, but on top of spam and phishing attacks, there is a new emerging threat, which he called "voll-e".
Goel said this "appears to be able to avoid the conventional safeguards against spam, phishing and malware", and an attack happens when a single inbox is targeted by many email senders.
He said this had gained popularity in the ‘Occupy' protests where voll-e attacks had been used to harass corporate executives, underneath the ominous message "The 1 per cent have addresses. The 99 per cent have messages".
“One such Occupy Wall Street website makes it easy to participate in ongoing voll-e attacks on more than 200 C-level officers and directors of major US banks,” Goel said.
“A voll-e attack is like a flashmob in your inbox, except no one is dancing.
Because these messages don't typically possess any of the keywords typically censored by content filters used to catch spam, nor include links to external websites that phishing filters likewise catch, these messages have a high probability of being delivered to the executive being targeted.
“Imagine the disruption to business when hundreds of emails suddenly start flooding the inboxes of senior executives. Legitimate and important emails are lost in the chaos, buried between scores of nonsensical voll-e messages. Worse than losing a phone, a voll-e attack can render an inbox temporarily useless.”
I asked David Harley, senior research fellow at ESET, whether this low-tech form of attack on email was prominent. He said: “In classic mailbombing, an individual pounds a targeted mailbox with multiple (often very large) mails with the intention of general harassment and/or compromising the target's ability to use email.
“In principle, it's normally easy to counter by filtering. If it's coming from one or even a few accounts, you don't even need a heavy-duty anti-spam to block the offending accounts.
“Of course, there is the risk that an ISP will be badly enough affected by the volume of traffic to suspend the account, so that filtering on an individual user's mailbox or a corporate gateway is ineffective, since the action is taken because of the damage upstream to the victim.”
Goel said that voll-e attacks are designed to get through the reputation and spam mitigation systems and filters, but automated bot-generated attacks are more easily detected and blocked. He said that this is because repetitive emails from the same or similar IP addresses and messages with the same or similar content would almost certainly be blocked by conventional email filters and traps before they could reach the recipient.
“One-by-one voll-e attacks are more nefarious. They are not generated with any profit motive, but for the specific purpose of disrupting business. Voll-e attacks are effective because they slip under the radar avoiding reputation systems and spam traps and end up in the destination, and the destination is almost always a senior business executive,” Goel said.
Harley admitted that as a voll-e attack comes from multiple accounts/domains, and can be intentionally varied, it is harder to detect by simple analysis of textual or graphic content.
Also, it could be particularly effective if, for instance, you had a large group of hacktivist sympathisers mobilised to co-ordinate it, though there are a number of measures that could be taken to reduce its impact.
So what about filtering it at a gateway, if anti-spam would be overloaded? Paul Hennin, director of EMEA marketing at Proofpoint, said these attacks are not new, but are low-tech and disruptive "in a security landscape of advanced persistent threats and custom-made attacks".
“Although they are not a new threat for the CISO, the focus in tackling them is shifting to applying a more intelligent approach to provide visibility into the attack and simultaneously protect the organisation's ability to do business,” he said.
“These new techniques are made possible by big-data analysis and cloud platforms. For example, attacks can be detected by looking across large volumes of email to ‘learn' the typical language and tone used in the community and spotting shifts or by tracking alterations in the patterns of mailing rates by IP address.”
However, Goel said there is no simple way to protect against a voll-e attack, as once your email address is exposed beyond the walls of your office, it becomes vulnerable.
He said: “Fortunately there are new technologies that address email and inbox vulnerabilities such as voll-e. Trust-based email systems recognise and differentiate emails from trustworthy recipients and can prioritise the delivery of these emails from known senders to your inbox. Using trusted relationships to prioritise emails assures that virtually no important message is lost and is also properly delivered.”
Harley said he would be more concerned if these attacks were automated, which could be done with a suitable botnet that could make it easy to switch not only account names (which would probably be spoofed anyway) and domains but also IP ranges, making a technical defence potentially challenging.
Asked if the political, rather than profit-led, aims of such attacks made the action worthwhile, Harley said: “With spearphishing and the like you can usually see that the attacker hopes to get some concrete value out of the investment.
“Mailbombing an individual doesn't generally offer an obvious profit, and cyber crime nowadays is mostly about profit rather than the murkier motivation of earlier attacks.”
As research by Websense found last week, people were prepared to reveal their email addresses online, and you would assume that executives in sensitive areas would be more cautious; but if all an attacker needs is an email address, then it is a simple case of preparation.
As the DDoS attacks orchestrated by the Anonymous group demonstrated, assembling a number of people in a single action can be easy, and if disruption is the aim, a voll-e attack may be a temporary disruption that needs to be mitigated.