Airport security isn’t just ID checks and baggage scans anymore.
Fourteen U.S. airports experienced Distributed-Denial-of-Service (DDoS) attacks last week, resulting in brief website access glitches. Luckily, TSA’s aviation security program now requires designated cybersecurity coordinators to report cybersecurity incidents, conduct cybersecurity assessments, and develop remediation and incident response plans, so legitimate customers were only briefly inconvenienced.
Nevertheless, TSA announced that additional performance-based cybersecurity requirements for critical aviation systems will be rolled out soon in response. To explain why, let’s break down what DDoS attacks are and why hackers use them.
Beware of the Zombie Botnets
A DDoS attack is a malicious attempt to disrupt normal traffic to a network, server, or service. Usually, these attacks are SYN floods or UDP floods, in which networks of “zombie” machines, aka botnets, all send the same kind of request to a single target at the same time, crowding out legitimate user traffic.
DDoS attacks are among the simplest cyberattacks. Once the hacker identifies a target, they can punch information into a simple tool and hit the ground running. Like a remote control, the tool can issue commands from a distance. Cybercriminals typically install a DDoS tool on hundreds, if not thousands, of machines and mobilize them as a botnet group to launch coordinated attacks on a single target.
The amount of downtime a DDoS attack can cause is a function of the target’s security countermeasures. These attacks are not usually isolated incidents; they often recur until the cybercriminal feels they have accomplished their goal. Well-protected targets may only go down for a minute, while less mature organizations may stay down for as long as a month.
In this case, the cybercriminals appear to have used the SYN flood technique to target the airport websites. A SYN flood is a protocol attack in which a large number of TCP connection requests are started but never completed, leaving half-open connections that tie up server resources and delay connections for legitimate visitors. Most ISPs do not protect against protocol-based attacks, so it is important to avoid complacency. You cannot rely on your ISP for DDoS protection.
Learn How to Fight Back
To limit vulnerability to these attacks, organizations must protect themselves. The ideal solution helps end the attack quickly by using intelligent systems and services rather than human intervention.
The keys to protecting yourself against SYN floods are:
- A properly configured firewall, using IDS and IPS, basic iptables protection techniques, and modified rules.
- Protection using switches
- Server redundancy
- Continuous monitoring
- Network segmentation into subnets with unique security controls and protocol limitations
- Commercial tools and services to prevent spoofing by validating sources and blocking abnormal traffic
- Configuring network devices like routers, load balancers, and DNS to manage traffic spikes and build in remediation time if preventative measures fail
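The half-open connection behaviour described in the SYN flood explanation above, together with two of the defenses in this list (a firewall rule that caps half-open connections per source, and continuous monitoring that raises an alert when the half-open table grows), can be illustrated with a small simulation. The following is an added example written for this article, not code from the original post or from any vendor tool; the per-source cap, the alert threshold, the timeout, and the IP addresses (RFC 5737 documentation ranges) are all constructed values chosen for illustration.

```python
"""Simulated TCP handshake tracker: SYN flood detection plus a per-source
half-open cap. Added example; all thresholds and traffic are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class HandshakeTracker:
    per_source_cap: int = 5        # assumed firewall rule: max half-open per source
    flood_threshold: int = 20      # assumed monitoring alert: total half-open
    half_open: dict = field(default_factory=dict)   # (src_ip, src_port) -> SYN time
    syn_seen: int = 0
    completed: int = 0
    dropped: int = 0

    def half_open_by_source(self):
        """Count half-open connections per source IP."""
        counts = defaultdict(int)
        for src, _port in self.half_open:
            counts[src] += 1
        return counts

    def on_syn(self, src, sport, ts):
        """A SYN arrives. Enforce the per-source cap before allocating state."""
        self.syn_seen += 1
        if self.half_open_by_source()[src] >= self.per_source_cap:
            self.dropped += 1
            return "DROP"                # firewall rule fires, no state allocated
        self.half_open[(src, sport)] = ts
        return "SYN-ACK"                 # server would reply and wait for the ACK

    def on_ack(self, src, sport):
        """The final ACK arrives; the half-open entry becomes a real connection."""
        if self.half_open.pop((src, sport), None) is not None:
            self.completed += 1
            return "ESTABLISHED"
        return "IGNORED"                 # ACK with no matching half-open entry

    def expire(self, now, timeout):
        """Reclaim half-open entries older than `timeout` seconds; return the count."""
        stale = [k for k, ts in self.half_open.items() if now - ts > timeout]
        for key in stale:
            del self.half_open[key]
        return len(stale)

    def is_flooded(self):
        """Monitoring check: too many half-open connections at once."""
        return len(self.half_open) >= self.flood_threshold

    def offending_sources(self):
        """Sources that have hit the per-source cap, for an alert or block list."""
        return sorted(s for s, n in self.half_open_by_source().items()
                      if n >= self.per_source_cap)


def simulate():
    """Constructed traffic: one legitimate client, then a ten-host botnet."""
    t = HandshakeTracker()
    # Legitimate client completes three handshakes (constructed address).
    for port in (40000, 40001, 40002):
        t.on_syn("198.51.100.7", port, 0.0)
        t.on_ack("198.51.100.7", port)
    # Botnet: ten constructed sources, ten SYNs each, none ever ACKed.
    for i in range(10):
        src = f"203.0.113.{i}"
        for port in range(1000, 1010):
            t.on_syn(src, port, 1.0)
    return t


if __name__ == "__main__":
    tracker = simulate()
    print("SYNs seen:", tracker.syn_seen, "completed:", tracker.completed)
    print("half-open:", len(tracker.half_open), "dropped by cap:", tracker.dropped)
    print("flood alert:", tracker.is_flooded())
    print("offending sources:", tracker.offending_sources())
    print("expired after timeout:", tracker.expire(now=40.0, timeout=30.0))
```

Without the per-source cap the botnet's 100 SYNs would all sit in the half-open table; with it, each source is held to five entries and the other 50 SYNs are dropped before any state is allocated. The monitoring check still fires, because a distributed flood spreads the load across many sources, which is why the list above pairs firewall rules with continuous monitoring and a timeout that reclaims stale entries.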
Was This a Test?
Certified ethical hackers like me are taught to think like cybercriminals. Looking at this attack from that perspective, I believe this was just a test. Hackers are smart people, and they learn the same way other cybersecurity experts do. I believe that hackers will gather data from the aftermath of the recent airport attacks by reading or watching media coverage.
If these attacks were a test, then there is probably something bigger in the works. In the aftermath of a DDoS attack, it is important to evaluate all incident response plans, resolve existing vulnerabilities, and address any significant outages immediately. Temporary solutions are better than nothing, but it is important to plan for the long term.
It is important to really understand the potential impact of attacking airport websites. If a DDoS prevention solution had not stopped the attack, what might have happened next? How could we prevent it? What would that process look like?
I always like to compare cybersecurity to securing a house: You need to protect the structure, not just the belongings inside it. Similarly, in business, you must protect people, processes, and the technology, including data and access.
In the aftermath of these attacks, I highly recommend reevaluating your security tools, practices, policies, and procedures, both physical and operational. I also recommend additional testing and preparation for the possibility that your service provider and/or your DDoS tools fail to contain an attack.
If you are attacked, remain on alert for anything suspicious and report it promptly.
Looking to improve your organization’s cybersecurity posture? CONTACT SDI to drive vigilance and resilience across your enterprise.