It is human nature to make our jobs seem more exciting and dangerous. Office language is filled with vocabulary of conflict and warfare. If you’ve ever “kept your head down”, been on “the front line”, suffered “under the cosh”, peered “over the parapet”, or spent time “fire-fighting”, then you’ll recognise what I mean. We aim to “hit targets” to avoid “getting fired”, which sounds like a more thrilling ride than sitting at a desk, or on a conference call listening to other people talk and voicing your own opinions from time to time.
Spreadsheets are not sexy.*
From birth, the network security industry seems to have the same approach to naming and describing its products. A firewall sounds more exciting than an access control device – and moreover is a reasonable physical analogy that helps explain the product’s function.
Recently though, perhaps in an effort to differentiate themselves in an increasingly fragmented market, security vendors have moved away from names that explain function and have started to wallow in those that represent fear, danger and excitement. For every Intrusion Prevention System, there is now a Dark Intelligent Cyber Defender. I’m not totally against these linguistic conventions. I like to feel like a Cyber Security Ninja Superhero too. However, my wife tells me that wearing the costume for work is going too far.
Dark DDoS is one step too far
In the wake of the theft of customer data from Carphone Warehouse and TalkTalk in 2015, some articles emerged using the term “Dark DDoS” to describe one apparent element of the incidents.
It seems to have started with DDoS mitigation device company Corero in the article, DDoS Experts Predict That “Dark DDos” Will Turn the Lights Out on UK Businesses in 2016, but was picked up on by the press (Dark DDoS – A Growing Cybersecurity Threat). Digesting these articles is quite hard – quite apart from the quality of some of the reporting. See Dark DDoS: Beware, hackers can use military techniques to infiltrate your network.
The press articles differ slightly in what they think Dark DDoS is. On the one hand, Dark DDoS refers to a type of DDoS attack where the objective of the attack is to distract the target’s IT or security teams from a different but concurrent attack. On the other, it may have something to do with a constant stream of low intensity DDoS traffic slipping “under the radar”.
This confusion is easy to anticipate and unnecessary. DDoS attacks have always had a distracting or disabling effect on the target IT or security team. Often people and processes are more vulnerable to denial than networks and technology. Also, “low and slow” attacks are part of mainstream DDoS libraries and have been for years. Calling these features “Dark DDoS” and portraying them as something new seems actively unhelpful. The term Dark DDoS seems to be nothing but an attempt to make DDoS sexy and exciting, but it is merely causing confusion and adding romance to criminal activities.
The reality is that DDoS attacks are predictable and annoying, and that dealing with them is necessary, detailed, thankless work. Like spreadsheets.*
A DDoS attack is still a DDoS attack regardless of intensity, regardless of whether it is used to deny users access to web applications, probe defences, act as a smokescreen for criminal activity, distract IT teams, extort money, or advertise DDoS attack tools to other ne’er-do-wells. The attacks are evolving, yes, becoming more sophisticated, yes; but at a product level, the detection and mitigation approaches employed are the same. The risk decision for businesses is the same.
Let’s do a deal. I’ll stop wearing my Ninja Superhero costume at work if you stop putting the word “dark” in front of everything. Now – let’s talk next about the industry’s evolving use of the word “intelligent”…