I've seen a number of articles this month about how Distributed Denial of Service (DDoS) attacks are evolving through the use of mobile devices. I think the articles blur the lines on several issues, so I wanted to clarify each scenario. There are several security issues at play, and it's important to distinguish between the DDoS attack itself and the tools used to initiate and execute one from a mobile device.
The standard DDoS attack is an attempt to overwhelm the available network connections in order to prevent legitimate traffic from getting through. This is typically done by coordinating a botnet to initiate a flood of traffic aimed at a specific victim. The challenge that organizations face is how to identify the bad traffic and filter it out from the good traffic.
In some ways, the mobile element is not particularly unique, because at the end of the day, it's still traffic that originates from a computer that you do not control. The primary difference is that mobile traffic is not easily blocked by source IP or domain (since it originates from a constantly moving device on a service provider's network or a public WiFi hot spot), so the filtering technology has to be more precise. In any case, whether organizations choose to use protection technologies upstream (in the cloud or at their ISP) or employ DDoS mitigation technologies in the next-generation security platform, the fundamental issue is not the mobile device, per se, but rather the technology used to scrub traffic.
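The following is an added example, not code from the original post or from Palo Alto Networks, that illustrates why per-source filtering is imprecise against a flood from mobile sources. It runs two defender-side detectors over a constructed set of flow records: a per-source rate limit, which misses a flood where each mobile source stays under the threshold, and an aggregate per-target check that compares request volume and distinct-source count against a baseline. The flow records, the address ranges (RFC 5737 documentation space for legitimate clients and 100.64.0.0/10 carrier-grade NAT space for the mobile sources) and the thresholds are all assumptions made for the example.

```python
from collections import Counter, defaultdict

TARGET = "203.0.113.10"  # constructed victim address (documentation range)


def build_sample_flows():
    """Constructed flow records: (second, src_ip, dst_ip, requests).

    Seconds 0-14: four legitimate clients send 5 requests/s each (20 req/s).
    Seconds 10-14: 200 additional mobile sources (constructed CGNAT addresses)
    each send only 3 requests/s, but together add 600 req/s.
    """
    flows = []
    legit = ["198.51.100.7", "198.51.100.22", "192.0.2.45", "192.0.2.118"]
    for t in range(15):
        for ip in legit:
            flows.append((t, ip, TARGET, 5))
    for t in range(10, 15):
        for i in range(200):
            flows.append((t, f"100.64.{i // 256}.{i % 256}", TARGET, 3))
    return flows


def per_source_offenders(flows, max_reqs_per_sec=50):
    """Classic per-source rate limit: sources exceeding the cap in any second.

    Each mobile source sends far less than the cap, so this returns nothing
    during the flood even though the target is overwhelmed.
    """
    counts = Counter()
    for t, src, _dst, reqs in flows:
        counts[(src, t)] += reqs
    return sorted({src for (src, t), n in counts.items() if n > max_reqs_per_sec})


def per_target_anomalies(flows, baseline_seconds=10, factor=5):
    """Aggregate view: per destination and second, total requests and the
    number of distinct sources, compared against the mean of the first
    `baseline_seconds` buckets (a fixed learning window here; a production
    detector would use a rolling baseline).

    Returns (dst, second, requests, distinct_sources) for each bucket where
    both volume and source count exceed `factor` times baseline.
    """
    per_bucket = defaultdict(lambda: [0, set()])
    for t, src, dst, reqs in flows:
        per_bucket[(dst, t)][0] += reqs
        per_bucket[(dst, t)][1].add(src)

    series_by_dst = defaultdict(dict)
    for (dst, t), (total, srcs) in per_bucket.items():
        series_by_dst[dst][t] = (total, len(srcs))

    alerts = []
    for dst, series in series_by_dst.items():
        base = [series[t] for t in sorted(series) if t < baseline_seconds]
        if not base:
            continue
        base_reqs = sum(r for r, _ in base) / len(base)
        base_srcs = sum(s for _, s in base) / len(base)
        for t in sorted(series):
            reqs, srcs = series[t]
            if reqs > factor * base_reqs and srcs > factor * base_srcs:
                alerts.append((dst, t, reqs, srcs))
    return alerts


if __name__ == "__main__":
    sample = build_sample_flows()
    print("per-source offenders:", per_source_offenders(sample))
    for dst, t, reqs, srcs in per_target_anomalies(sample):
        print(f"t={t}s target={dst} requests={reqs} distinct_sources={srcs}")
```

Running the script shows an empty offender list from the per-source check and five flagged seconds from the aggregate check. The point is the one the post makes: when sources are numerous and short-lived, the signal lives in the traffic pattern at the target, not in any single source address, so the scrubbing technology has to classify traffic on more than its origin.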
The articles bring up a second and far more interesting issue, and that’s related to the mobile applications that perform a DDoS attack. The tools mentioned span several broad categories, so let’s clarify these issues a bit further.
The tools for opt-in DDoS, such as a client for Low Orbit Ion Cannon (LOIC) for mobile devices, are big challenges. They allow users to participate in a DDoS -- it's essentially a way to opt-in to a botnet. The security issue here is not the DDoS attack itself (unless your company happens to be the intended target), but rather a mobile device policy issue. In other words, these applications can place the device under the control of a third party and make your organization a participant in an attack against another victim.
Botnet participants do not always join willingly. The other way to build a large community of participants is to use malware to turn the victim into a zombie. The malware does not necessarily attempt to steal data or otherwise harm the host, but rather lies in wait until called upon to participate in a DDoS attack.
In all cases, the common denominator for mitigating these issues is to identify devices that have unapproved tools and block their participation in the larger attack. Palo Alto Networks has a unique set of technologies to disrupt the use of unapproved applications, botnets and malware, summarized as follows:
Hopefully these tips help you get started with a plan for dealing with unwanted applications on mobile devices that participate in attacks. Breaking complex attacks (including ones that your users willingly participate in) can require a new approach to security, one based on blending the protections for controlling applications, traffic and mobile devices. This is why the next-generation security platform and Palo Alto Networks mobile security solutions are ideal for dealing with the applications and threats that you don’t want on your network.