Attacker motivations behind distributed denial-of-service attacks (DDoS) have shifted away from solely financial (for example, the extortion of online gambling sites and retailers) toward socially and
At that time, attacks were conducted using botnets to flood sites’ servers with large quantities of TCP or UDP packets, effectively shutting down the sites for hours at a time. Today, botmasters have begun to use more complex strategies that focus on specific areas of the network, such as email servers or Web applications.
Others divert security teams’ attention with DDoS flood attacks while live hackers obtain the actual objective, valuable corporate or personal information. This tactic was utilized in the infamous attack against Sony in 2011, according to Carlos Morales, the vice president of global sales engineering and operations at Chelmsford, Mass.-based DDoS mitigation vendor Arbor Networks Inc.
Rapid growth in the sophistication of DDoS attacks combined with the prevalence of attacks across markets makes for a dangerous and fluid attack landscape. Security researchers and providers agree that it’s becoming more important for companies to protect themselves from denial-of-service attacks, in addition to implementing other measures of network security.
DDoS attacks can quickly cripple a company financially. A recent survey from managed DNS provider Neustar, for example, said outages could cost a company up to $10,000 per hour.
Neustar’s survey, “DDoS Survey Q1 2012: When Businesses Go Dark” (.pdf), reported 75% of respondents (North American telecommunication, travel, finance, IT and retail companies who had undergone a DDoS attack) used firewalls, routers, switches or an intrusion detection system to combat DDoS attacks. Their researchers say equipment is more often part of the problem than the solution.
“They quickly become bottlenecks, helping achieve an attacker’s goal of slowing or shutting you down,” the report stated. “Moreover, firewalls won’t repel attacks on the application layer, an increasingly popular DDoS vector.”
For those reasons, experts suggest companies with the financial and human resources incorporate DDoS-specific mitigation technology or services into their security strategy. Service providers such as Arbor Networks, Prolexic and others monitor traffic for signs of attacks and can choke them off before downtime, floods of customer support calls, and damage to brand or reputation occur.
Purchasing DDoS mitigation hardware requires hiring and training of employees with expertise in the area, but experts say that can be even more expensive.
“In general, it’s very hard to justify doing self-mitigation,” said Ted Swearingen, the director of the Neustar security operations center. All the additional steps a company has to take to implement their own DDoS mitigation tool, such as widening bandwidth, increasing firewalls, working with ISPs, adding security monitoring and hiring experts to run it all, make it a cost-ineffective strategy in the long term, he said. Three percent of the companies in Neustar’s survey reported using that type of protection.
In some cases, smaller DDoS mitigation providers even turn to larger vendors for support when they find themselves facing an attack too large, too complex or too new to handle on their own.
Secure hosting provider VirtualRoad.org is an example. The company provides protection from DDoS attacks for independent media outlets in countries facing political and social upheaval—places where censorship by the government or other sources is rampant, such as Iran, Burma and Zimbabwe. A specific niche like that in a narrow market with small clients doesn’t usually require extra support, but VirtualRoad.org has utilized its partnership with Prolexic a few times in the last year, according to CTO Tord Lundström.
They have their infrastructure to deal with attacks, Lundström said, but they also have parameters for the volume and complexity that they can handle. When it gets to be too much, they route the traffic to Prolexic, a security firm that charges a flat fee regardless of how many times you are attacked.
“It’s easy to say, ‘We’ll do it when an attack comes,’ and then when an attack comes they say, ‘Well, you have to pay us more or we won’t protect you,’” Lundström said of other services. Extra fees like that are often the reason why those who need quality DDoS protection, especially small businesses like VirtualRoad.org clients, can’t afford it, he said.
The impact can be worse for companies if the DDoS attack is being used as a diversion. According to a recent survey by Arbor Networks, 27% of respondents had been the victims of multi-vector attacks. The “Arbor Special Report: Worldwide Infrastructure Security Report,” which polled 114 self-classified Tier 1, Tier 2 and other IP network operators from the U.S. and Canada, Latin/South America, EMEA, Africa and Asia, stated that not only is the complexity of attacks growing, but the size as well.
In 2008, the largest observed attack was about 40 Gbps. Last year, after an unusual spike to 100 Gbps in 2010, the largest recorded attack was 60 Gbps. This denotes a steady increase in the size of attacks, but Morales of Arbor Networks believes the numbers will eventually begin to plateau because most networks can be brought down with far smaller attacks, around 10 Gbps.
Even if they stop growing, however, DDoS attacks won’t stop happening altogether, Morales said. Not even the change to IPv6 will stop the barrage of daily attacks, as some were already recorded in the report.
Because of the steady nature of this attack strategy, experts suggest all companies that function online prepare themselves for this type of attack by doing away with the “it won’t happen to me” attitude. Luckily, recent “hacktivist” activities have given DDoS attacks enough press that CSOs and CEOs are starting to pay attention, but that’s just the first step, Morales said.
It’s important to follow through with getting the protection your business needs if you want to achieve the goal, said VirtualRoad.org’s Lundström. “The goal is to keep doing the work,” he said.