DDoS attacks – are we really at war?

According to Craig Labovitz, the chief security scientist with Arbor Networks, who has analysed the DDoS attacks using his firm's ATLAS internet mapping technology, the biggest problem the sites face is the issue of flooding attacks.

During 2010, he says, Arbor Networks observed a number of DDoS attacks in the 50+ Gbps range.

"These large flooding attacks often exceed the inbound aggregate bandwidth capacity of data centres and carrier backbone links (often OC192 / 10 Gbps)", he said in his security blog.

And, he went on to add, despite the thousands of tweets, press articles and endless hype, most of the attacks over the last week were both relatively small and unsophisticated.

"In short, other than the intense media scrutiny, the attacks were unremarkable", he explained.

For example, he said in his firm's analysis of DDoS activity against multiple WikiLeaks hosting sites on the third day (December 1) following the initial release of the Cablegate documents, the DDoS traffic never grew beyond 3–4 Gbps.

Mitigating attacks of this scale, he claims, is fairly routine for Tier 1/2 ISPs and large content/hosting providers, and is more of an annoyance than an imminent critical infrastructure threat – "or 'easy peasy' to block as one internet engineer explained".

Labovitz says that around 20% of the retaliatory DDoS attack HTTP requests in one incident last week came from a new variant of LOIC named, predictably, LOIC-2.

"The new version of LOIC – a total rewrite of LOIC – supports additional 'hive' remote control command channels, including RSS, Twitter, and Facebook", he said.

"More significantly, LOIC-2 supports two new 'slow' classes of attack methods (i.e., DDoS strategies where the client deliberately elongates HTTP transaction times to burden the victim server)", he added.
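The server-side symptom of a 'slow' class attack, as described above, is a source holding many HTTP transactions open for a long time while sending almost nothing. The following is an added detection example, not code from the article or from Arbor Networks; it scores sources over a constructed sample log, and the log format, the field names and the thresholds (30 s, 512 bytes, 5 concurrent) are all assumptions chosen for illustration.

```python
"""Flag sources exhibiting 'slow' HTTP transaction behaviour.

Added example (not the article's or Arbor's code). Input is a constructed,
simplified access log: one request per line as
    '<src_ip> <start_seconds> <duration_seconds> <client_bytes>'
A request is 'slow' when it stays open a long time yet the client sends very
little; a source is flagged when it keeps several such requests open at once.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Request:
    src_ip: str
    start: float        # request start, seconds (constructed epoch offsets)
    duration: float     # seconds the server kept the connection open
    client_bytes: int   # bytes the client sent over the whole transaction


def parse_line(line: str) -> Request:
    """Parse one line of the constructed log format described above."""
    ip, start, duration, nbytes = line.split()
    return Request(ip, float(start), float(duration), int(nbytes))


def is_slow(req: Request, min_duration: float = 30.0, max_bytes: int = 512) -> bool:
    """Long-lived transaction carrying almost no client data (assumed thresholds)."""
    return req.duration >= min_duration and req.client_bytes <= max_bytes


def max_concurrent(reqs: Iterable[Request]) -> int:
    """Sweep-line count of the peak number of the given requests open at once."""
    events = []
    for r in reqs:
        events.append((r.start, 1))                 # connection opens
        events.append((r.start + r.duration, -1))   # connection closes
    # Sort by time; at equal timestamps a close (-1) sorts before an open (+1),
    # so a request ending exactly when another starts is not double-counted.
    events.sort(key=lambda e: (e[0], e[1]))
    peak = cur = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak


def flag_slow_sources(lines: Iterable[str], min_duration: float = 30.0,
                      max_bytes: int = 512, min_concurrent: int = 5) -> Dict[str, int]:
    """Return {src_ip: peak concurrent slow requests} for sources over threshold."""
    by_ip: Dict[str, List[Request]] = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if is_slow(req, min_duration, max_bytes):
            by_ip[req.src_ip].append(req)
    flagged: Dict[str, int] = {}
    for ip, reqs in by_ip.items():
        peak = max_concurrent(reqs)
        if peak >= min_concurrent:
            flagged[ip] = peak
    return flagged


# Constructed sample log (documentation-range addresses, invented values).
SAMPLE_LOG = [
    # One source opening six trickling transactions that all overlap in time.
    "203.0.113.7 0 120 80",
    "203.0.113.7 1 120 64",
    "203.0.113.7 2 120 72",
    "203.0.113.7 3 120 80",
    "203.0.113.7 4 120 64",
    "203.0.113.7 5 120 72",
    # Ordinary browsing: quick requests, plus one legitimate large upload that
    # is long-lived but moves real data, so it is not counted as slow.
    "198.51.100.20 10 0.2 640",
    "198.51.100.20 12 0.3 590",
    "198.51.100.20 15 45 2000000",
    # Two slow-looking requests from another source: below the concurrency bar.
    "192.0.2.9 20 60 100",
    "192.0.2.9 25 60 100",
]

if __name__ == "__main__":
    for ip, peak in flag_slow_sources(SAMPLE_LOG).items():
        print(f"{ip}: {peak} concurrent slow transactions")
```

The concurrency criterion matters more than the duration criterion on its own: a single long-lived request is how large uploads and long-polling clients behave, whereas the slow attack only burdens the server by holding many such transactions open simultaneously. In production the thresholds would be tuned against the site's own baseline before any source is rate-limited.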

And, the Arbor Networks chief scientist goes on to say, whilst the last round of attacks led to brief outages, most of the carriers and hosting providers were able to quickly filter the attack traffic.

In addition, he says, these attacks mostly targeted web pages or lightly read blogs – not the far more critical back-end infrastructure servicing commercial transactions.

"By the end of the week, Anonymous followers had mostly abandoned their attack plans as ineffective", he said.

"So ultimately, I'd suggest the last week of DDoS attacks surrounding WikiLeaks supporters and opponents falls far short of a cyberwar", he added.

"While it makes a far less sexy headline, cyber-vandalism may be a more apt description. In a similar vein, a Foreign Policy Op-Ed called hacktivist DDoS the digital equivalent of a sit-in by youth around the world."