Trends and truths in DDoS attacks

The first point to note is that while hacktivism hits the headlines, it is not according to Neustar the primary motive behind DDoS attacks: “the bulk of attacks still stem from other sources, namely extortionists, cut-throat competitors and others who strike for profit... those who take aim at your bottom line—in the form of a ransom note threatening your website or a competitor lunging for market share—are still launching the majority of overall attacks.”

One problem is that attack technologies are increasingly sophisticated while being cheap and easy to use. Medium sized companies are not likely to have the extensive security defenses of large corporations. A successful attack could cost such companies $150,000 – but a botnet can be hired as an attack tool for just $67 per day. Extortion and attacks against competitors make economic sense.

An additional problem is that medium-sized companies will depend heavily on traditional security defenses such as firewalls and IDS/IPS devices. But Neustar notes that firewalls become part of the problem in a DDoS attack. “They can quickly become bottlenecks, helping achieve the attacker’s goal of slowing or shutting you down... During DDoS attacks, firewalls go down faster than the servers they’re meant to protect.”

The attacks themselves are becoming smaller but more frequent and more advanced. While old-fashioned flood attacks remain popular, focused attacks aimed at overwhelming the processor rather than just blocking the access are increasing. Known as high packets-per-second (PPS) attacks, “the sheer number of packets can crash your CPU as it attempts to process the blitzkrieg of requests.” And it’s not just the traditional website and DNS that is being targeted. Encrypted traffic (because, by definition, it is likely to be valuable to the victim), and the less defended parts of the internet infrastructure such as email servers, APIs, default configurations like SNMP and even VoIP can be attacked. “Imagine no phone service, thanks to a congested Internet connection,” says Neustar. “Or losing sales because customers couldn’t connect to your API.”

Finally, two red flags for the future are raised. Firstly, are defenses able to handle IPv6 traffic? “With IPv6 sure to gain steady if slow acceptance, you’d be wise to make sure your DDoS solution (and DNS) are ready.” And just because the mobile infrastructure hasn’t been much used, it doesn’t mean it won’t. “That’s right,” says Neustar, “you can launch a DDoS attack from most smart phones or tablets. Bottom line: mobile devices are starting to magnify the threat.”

What’s Hot on Infosecurity Magazine?