DDoS attacks - about more than a flood

Opinion by Dan Raywood

This week featured a new launch of distributed denial of service (DDoS) protection technology, while research revealed the scale of attacks on businesses.

This week featured a new launch of distributed denial of service (DDoS) protection technology, while research revealed the scale of attacks on businesses.

While these new technologies serve a purpose, what struck me about this type of attack is the capability not just to bring down a website or application, but use it to cloak another attack.

According to Joel Reid, regional sales manager for enterprise at Akamai, which launched real-time web security monitoring and attack mitigation technology this week, attacks are being used to introduce SQL or XSS vulnerabilities to harvest data out of the back of the network.

Andrew Miller, chief operating officer at Corero Network Security, which released the research on DDoS attacks, said their distributed nature means that attacks are flood-based, where compromised computers send messages to a website. “Application-layer attacks fly under the radar and look like normal traffic, so we developed technology to spot those requests by identifying good and bad behaviour,” he said.

One example is the attack on ACS:Law, where a DDoS attack led to an encrypted backup file being found, which contained around 1,000 confidential emails. It was uploaded to file-sharing website The Pirate Bay and the list of email addresses of Sky Broadband customers was leaked.

ACS:Law data controller Andrew Crossley was fined £1,000 for failing to keep sensitive personal information relating to around 6,000 people secure, although the Information Commissioner's Office (ICO) admitted that the fine could have been £200,000 if the firm was still trading.

Miller also pointed to the initial attack on Sony, where a DDoS opened the door for a sophisticated attack for credit card details to be taken.

“This was significant for Sony as it suffered a loss of revenue and its cost was in millions of dollars,” he said.

“There is also financial extortion where a company is told ‘pay us X amount of money or we will take you down'; this happened to a customer of ours and they deployed our technology and they were able to thwart the attack. I don't see it going away any time soon, a lot of the time people are reactive but it is in the press every day and they must know what a DDoS is.”

According to research by Kaspersky Lab, the average attack that it prevented in the second half of 2011 was 110 Mbit/sec – an increase of 57 per cent – while the longest DDoS attack in the second half of the year lasted for 80 days, 19 hours, 13 minutes and 5 seconds. This was targeted at a travel website.

It said the HTTP flood remained the most popular type of attack, with 80 per cent of detected attacks in this specific area. It said cyber criminals use several different technologies to conduct this type of attack: in 55 per cent of all HTTP flood attacks, bots try to access a single page of the site; the second most common type (22 per cent) is attacks on various authorisation forms; while the third most common type (12 per cent) is attacks that involve numerous attempts to download a file from the site.

More sophisticated attacks, in which cyber criminals attempt to mask the bots by imitating the behavior of real users, are conducted in only ten per cent of all cases.

It said that the second most common type of DDoS attack, with ten per cent of detections, is the UDP flood. Kaspersky Lab said that the bots conducting these attacks rely on brute force by generating enormous numbers of garbage packets that are relatively small (e.g. 64 bytes in size). The third and fourth most common types of DDoS attack are the SYN flood (eight per cent) and ICMP flood (two per cent).

Speaking to SC Magazine recently, Simwood managing director Simon Woodhead said that with a DDoS attack, it is not bandwidth, but packet per second, that causes a problem.

Asked about what he saw to be the future of such attacks, Woodhead said: “I see it evolving as it is getting more clear and targeted, as it now happens every day. What makes it a DDoS is scale relative to capability. A DDoS as a flood event is a routine thing, it is targeted but it is also random.

“A flood event is a noise but could be defined as a denial of service, and there is no way of quantifying how big it is. These will be more sophisticated, as a flood type is less effective but it is now targeted at specific services. It is low and slow and not on a radar and is used as a cover for information theft. The internet is about services and not just websites.”

The recent Arbor Networks report revealed the first DDoS at IPv6, while the average size of DDoS attacks had fallen from 100GB in 2011 to 60GB.

Bill Cerveny, senior quality assurance engineer at Arbor Networks, said: “This marks a significant milestone in the arms race between attackers and defenders. Network operators are concerned about having sufficient visibility and mitigation capabilities to protect IPv6-enabled properties.

“The good news is that IPv6 deployment has reached a threshold where network engineers have become concerned about attacks on their IPv6 network infrastructure and attackers have found targets on the IPv6-enabled internet worthy of the effort to craft and execute attacks.” 

Previously, SC Magazine looked at some of the technologies available for preventing or mitigating DDoS attacks. Data from Infonetics Research relating to December said the DDoS prevention market was "up 52 per cent compared with 2010".

Jeff Wilson, principal analyst for security at Infonetics Research, said: “Without a doubt, the number-one driver for the DDoS prevention market are the attacks themselves.

“The rise of botnets and easy-to-use tools (like LOIC) for launching attacks means that there are more DDoS attacks pushing greater volumes of traffic, initiated by a wider variety of attackers than ever before.

“As a result, revenue for DDoS prevention appliances is growing fast, particularly in the mobile network segment, which will see the most explosive growth as it rides the compound wave of a transition to IP and data, massive increases in capacity and a new role as a juicy and highly visible target for attacks.”

As Miller said, these attacks are not going to go away soon and the technology exists to deal with such attacks. However, as was said here, these attacks are about more than bringing services down, and viewing DDoS attacks as more than an irritation is a step in the right direction.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events