In a story I did a month ago, I looked at research that suggested that distributed denial-of-service (DDoS) attacks were not being taken seriously at all levels of business.
In that research by Neustar, it found that in its survey of 704 businesses, 33 per cent of UK respondents had experienced an attack in the last 12 months and that 70 per cent of attacks lasted a day, while those that had deployed technologies to mitigate attacks had dropped to eight per cent of respondents.
This led me to question: are businesses taking DDoS attacks seriously? With so much coverage in the press about attacks, not to mention the 300Gbps Spamhaus attack in March and the fact that DDoS attacks had standardised at 60Gbps, is this something that should be taken more seriously?
I asked Darren Anstee, solutions architect team manager for Arbor Networks, whether there was a disconnect between people who understand DDoS, and those who know about it.
He said: “There are banks who deal with it but there are others that see a big packet blast that locks up the network, but it is mostly sophisticated stuff. There is a gap from big organisations that still think that a firewall and IPS will deal with the problem, or they rely on a service provider to clean it up so they can deal with it if they have bought the service.”
Speaking at a recent event, John Stratton, president of Verizon Enterprise Solutions, said that looking at mid 2012, attacks were less than 1GB and that can be invested against, but as they have grown 40/50 times in nine months, this is a challenge for companies to evolve their defences and technologies.
“We want to enable businesses to be able to be resilient, to be able to stand up and the danger is if a company that has grown up with the threats will be different from those that face a 40Gbps attack, which will knock them over,” he said.
Speaking to SC Magazine, a public sector IT manager said that they did not really perceive DDoS attacks as a problem, and that their business did not really do anything on top of normal gateway device protection through the firewalls.
“I think this falls into the ‘desirable' rather than the ‘necessary' category. As I'm sure you hear all the time nowadays with the public sector we have to really consider the value of all expenditure,” they said.
I asked Steve Durbin, vice president of sales and marketing at the Information Security Forum (ISF), whether there was much take up within its membership of DDoS protection technologies, or was it much of a concern for the ISF?
He said: “We've seen lots of noise about denial-of-service attacks, particularly as it has been clearly impacting the banks amongst others of late. That has no doubt raised the interest level and focus on what can be done to address these issues.
“I think it's fair to say that the large organisations, while targets, also have the resources in place most times to deal with the fall out, engage on forensics and try to increase their resilience and ability to deal with future attacks. Increasingly, we're seeing SMBs getting caught up in this or specifically being targeted if they form a critical part of the supply chain.
“They often do not have the skill sets or resources in place and so can be more at risk from ransomware attacks, denial-of-service, theft and the like.”
Durbin said that the answer lies with larger organisations, who he said needed to look at their supply chain potential liabilities and weak spots and help the SMBs they engage with.
“They can ensure that they have reasonable resilience and continuity plans in place,” he said.
“Then for us all to increase our levels of collaboration with suppliers, vendors, government bodies and customers since this is something that has the ability to affect us all.”
According to news last week by Prolexic, a vendor of DDoS protection services, it had stopped a 167Gbps attack against a real-time financial exchange platform, the largest single DDoS attack it has mitigated.
Scott Hammack, chief executive officer at Prolexic, said: “It's only a matter of time, possibly by the end of this quarter, before the 200Gbps marker is crossed. To keep pace with increasing attack sizes, Prolexic is continuing to build out its 800Gbps DDoS mitigation infrastructure and by the end of the year; we will have approximately 1.2Tbps of bandwidth on tap.”
The question is, could a business be knocked offline as Stratton suggested, or will they spend vital budget on technology for something that may not happen to them? That is the point of risk management, to understand what your standing is and your potential for being targeted.
With attacks in the 300Gbps range potentially happening again, and the evidence showing that DDoS attacks can use DNS servers rather than botnets, is this a case of when and not if?