With a spate of high profile and highly successful DDoS attacks in recent months, there's little doubt that DDoS is a threat to be reckoned with. But who is behind the wheel, and are they driving us towards DDoS Armageddon?
According to the latest Worldwide Infrastructure Security Report from Arbor Networks, DDoS attack sizes are growing (up 20 percent to a peak of 500Gbps) along with attack volumes. Indeed, 51 percent of DDoS-targeted organisations reported complete saturation of their bandwidth, a 35 percent rise from 2014.
Which is hardly surprising when there's good money to be made out of DDoS. Ransoms are certainly a potential driver, even if you discard the misreported £1 million demanded of Lincolnshire County Council that turned out, in reality, to be just £500.
When Skyhigh Networks researched this, it discovered a quarter of organisations would pay ransoms to prevent an attack, and in fact 14 percent would pay as much as $1 million.
However, is this psychology of paying to avoid becoming a victim, rather than accepting the need for adequate investment in technical defences, perhaps a big part of the problem when it comes to DDoS motivation?
The tools to launch a successful attack are becoming at once both more accessible and more powerful.
Forget DDoS as the realm of the hacktivist first – it seems we may have gone full circle to return to the days of virtual extortion by the organised criminal enterprise.
At least that's what you might think, but is it actually the case? There have been claims that two attacks in particular, on the BBC last year and HSBC last week, were simply testing grounds for attack capacity rather than extortion attempts, smokescreens for other cyber-crime or just for the lulz.
Given that these are huge organisations with plenty of financial resources and technical clout to throw at DDoS attack mitigation, it certainly has raised the bar when it comes to what we can expect.
It has also left us wondering who was doing the testing and for what ultimate payload? Could it be cyber-crime related (maybe as 'marketing' for a DDoS for hire service) or a state-sponsored actor (flexing its muscle) or something else?
"With DDoS techniques ranging from botnets to brute force attack campaigns to low bandwidth, sophisticated application-layer attack mechanisms, the reality is that the motivations for these attacks can be totally random, or purposefully targeted," admits Dave Larson, chief operating officer at Corero.
In conversation with SCMagazineUK.com Larson suggested the motive for the attacks in the case of the BBC and HSBC may well "simply be to prove the capability in order to monetise it by selling it as a service to other individuals or organised crime syndicates".
The bottom line, according to Larson, is that attacks of this size and the ability to utilise them to take virtually any company offline is a reality that anyone with an online presence must prepare for.
However, Jamal Elmellas, technical director at Aurig, thinks it "highly unlikely that an organisation would test such a tool on live systems, particularly one as large and mature as HSBC".
Elmellas told SC that the attack is most likely to have come from one of three sources: "organised crime trying to test the effect on share value or mask data theft; hacktivists, although I think this is less likely; and individuals 'because they can'." Of these, his money would be on the organised crime option.
Of course, the organised crime theory is the most plausible but incredibly challenging to leverage. That said, despite the HSBC share value spiking on the day, it has since dropped to a two-week low. So who knows, maybe that was it?
Looking beyond the HSBC attack, the question of who is driving DDoS in general opens up some interesting avenues. "Recent attacks have indicated that some industry sectors whose sole income is transacted via web servers are looking at freezing out the competition during key periods," said John Williams, cyber-security expert at Node4, "orchestrating multiple DDoS attacks at their competitors thus scooping up customers left bereft of their regular providers."
Giles Barford, senior security consultant with ANSecurity, warns that we will likely see "more and more hybrid techniques where people use both slow and low style attacks with volumetric", adding that these will appear as huge numbers of users accessing various parts of your website, which causes high load.
"They will be very difficult to stop as they will be hard to discern from legitimate users," Barford insists. "They will definitely require human intervention to block, as the automated detection tools will struggle with blocking them."
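To make Barford's point concrete, here is an added illustration (not code from the article or from any vendor quoted in it) of why a classic per-source rate threshold misses a distributed slow-and-low campaign while a site-wide view of held connections still shows the load. All log records below are constructed, and the thresholds are assumed values chosen for the illustration.

```python
# Constructed access records: (source_ip, request_path, seconds the connection was held)
# LEGIT: 40 ordinary visitors, each making one quick request.
LEGIT = [(f"10.0.0.{i}", f"/page/{i % 5}", 0.2) for i in range(1, 41)]
# SLOW: 200 distinct sources, each making a single request that holds a
# server worker for 90 seconds (the "slow and low" pattern, spread widely).
SLOW = [(f"198.51.100.{i}", f"/search?q={i}", 90.0) for i in range(1, 201)]


def per_source_rate_alerts(records, max_requests=20):
    """Classic per-IP rate limiting: flag any source sending more than
    max_requests in the window. Assumed threshold for illustration."""
    counts = {}
    for ip, _path, _secs in records:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n > max_requests)


def held_connection_seconds(records, min_seconds=30.0):
    """Site-wide total of connection-seconds held by long-lived requests,
    a proxy for how much server worker capacity is tied up."""
    return sum(secs for _ip, _path, secs in records if secs >= min_seconds)


def slow_connection_alert(records, worker_capacity_seconds=600.0):
    """Flag when long-held connections, summed across ALL sources, exceed the
    assumed worker capacity for the window. This fires on the aggregate, so
    it says the site is under load but not which sources to block; that gap
    is where the human analysis Barford describes comes in."""
    held = held_connection_seconds(records)
    return held > worker_capacity_seconds, held


if __name__ == "__main__":
    traffic = LEGIT + SLOW
    print("per-source alerts:", per_source_rate_alerts(traffic))  # [] -> nothing flagged
    print("aggregate alert:", slow_connection_alert(traffic))     # (True, 18000.0)
```

Every attacking source stays under the per-IP limit, so the rate rule returns nothing, while the aggregate check fires only after the pool of held connections has already grown large.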
As Williams says, DDoS has evolved to become a more sophisticated disruptive methodology, forming one of the many hacking tools in the kitbag of criminals. "Protecting against such risks has now become a mandatory consideration every business must consider," Williams concludes.
So are we facing a DDoS Armageddon then? Not according to Dave Larson. We put it to him that if an HSBC-sized organisation cannot successfully mitigate against a DDoS attack, can anyone?
Given that the Arbor report claims that three-quarters of service providers can mitigate DDoS attacks in 20 minutes or less, what did HSBC likely do wrong that it should have done better?
"Unfortunately, legacy security defenses are not adequate to defeat this type of cyber attack," Larson told us. "The confirmed DDoS attack and subsequent outage against HSBC's online banking portal further validate this."
Larson reckons organisations must turn to automatic, in-line DDoS mitigation, which negates the flood of attack traffic at the Internet edge, eliminating service outages and the potentially more damaging data-breach activity that can follow.
"DDoS mitigation should not require human intervention or reactive countermeasures to remove the attack traffic from impacting the target victim," Larson stated. "Twenty minutes from detection to mitigation should not be considered successful."
With automatic mitigation, good user traffic continues to flow uninterrupted, while malicious traffic is dropped without human intervention or reactive countermeasures.
In other words, proactive defence should be the backbone of any DDoS protection plan, regardless of industry, and the Armageddon scenario should be easy enough to avoid. Which still leaves us wondering, in that case, why it wasn't for HSBC, the BBC and so many others…