Distributed denial of service (DDoS) attacks have been catapulted to the forefront of the cybersecurity community in recent months since becoming a weapon of choice among hacktivists and vandals. To help IT administrators across sectors gain a better understanding of this quickly evolving threat, analysts from Arbor Networks have released a comprehensive new report detailing the current state and future trajectory of the DDoS landscape.
In their most common form, these attacks essentially involve overwhelming an organization's website with extraneous external communication requests that, in effect, prevent servers from responding to legitimate traffic. This simple but effective tactic has helped cybercrime syndicate Anonymous disrupt websites hosted by PayPal, Citigroup and the FBI, among dozens of other high-profile targets. As Arbor analysts noted, these events have had a proselytizing effect on the hacking community that has led to the rapid escalation and evolution of DDoS attacks.
"What we saw in 2011 was the democratization of DDoS. Any enterprise operating online – which means just about any type and size of organization – can become a target because of who they are, what they sell, who they partner with or for any other real or perceived affiliations," explained Arbor Networks solutions architect and lead report author Roland Dobbins.
"Furthermore, the explosion of inexpensive and readily accessible attack tools is enabling anyone to carry out DDoS attacks. This has profound implications for the threat landscape, risk profile, network architecture and security deployments of Internet operators and Internet-connected enterprises."
One particularly notable trend for network operators to observe has been the marked increase in high-bandwidth DDoS attacks. Of the 114 global service providers surveyed by Arbor analysts, 25 percent indicated that their teams had observed an attack that exceeded the total bandwidth of their data centers – with the highest such occurrence commanding 60 gigabits per second. Report authors were careful to note, however, that even attacks in the vicinity of 10Gbps have been known to take a business offline.
Researchers have also observed an increase in the sophistication of application-layer and multi-vector DDoS attacks. More than 50 percent of survey respondents experienced application-layer attacks on their networks – and approximately 40 percent said that firewall failures were at least partially to blame. Additionally, this year's edition of the Arbor study saw the first-ever reports of IPv6 DDoS in the wild.
The success and evolution of these attacks seem to suggest that Internet security defenses of old are no longer sufficient, but a number of stubborn myths may be clouding the thinking of network administrators. A report released by the emergency response team at application security specialist Radware noted that commonly held perspectives across the cybersecurity community are providing several avenues for DDoS practitioners to exploit.
Among 135 IT professionals polled, three-quarters reported to Radware that their organizations have never experienced an attack greater than 1Gbps in magnitude. Logic would suggest that the larger the attack, the greater the potential damage. But in the case of DDoS, that is not necessarily true. As report authors noted, "a much smaller HTTP flood on the application level may do more damage than a larger [user datagram protocol] flood on the network."
This false sense of security likely goes hand in hand with organizations' failure to adapt their Internet security protocols. One of the largest misconceptions identified by Radware was the assumption that firewalls or intrusion prevention systems are sufficient on their own. In fact, these mechanisms became the source of the DDoS bottleneck in one-third of observed attacks.
There is also a lingering perception that "bend but don't break" strategies are best for mitigating DDoS damage. Instead, Radware experts advised taking a more offensive stance.
"This changes the rules in which the attacker always has the edge, and instead, levels the playing field," the report stated. "This can be done by identifying the attack tool used as the vehicle to carry the attack campaign and expose and exploit its inherent weaknesses to neutralize the attack tool in a 'passive,' non-intrusive way."
While this proposed resolution strategy sounds simple enough, its execution has become considerably more complicated in recent months as attackers diversify their arsenal.
The low orbit ion cannon (LOIC) DDoS attack tool has garnered the bulk of the attention from Internet security experts, considering its instrumental role in Anonymous' campaigns. In fact, the group has refined its use of the tactic to such a level in recent months that, according to Dark Reading, it can rope in unwitting participants who click on just one link posted to its Twitter feed.
But according to a complementary analysis conducted by Arbor researcher Curt Wilson, LOIC may be just another face in the crowd at this point. He was able to locate 55 different DDoS tools on his own, although that is likely a limited sample of what is publicly and commercially available to attackers.
"[Varieties included] single user flooding tools, small host booter, shell booters, Remote Access Trojans with flooding capabilities, simple DDoS bots, complex DDoS bots and some commercial DDoS services," Wilson noted. "Many types of threats can be blended into any given tool in order to make the tool more attractive and financially lucrative."
With such great variability in the motivations and tools driving DDoS attacks, no one strategy will keep a business safe from danger. But according to InformationWeek columnist Matthew Schwartz, the way forward must begin with the acknowledgement of one's vulnerability.
Anonymous has provided a blueprint for disgruntled Internet zealots to launch crippling attacks in a surprisingly cost-effective manner. As such, there is no longer an excuse for companies that act surprised when these threats arrive at their doorstep. Like any other potential vulnerability, however, DDoS can be accounted for and addressed with proper planning.
Schwartz suggests that focusing on the theme of resiliency – from network infrastructure through to applications – will serve a company well. Additionally, comprehensive visibility is needed to monitor baseline network activity, detect anomalies and localize performance bottlenecks. Finally, it may be wise to take advantage of having friends in high places. According to Schwartz, close relationships with Internet service providers will help companies resolve crises faster and get operations back online.
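The Radware observation above (a small HTTP flood doing more damage than a larger UDP flood) and the baseline-monitoring advice, as an added example that is not from either report: a bandwidth-only threshold beside a request-rate baseline, both run over constructed one-second traffic summaries. All traffic values and thresholds are constructed for illustration.

```python
"""Added example: why a bandwidth-only DDoS alarm misses application-layer floods.
Constructed data; not from the Arbor or Radware reports."""
from dataclasses import dataclass
from statistics import mean, pstdev

GBPS = 1_000_000_000


@dataclass(frozen=True)
class Sample:
    """One-second traffic summary for a site (constructed)."""
    second: int
    bits: int           # bits received on the link in this second
    http_requests: int  # HTTP requests the application handled in this second


def bandwidth_alerts(samples, threshold_bps=1 * GBPS):
    """The 'bigger is worse' view: alert only when link load crosses a fixed line."""
    return [s.second for s in samples if s.bits > threshold_bps]


def request_rate_alerts(samples, baseline, k=4.0):
    """Application-layer view: alert when requests/second leave the learned baseline
    by more than k standard deviations, regardless of how many bits that took."""
    mu = mean(b.http_requests for b in baseline)
    sigma = pstdev(b.http_requests for b in baseline) or 1.0
    return [s.second for s in samples if s.http_requests > mu + k * sigma]


def constructed_samples():
    # Baseline: quiet site, about 200 req/s at about 20 Mbps (constructed).
    baseline = [Sample(t, 20_000_000 + (t % 5) * 500_000, 200 + (t % 7))
                for t in range(60)]
    # Window A: low-bandwidth HTTP flood, 3000 req/s but only ~50 Mbps on the wire.
    http_flood = [Sample(60 + t, 50_000_000, 3000) for t in range(10)]
    # Window B: volumetric UDP flood at 2 Gbps; the request count is held flat
    # here so the two detectors can be compared on a single signal each.
    udp_flood = [Sample(70 + t, 2 * GBPS, 203) for t in range(10)]
    return baseline, http_flood + udp_flood


def detect():
    """Run both detectors over the observed window and return the seconds each flags."""
    baseline, observed = constructed_samples()
    return {
        "bandwidth_only": bandwidth_alerts(observed),   # flags only the UDP flood
        "request_rate": request_rate_alerts(observed, baseline),  # flags the HTTP flood
    }
```

The bandwidth alarm stays silent for the whole HTTP flood, which is the blind spot the Radware quote describes; only a baseline on the application's own request rate catches it.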
Security News from SimplySecurity.com by Trend Micro