2006-10-01
Abstract
'The cost of a DDoS attack can be substantial – they can last hours, weeks and even months, and are capable of bringing unprotected organizations to a grinding halt.' Danny McPherson, Arbor Networks.
Copyright © 2006 Virus Bulletin
Six years ago, a flurry of high-profile news articles and research papers reported on the emergence of DDoS attacks. Research released by Arbor Networks at the end of September revealed that DDoS attacks are the most significant security threat facing ISPs today.
Arbor's Worldwide Infrastructure Security Report, a survey conducted in cooperation with the security operations community of the major ISPs, revealed that 46% of surveyed operators now dedicate more resources to addressing DDoS issues than any other security threat.
Respondents also reported a continued growth in the frequency and magnitude of DDoS attacks. ISPs now regularly experience attacks beyond the capacity of core backbone circuits in the 10–20Gbps range. This trend has been driven globally by a proliferation of broadband Internet connectivity and network convergence.
The rise in DDoS attacks reflects a change in the motivation of cyber criminals – Internet-based threats have taken on a more malevolent and sophisticated nature. DDoS attacks are launched with the sole aim of overwhelming a company's website or server by bombarding it with packets of data, usually in the form of web requests, making the site unavailable to regular users until some fee is paid to the attacker. In contrast to single-source attacks – which can be stopped relatively easily – in a DDoS attack the attacker compromises a number of host computers to act as a command and control infrastructure; these, in turn, control thousands of other computers, which operate as agents for the assault. These infected host computers ('zombies' or 'bots') flood the victim's website with requests for information – creating a vast and continuous stream of data that overwhelms the target site, thus preventing it from providing normal service.
The cost of a DDoS attack can be substantial – they can last hours, weeks and even months, and are capable of bringing unprotected organizations to a grinding halt. The frequency and size of DDoS attacks are increasing at a dramatic rate. Sixty-four per cent of respondents reported having suffered attacks greater than 4Gbps, and nearly 30% suffered attacks greater than 10Gbps. Yet, despite an average of 40 customer-impacting attacks per month, most attacks go unreported to the police, primarily because there is a widespread belief that such bodies do not have the power or means to assist.
All businesses with an online property must implement the necessary preventative measures to mitigate the threat of a DDoS attack. A comprehensive approach to security is needed to combat these attacks. Not only should a multi-layered security strategy be put in place at enterprise level, but companies must also work with their ISPs to ensure that they too have taken preventative measures.
It is essential that companies share information about DDoS attacks if they are to be stopped. Such assaults cannot be fought alone and a collaborative effort is vital. Today this cooperation is achieved through direct back-channel communication between security engineers with interpersonal relationships at different providers, and grassroots efforts by network security vendors such as Arbor Networks' Fingerprint Sharing Alliance (FSA). A number of major ISPs have joined the FSA, which enables them to share detailed attack information in real time and block attacks closer to the source. Once an attack has been identified by one company, the other ISPs in the Alliance are sent the 'fingerprint', enabling them to identify and remove infected hosts quickly from the network.
Alliances such as the FSA are helping to break down communication barriers and mark a significant step forward in the fight against cyber criminals. It is imperative that the culture of cooperation between providers continues to prevail, as it is vital that ISPs work together to prevent and mitigate DDoS attacks and other bot-related activities. However, as the market becomes increasingly competitive, there is a danger that the ISPs will become less cooperative – a trend that will play into the hands of increasingly sophisticated attackers.