DDoS: the rise from obscurity

2006-10-01

Danny McPherson

Arbor Networks, UK
Editor: Helen Martin

Abstract

'The cost of a DDoS attack can be substantial – they can last hours, weeks and even months, and are capable of bringing unprotected organizations to a grinding halt.' Danny McPherson, Arbor Networks.


Six years ago, a flurry of high-profile news articles and research papers reported on the emergence of DDoS attacks. Research released by Arbor Networks at the end of September revealed that DDoS attacks are the most significant security threat facing ISPs today.

Arbor's Worldwide Infrastructure Security Report, a survey conducted in cooperation with the security operations community of the major ISPs, revealed that 46% of surveyed operators now dedicate more resources to addressing DDoS issues than any other security threat.

Respondents also reported a continued growth in the frequency and magnitude of DDoS attacks. ISPs now regularly experience attacks beyond the capacity of core backbone circuits in the 10–20Gbps range. This trend has been driven globally by a proliferation of broadband Internet connectivity and network convergence.

The rise in DDoS attacks reflects a change in the motivation of cyber criminals – Internet-based threats have taken on a more malevolent and sophisticated nature. DDoS attacks are launched with the sole aim of overwhelming a company's website or server by bombarding it with packets of data, usually in the form of web requests, making the site unavailable to regular users until some fee is paid to the attacker. Unlike single-source attacks – which can be stopped relatively easily – the attacker compromises a number of host computers as a command and control infrastructure, which, in turn, control thousands of other computers that operate as agents for the assault. These infected host computers ('zombies' or 'bots') flood the victim's website with requests for information – creating a vast and continuous stream of data that overwhelms the target site, thus preventing it from providing normal service.

The cost of a DDoS attack can be substantial – they can last hours, weeks and even months, and are capable of bringing unprotected organizations to a grinding halt. The frequency and size of DDoS attacks is increasing at a dramatic rate. Sixty-four per cent of respondents reported having suffered attacks greater than 4Gbps, and nearly 30% suffered attacks greater than 10Gbps. Yet, despite an average of 40 customer-impacting attacks per month, most attacks go unreported to the police, primarily because there is a widespread belief that such bodies do not have the power or means to assist.

All businesses with an online property must implement the necessary preventative measures to mitigate the threat of a DDoS attack. A comprehensive approach to security must be implemented to combat these attacks. Not only should a multi-layered security strategy be instilled at enterprise level, but companies must also work with their ISPs to ensure that they too have taken preventative measures.

It is essential that companies share information about DDoS attacks if they are to be stopped. Such assaults cannot be fought alone and a collaborative effort is vital. Today this cooperation is achieved through direct back-channel communication between security engineers with interpersonal relationships at different providers, and grassroots efforts by network security vendors such as Arbor Networks' Fingerprint Sharing Alliance (FSA). A number of major ISPs have joined the FSA which enables them to share detailed attack information in real time and block attacks closer to the source. Once an attack has been identified by one company, the other ISPs in the Alliance are sent the 'fingerprint', enabling them to identify and remove infected hosts quickly from the network.

Alliances such as the FSA are helping to break down communication barriers and mark a significant step forward in the fight against cyber criminals. However, it is imperative that the culture of cooperation between providers continues to prevail, as it is vital that ISPs work together to prevent and mitigate DDoS attacks and other bot-related activities. However, as the market becomes increasingly competitive, there is a danger that the ISPs will become less cooperative – a trend that will play into the hands of increasingly sophisticated attackers.

