The Truth about DDoS Attacks: Part 1

Distributed Denial of Service (DDoS) attacks are a plague on the Internet. In the last 5 years, the magnitude of DDoS attacks has steadily increased to the point that in a recent NYT interview Matthew Prince from CloudFlare compared DDoS attacks to “nuclear bombs” in their capacity to cause wide-spread damage. While, as the CEO of an Internet security company, Mr. Prince is guilty of some self-interested hyperbole there is no question that the amount of targeted and collateral damage from DDoS attacks continues to escalate. Not just individual websites but major hosting centers and regional Internet services are being compromised by these attacks. At the same time it only takes a small DDoS attack to disrupt the vast majority of websites on the Internet. In this article, we will examine the scope of the DDoS problem and then make suggestions on the best ways of dealing with this threat if you have a business-critical website.

Both the frequency and amplitude of DDoS attacks have risen rapidly in the last five years. Figure A shows the average growth of DDoS attacks as well as the peak size of attacks monitored by Arbor Networks since 2009.¹ Given that 100 Mbps of sustained traffic will grind the vast majority of websites to a halt, today’s average-sized DDoS attack of 1 Gbps (i.e. 100 Mbps x 10) is almost always fatal to its intended target.

Moreover, as an attack grows beyond 100 Mbps the likelihood of collateral damage increases rapidly. Any inbound or outbound attack 100 Mbps or larger is very likely to “sideswipe” other sites sharing hosting infrastructure with the target website. The extent of the collateral damage will depend on the exact nature of the hosting solution and the hosting provider’s system architecture. The more shared and the less distributed the architecture is, the greater the risk of collateral damage. Attacks in the 5 to 10 Gbps range are likely to cause significant collateral damage to all sites hosted in the same datacenter. Attacks in the 50-100 Gbps range are likely to cause serious issues for the world’s largest hosting facilities as well as
regional Internet services.

Major Internet hubs routinely handle Tbps of Internet traffic and, therefore, remain responsive through even the largest attacks. However, even these hubs may be threatened in the future as the peak amplitude of DDoS attacks increases through: the ongoing development of more powerful DDoS tools and techniques; the possibility of a state-sponsored attack; and the global explosion of broadband connected wireless devices which offers a powerful new platform for high-powered DDoS attacks.

It is not just the growing amplitude of DDoS attacks that is concerning but also their increased frequency. For every high profile DDoS attack reported in the mainstream media – such as the recent massive and sustained attack on Spamhaus – there are thousands of DDoS attacks that go unreported every day. For example, between 2009 and 2011 Akamai reported a 2,000% increase in DDoS attacks over its network which handles between 15% and 30% of the Internet’s total traffic.² A newly released study conducted by the Poneman Institute and Radware claimed that as many as 65% of organizations were the victim of at least three DDoS attacks in the past 12 months.³ Some network and hosting providers claim to see hundreds of DDoS attacks per month and these are only the ones big enough to get noticed.

This rise in frequency is mainly due to three factors: 1) the ease by which an effective DDoS attack can be launched. You can download a readily available DDoS tool to do it yourself or contract a “hacker-for-hire” to attack the target of your choice for about $5 to $10 per hour; 2) the emergence of DDoS attacks as a form of political protest; 3) and the continued growth of international
cyber-crime.⁴

DDoS attack vectors tend to fall into one of three broad categories:

1. Volumetric Attacks: These attacks are about causing congestion. They attempt to consume a target’s available hosting resources and are typically executed using botnets to generate a high volume of http/s page requests. Attacks on VoIP and authoritative DNS servers are also popular ways to disrupt service. Recently the magnitude of volumetric DDoS attacks has increased significantly by leveraging the recursive function of tens of thousands of misconfigured DNS servers on the Internet to “amplify” attacks.⁵ This development represents another escalation in the ability of DDoS attacks to cause wide-spread collateral damage.

2. TCP State-Exhaustion Attacks: These attacks attempt to consume the connection state tables that are present in many infrastructure components, such as load balancers, firewalls and the web application servers. Even high-capacity devices capable of maintaining the state of millions of connections can be taken down by these attacks. Since 2011 there has been a rise in this type of attack on datacenter-level devices in an attempt to maximize collateral damage.⁶

3. Application-Layer Attacks: These attacks target a weakness in a particular web application. They are the most sophisticated, stealthy-type of DDoS attacks because they can be very effective without generating abnormal amounts of traffic. This “low and slow” approach makes the attack very difficult to detect using traditional volumetric detection mechanisms. Recently, Kevin Kennedy, Senior Director of Product Management at Juniper Networks, noted in a blog post: “Forget armies of bots, a single PC was enough to generate a small, well targeted attack that took down one of the e-tailers in Europe within 2 minutes. And precisely because it was so small, it was lost in the noise of legitimate user traffic, taking a full day to identify and remediate and putting $10M of sales at risk.”⁷

In a recent survey by Arbor Networks, almost double the number of respondents reported multi-vector DDoS attacks (27% to 46%) in 2012 over 2011. This is a dangerous trend
as multi-vector attacks put additional strain on security resources and requires an expertly managed “defence-in-depth” security strategy and response plan to mitigate effectively.

While collateral damage is rising with the increased amplitude and frequency of DDoS attacks, the scope of DDoS targets also remains broad. Although the favoured targets remain e-commerce and gaming sites, all types of sites are attacked and often for no discernible reason. See Figure C.

At the same time, a strong majority of organizations recognize that any service disruption for any reason would have a significant impact on their business. See Figure D. Taken together, these factors – the increased frequency and amplitude of DDoS attacks, the wide scope of targets, and the increased sensitivity of organizations to DDoS attacks – mean increased business risk for most organizations and a thriving DDoS mitigation industry.

We will now explore how a “defence-in-depth” approach is necessary to protect your business-critical website from both infrastructure and application-level DDoS
attacks. Read part 2 of this article

1 – All graphs used in the article were taken from Arbor Network’s Worldwide Infrastructure Security Report, 2012 Volume VIII

2 – See http://www.circleid.com/posts/20120131_ddos_attacks_increased_by_2000_percent_in_past_3_
years/

3 – See http://www.securitybistro.com/blog/?p=3683

4 – It should be noted that most DDoS attacks are not reported to law enforcement because of a lack of time and resources, low
confidence in the efficacy of law enforcement, and corporate policy.

5 – See http://news.techworld.com/security/3407339/open-dns-resolvers-used-to-amplify-ddos-attacks-hide-original-source/

6 – See http://pages.arbornetworks.com/rs/arbor/images/WISR2012_EN.pdf

7 – See http://forums.juniper.net/t5/Security-Mobility-Now/It-s-Not-Size-But-Sophistication-That-Matters/ba-p/185087