As DDoS attacks mature, hope-and-pray prevention proves obsolete

The old methods just don't work

We can trace the history of distributed denial of service (DDoS) attacks back at least 14 years. In the final days of the 1990s, the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon warned of a new threat: tools that used distributed technology to create large networks of hosts and launch coordinated packet flooding attacks.

Few paid attention to the warning. Ever since that initial red flag from CERT, we've seen the missions and methods of DDoS attackers mature. DDoS incidents now occur frequently, but companies have failed to do more than perform perfunctory risk analyses, except in the instances in which there is a major political or economic risk (instances which are becoming more frequent as well). Claiming budget pressures, businesses continue to cling to hope-and-pray approaches when it comes to DDoS, rather than deploying effective prevention technology.

Unfortunately, as any student of history knows, if you ignore the past, it will revisit you in the future.

The short, escalating history of DDoS attacks

Since DDoS first cropped up in 1999, attackers' motivations have rapidly evolved:

  • 2000: Criminals use DDoS for their own amusement and vanity.
  • 2003: Attackers leverage DDoS for extortion and competitive gain.
  • 2007: DDoS plays a role in political opposition movements.
  • 2008: Hacktivists use DDoS attacks to make idealistic statements.
  • 2013: DDoS grows up through the use of new vectors.
  • 2014: DDoS becomes a tool for cyberterrorists.

Modern attacks include those against US financial institutions, which have reportedly exceeded 50 Gbps in volume. Earlier this year, an NTP distributed reflection denial of service (DrDoS) attack larger than 400 Gbps was recorded. NTP attacks are a type of DrDoS in which an attacker spoofs the target's IP address and sends malicious requests for time synchronization to open NTP servers, whose replies are then delivered to the target rather than the attacker. Large telecommunications carriers are seeing DDoS incidents affect their infrastructures.
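The NTP reflection pattern described above can be spotted at a network edge from flow records alone. The following is an added example (not code from the article): it assumes NetFlow-style records as simple tuples, and that a legitimate NTP reply is a 48-byte UDP payload (roughly 90 bytes on the wire), so a host receiving much larger UDP/123 packets from many distinct servers at once is the spoofed victim of a reflection attack.

```python
"""Flag hosts that look like victims of NTP reflection (DrDoS) from flow records."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


NTP_PORT = 123
NORMAL_NTP_PKT = 90        # assumed on-wire size of a plain 48-byte NTP reply
MIN_REFLECTORS = 20        # distinct NTP servers before we call it reflection
MIN_AMPLIFICATION = 4.0    # average packet size relative to a normal reply


def detect_ntp_reflection(flows: Iterable[Flow], min_reflectors: int = MIN_REFLECTORS,
                          min_amp: float = MIN_AMPLIFICATION) -> Dict[str, Tuple[int, float, int]]:
    """Return {victim_ip: (reflector_count, avg_packet_bytes, total_bytes)}.

    Only UDP flows whose *source* port is 123 are considered: those are replies
    from NTP servers, which is what a reflection victim sees arriving.
    """
    per_victim = defaultdict(lambda: [set(), 0, 0])  # reflectors, packets, bytes
    for f in flows:
        if f.proto != "udp" or f.src_port != NTP_PORT:
            continue
        entry = per_victim[f.dst_ip]
        entry[0].add(f.src_ip)
        entry[1] += f.packets
        entry[2] += f.bytes
    hits = {}
    for victim, (reflectors, pkts, nbytes) in per_victim.items():
        avg = nbytes / pkts if pkts else 0.0
        if len(reflectors) >= min_reflectors and avg >= min_amp * NORMAL_NTP_PKT:
            hits[victim] = (len(reflectors), avg, nbytes)
    return hits


def constructed_sample() -> List[Flow]:
    """Constructed flows: 30 reflectors sending 482-byte replies to 203.0.113.10,
    plus one benign client/server exchange of normal-sized packets."""
    flows = [Flow(f"198.51.100.{i}", 123, "203.0.113.10", 51000 + i, "udp", 500, 500 * 482)
             for i in range(1, 31)]
    flows.append(Flow("192.0.2.1", 123, "203.0.113.20", 123, "udp", 10, 900))  # normal replies
    flows.append(Flow("203.0.113.20", 123, "192.0.2.1", 123, "udp", 10, 900))  # normal queries
    return flows
```

The thresholds are tuning knobs for the operator's own baseline; the combination of many distinct reflectors and oversized replies is what separates an attack from a busy but healthy NTP client.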

Just this summer, Code Spaces, a code hosting service, was forced to permanently close its business after a multifaceted cyberattack – DDoS included – resulted in hackers deleting the majority of the company's data and backups. Even more recently, cyber attackers brought down Sony's online gaming network through a DDoS attack, and grounded a plane carrying the company's president by issuing a bomb threat.

What's it going to take for organizations to recognize the gravity of these attacks and move more decisively on DDoS prevention?

When attacks occur

As these attacks continue, the kinds of victims affected grow as well. Today's sophisticated DDoS attackers collect as many as tens of thousands of infected or poorly configured clients and servers. With the ability to control or manipulate those servers and make them inaccessible on the Internet, attackers can take a system or even an entire network offline. The targeted organization might be the primary victim, but it's not the only one. When these sites go down, consumers can't rely on the Internet for commerce, and companies take a hit to their reputations and sales numbers. Internet infrastructure providers suffer latency, saturation and outages as malicious traffic floods peering points and transoceanic cables.

At the government level, law enforcement agencies and military organizations spend billions of dollars to protect public infrastructure, diverting tax revenue and defense resources from other projects. When hacktivist groups target these political bodies or financial institutions, making aggressive demands to accompany their cyberattacks and acting on extreme impulses, it becomes a matter of national security even beyond that of the initial profit and productivity concerns. In the broadest view of victims, DDoS impacts whole societies, which struggle with destabilized Internet access and the potential for wider economic catastrophe.

Taking precautions to deal with inevitable DDoS attacks

Information security managers routinely evaluate these kinds of risks and determine the potential costs of mitigating them. Surprisingly, many teams still decide to ignore these threats, adopt prevention plans that aren't strong enough to be effective, or put off investments until they are attacked. For infrastructure providers especially, these so-called strategies are dangerous. Too many of these companies erroneously believe that they can protect themselves from DDoS by dropping customers that court attack through abusive behavior. However, debilitating DDoS attacks can affect any company, regardless of its business practices or size.