We can trace the history of distributed denial of service (DDoS) attacks back at least 14 years. In the final days of the 1990s, the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon warned of a new threat: tools that used distributed technology to create large networks of hosts and launch coordinated packet flooding attacks.
Few paid attention to the warning. Ever since that initial red flag from CERT, we've seen the missions and methods of DDoS attackers mature. DDoS incidents now occur frequently, but companies have failed to do more than perform perfunctory risk analyses, except in the instances in which there is a major political or economic risk (instances which are becoming more frequent as well). Claiming budget pressures, businesses continue to cling to hope-and-pray approaches when it comes to DDoS, rather than deploying effective prevention technology.
Unfortunately, as any student of history knows, if you ignore the past, it will revisit you in the future.
The short, escalating history of DDoS attacks
Since DDoS first cropped up in 1999, attackers' motivations have rapidly evolved:
- 2000: Criminals use DDoS for their own amusement and vanity.
- 2003: Attackers leverage DDoS for extortion and competitive gain.
- 2007: DDoS plays a role in political opposition movements.
- 2008: Hacktivists use DDoS attacks to make idealistic statements.
- 2013: DDoS grows up through the use of new vectors.
- 2014: DDoS becomes a tool for cyberterrorists.
Modern attacks include those against US financial institutions, which have reportedly exceeded 50 Gbps in volume. Earlier this year, an NTP distributed reflection denial of service (DrDoS) attack larger than 400 Gbps was observed. NTP attacks are a type of DrDoS in which an attacker forges the target's IP address as the source of time-synchronization requests sent to open NTP servers, so that the servers' replies are directed at the target. Large telecommunications carriers are seeing DDoS incidents affect their infrastructures.
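To make the reflection mechanism concrete from the defender's side, here is an added example (not from the article or its author) that flags hosts receiving unsolicited, oversized NTP replies in NetFlow-style records; the record layout, the constructed sample flows, the protected prefix and the alert thresholds are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NTP_PORT = 123
NTP_PAYLOAD = 48  # bytes in a normal NTP client/server packet (RFC 5905)

@dataclass(frozen=True)
class Flow:  # NetFlow-style record; field names are assumptions for this example
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    octets: int

def detect_ntp_reflection(flows, protected, window_secs, min_reflectors=5, min_mbps=100.0):
    """Map victim IP -> summary for hosts in `protected` that receive NTP replies
    they never requested. Reflected UDP/123 traffic has no matching outbound
    request, arrives from many sources, and its packets are far larger than a
    normal 48-byte NTP reply."""
    net = ip_network(protected)
    # Requests our hosts actually sent: (our host, NTP server) pairs.
    solicited = {(f.src, f.dst) for f in flows
                 if f.proto == "udp" and f.dport == NTP_PORT and ip_address(f.src) in net}
    inbound = defaultdict(lambda: {"reflectors": set(), "packets": 0, "octets": 0})
    for f in flows:
        if f.proto != "udp" or f.sport != NTP_PORT or ip_address(f.dst) not in net:
            continue
        if (f.dst, f.src) in solicited:
            continue  # reply to a request we observed: legitimate
        agg = inbound[f.dst]
        agg["reflectors"].add(f.src)
        agg["packets"] += f.packets
        agg["octets"] += f.octets
    alerts = {}
    for victim, agg in inbound.items():
        mbps = agg["octets"] * 8 / window_secs / 1e6
        avg_pkt = agg["octets"] / agg["packets"]
        if len(agg["reflectors"]) >= min_reflectors or mbps >= min_mbps:
            alerts[victim] = {"reflectors": len(agg["reflectors"]), "mbps": round(mbps, 1),
                              "avg_pkt_bytes": round(avg_pkt),
                              "amplified": avg_pkt > 2 * NTP_PAYLOAD}
    return alerts

# Constructed sample: one legitimate exchange, one stray reply, one reflected flood (60 s window).
SAMPLE = [
    Flow("203.0.113.10", 49152, "192.0.2.5", NTP_PORT, "udp", 1, 76),   # our request
    Flow("192.0.2.5", NTP_PORT, "203.0.113.10", 49152, "udp", 1, 76),   # its reply
    Flow("192.0.2.7", NTP_PORT, "203.0.113.30", 40000, "udp", 1, 76),   # single stray reply
] + [Flow(f"198.51.100.{i}", NTP_PORT, "203.0.113.20", 80, "udp", 200_000, 93_600_000)
     for i in range(1, 11)]                                              # 10 open reflectors

if __name__ == "__main__":
    print(detect_ntp_reflection(SAMPLE, "203.0.113.0/24", window_secs=60))
```

The reflector set for a flagged victim is what you hand to the upstream carrier for filtering and to the abuse contacts of the open servers.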
Just this summer, Code Spaces, a code hosting service, was forced to permanently close its business after a multifaceted cyberattack – DDoS included – resulted in hackers deleting the majority of the company's data and backups. Even more recently, cyber attackers brought down Sony's online gaming network through a DDoS attack, and grounded a plane carrying the company's president by issuing a bomb threat.
What's it going to take for organizations to recognize the gravity of these attacks and move more decisively on DDoS prevention?
When attacks occur
As these attacks continue, the kinds of victims affected grow, as well. Today's sophisticated DDoS attackers collect as many as tens of thousands of infected or poorly-configured clients and servers. With the ability to control or manipulate those servers and make them inaccessible on the Internet, attackers can take a system or even an entire network offline. The targeted organization might be the primary victim, but it's not the only one. When these sites go down, consumers can't rely on the Internet for commerce, and companies take a hit to their reputations and sales numbers. Internet infrastructure providers suffer latency, saturation and outages as malicious traffic saturates peering points and transoceanic cables.
At the government level, law enforcement agencies and military organizations spend billions of dollars to protect public infrastructure, diverting tax revenue and defense resources from other projects. When hacktivist groups target these political bodies or financial institutions, making aggressive demands to accompany their cyberattacks and acting on extreme impulses, it becomes a matter of national security even beyond that of the initial profit and productivity concerns. In the broadest view of victims, DDoS impacts whole societies, which struggle with destabilized Internet access and the potential for wider economic catastrophe.
Taking precautions to deal with inevitable DDoS attacks
Information security managers routinely evaluate these kinds of risks and determine the potential costs of mitigating them. Surprisingly, many teams still decide to ignore these threats, adopt prevention plans that aren't strong enough to be effective, or put off investments until they are attacked. For infrastructure providers, these so-called strategies are particularly dangerous. Too many of these companies erroneously believe that they can protect themselves from DDoS by dropping customers that court attack through abusive behavior. However, debilitating DDoS attacks can affect any company, regardless of its business practices or size.
One need only look at the experience of an Internet relay chat (IRC) company in the fall of 2013. The company was targeted by a 243.79 Gbps (63.78 million packets per second) DDoS attack, an onslaught that few businesses could withstand without a previously-established DDoS prevention plan. Luckily, the company had proactively implemented DDoS mitigation technology, and it was able to quickly clean and send authentic traffic to its network without any outages. Had this IRC company waited until it needed DDoS prevention, it might have found it far too expensive – in several ways – to survive the attack.
Consider this typical series of post-DDoS events. A company's website might begin to slow and then quickly come to a complete halt. Within two minutes of an attack's start, the IT team scrambles to determine the cause of its website troubles, commerce on the site ends and revenue begins to fall. In the meantime, escalation teams focus on the Web server and network routers in search of an explanation for the outage, while an engineer goes to the data center to examine the edge router. That's likely the point at which he calls the carrier, but usually without success, since lines go down due to the volume of emergency calls coming in.
In this scenario, customers panic within the first hour of the outage. They share rumors and frustration across social networks. In response, the company's management team makes a move for mitigation services, and finds that emergency rates are heavily inflated. However, they have little choice but to pay. Even if the mitigation company restores service within three hours of the attack, the damage is done. A company in this situation might lose $2 million in revenue during those three hours. At a 40% margin, that three-hour outage costs $267,000 in lost profit and $360,000 in emergency mitigation services. That cost doesn't include staff time or long-term reputation damage, which can be significant.
DDoS attackers have quickly matured in their motivations and their technological prowess, no longer satisfied with fulfilling personal vendettas but now pursuing larger political agendas with more drastic goals. Potential victims need to mature, as well. Companies can't continue to rely on the same non-prevention they clung to in the past. Because moments matter from the very beginning of a DDoS event, organizations need to increase their prevention capabilities before they need them. "It's not in the budget" or "it won't happen to us" are no longer viable reasons for delay.
- Jeffrey Lyon is Co-Founder of Black Lotus Communications