Preventing DDoS armageddon

Davey Winder ponders how large a DDoS attack would have to be to take down multiple providers, and asks what businesses can do to protect themselves.

A recent blog by Carlos Morales, vice president of global sales engineering and operations at Arbor Networks, discussed the likelihood of a "DDoS Armageddon" attack.

Morales asked how big an attack would have to be to take down even the most prepared service provider, and suggested that Armageddon-style attacks of that magnitude could be on the horizon.

In the post, Morales addressed the metrics – such as how to measure a DDoS attack in bandwidth and packet terms – as well as detailing how Arbor's ATLAS system has seen attacks as high as 101.4 Gbps (bandwidth) and 139.7 Mpps (packets).

It should come as no surprise there have been DDoS attacks capable of overwhelming an average 10 Gbps datacentre for many years now. An Armageddon attack, however, is defined as one that can take down the host target provider, as well as all of the other providers in between.

Morales argued that a 1 million host botnet could theoretically generate a DDoS attack in the region of 1 Tbps.

"Attacks of that magnitude would have a profound effect on the internet as a whole, exploiting bottlenecks in many places simultaneously," Morales said.

"No single service provider, even the largest tier ones, would be able to handle all this traffic without adversely affecting their user base."

But what do other security experts have to say about the likelihood of a “DDoS Armageddon” and what businesses can do to prepare themselves for this? IT Pro has been finding out.

Expert security

Professor John Walker, chair of London chapter ISACA Security Advisory Group, said DDoS attacks are costing companies dearly, in terms of downtime, operability and ransom payments, if firms decide to try and pay off their attackers.

“During a high value window of operations, even the threat of a DDoS attack will send shivers down the spine of most online trading organisations, with a £30,000 payout [for example] being a drop in the ocean compared to the potential lost revenue,” said Walker.

“For the ill-prepared and unimaginative CISO, the pay-off option may prove to be the most painless, [although] you can be sure to bet on one certainty – once you have traded with criminality – the likelihood is they, or some other like-minded group, will add your name to their address book for a future visit.”

Over the last 12 months, the School of Science and Technology at Nottingham Trent University have been running a research project to monitor DDoS attack patterns across the globe, revealed Walker.

“China is considered an aggressor, they also enjoy aggressive focus on their own logical borders, sustaining high volume attack conditions each and every day,” he said.

"And by inference, it was also evidenced on occasions where some physical events have occurred against a certain area, as with Hurricane Sandy, that the weakened state of a target offers the opportunity to leverage a heightened condition of cyber attacks in the form of a DDoS.

“It has also been noted that, as peak trading periods get closer, there is also a window of opportunity in which to ramp up the levels of DDoS attacks.”

People’s reliance on e-commerce sites and social media has also made many sites legitimate and high-value targets to DDoS attackers, said Walker.

“We have got used to migrating everything online where we are able to make available product, solution or service. However, this route to cost reduction, flexibility, and ease of use, also arrived with the baggage of criminal intent.

“While it is in the business interest to enjoy the privilege of delivering online access to the designated client base, there are others who see this as an illicit opportunity to raise revenue, and as such the expectation should be for things to get much, much worse, until they get better.

“And we as the Community of Information Security Professionals need to start to work in a cross-domain imaginative, and collaborative mode to get ourselves back on the front foot," concluded Walker.

Amichai Shulman, chief technology officer and co-founder of Imperva, said the cost of staging an Armageddon-style DDoS attack could put off some would-be protagonists.

However, application layer attacks could become an important tool for hacktivists intent on carrying them out.

“These attacks achieve service interruption of large targets with a far smaller network footprint than volumetric attacks,” explained Shulman.

“Application layer attacks abuse the inherent processing requirements of [an] attacked application in order to disrupt service of normal users.

“These attacks are becoming more prominent and even companies that have better visibility to volumetric attacks rather than application attacks are able to see an increase in [their] usage.”