2012 Annual DDoS Attacks Analysis

 

Were DDoS attacks worse in 2012? What types of DDoS protection are companies using now? Watch Neustar experts Jim Pasquale and Susan Warner break it down. Analyzing Neustar’s recent DDoS Attacks and Impact Survey, they discuss the size, type and cost of attacks, plus the growing risks. View now!

 

Video Transcript

Lenny Liebmann:

Good morning, good afternoon or good evening depending on where you are in the world and welcome to today’s webcast, “DDoS Attacks: 2013 Industry Report on Attacks Released.” This is sponsored by Neustar and broadcasted by InformationWeek, UBM Tech Web and United Business Media, LLC. I’m Lenny Liebmann. I’ll be your moderator today and I’m just going to make a few announcements before we begin. First of all, I want to let you know that we will have a Q&A session and you can participate at any time during this webinar. Simply type your question into that “Ask a Question” area that you see in the presentation window and then make sure you click the “Submit” button.

By the way, at this time we recommend that you disable your popup blockers so you can use all the features of the console. The slides will advance automatically for you throughout the event. You can also download a copy of the slides at any time by clicking on the “Information” button that you see located there at the bottom of your screen. The webcast is being broadcast through a flex console. This means you have more control over your view and over the webcast tools. You can resize the presentation window by dragging on the windows from the corners. You’ll notice buttons at the bottom of your screen. You can feel free to click on these to open the supporting content and the user tools in different panels.

If you need technical assistance at any time, just submit a question and then you can open the Q&A panel to see any written responses back to you. By the way, we really value your feedback, and to ensure that our webinars continue to improve to meet your needs, make sure you click on the “Feedback” form in the “Information” button. So with that, now onto the presentation, “DDoS Attacks: 2013 Industry Report on Attacks Released.” We have the good fortune to have discussing the topic with us today Susan Warner, who is director of the DDoS product and market solutions for Neustar and Susan has more than two decades of experience in all types of high-tech environments, private and public and big and small.

As market manager for Neustar’s DNS and DDoS solutions, you focus on online performance and security, threat environments, really helping to translate the needs we see in the market into industry-leading products and services. And also Jim Pasquale is here, who is Neustar’s Security Operations Center manager and Jim leads the 24/7 information and security operational engineering teams that are charged with protecting Neustar and its clients against malicious intent. Then he oversees a tactical and strategic initiative for the group, including technology build out and solution development of staffing and support processes as well. And by the way, Jim has a lot of experience. He was the director of global security operations for Verizon’s managed security business. He’s been with IBM Global Services and with Visa International. So we have a couple of really great presenters here and so, without further ado, Susan, you’re going to kick us off.

Susan Warner:

I am. Thank you, Lenny. So, as Lenny mentioned, I am Susan Warner. I am a DDoS product and market professional. I work for Neustar. Neustar is an information and analytics company with a global network infrastructure for print and a cloud-based DDoS mitigation solution. So it’s my job to think about DDoS attacks and impacts every single day. So what I’d like to do to start us off is give a little bit of a background and history about DDoS Attacks and then introduce you to our 2012 annual DDoS Attack and Impact Survey. So the timeline that you’re seeing on your screen right now doesn’t include absolutely everything that’s happened over the last 20 years, just some significant events that I wanted to touch on to help kind of set the stage for the survey that we’ll be talking about later.

So in 1993 we saw the first hacktivist event with the Mexicans At Peace, the National Liberation Army. That quickly moved into our first public cyber-heist in 1994. It was perpetrated by one individual named Vladimir Levin and he was able to steal $10 million from Citibank. In 1996 we saw the hackers packeting for bragging rights and in 2000 was one of the more significant DDoS events that had happened up to that point. There was a 15-year-old Canadian boy who called himself Mafiaboy and he DDoSed and successfully took down these huge Internet sites at the time: Yahoo, Amazon, Dell, CNN, eBay and E-Trade. And he did this by himself because he wanted to. He caused millions – and to some reports, billions – of dollars in financial losses by taking out these websites.

They obviously found him, prosecuted him and today what he does is he is a speaker and a writer on Internet security and has published books on the topic that are ironically for sale on Amazon.com. In 2001 we saw spammers discovered that the botnets and in 2002 was the first registered or documented organized-crime extortion case of DDoSing, and this unfortunately continues today. In 2007 and 2008 these were notable events because DDoS was used as part of a political protest of the nation-state situation and they were used in conjunction with other traditional offences and methods.

Taking out an opponent’s online systems and communication vehicles in situations like the Estonia and the Georgia-Russia conflict is a very powerful tool, indeed, when you think about it that way, when you’ve completely knocked your opponents offline and then you’re moving over into the more traditional. This is the first time that we’ve really seen them used in conjunction like that. In 2011 is really, I want to say, when the volume started to be turned up. There was a Lockheed Martin suspected breach here in the US where sensitive data was supposedly accessed using DDoS as a distraction.

But in 2011 is really when we saw the volume and the size of the attacks start to progressively get larger and larger. The situation with the US banks sort of back in September of 2012 really is when we like to think of it as a tipping point. So these attacks were of a scale and of a size that we had never seen before and reaching 170, 190 gigabits per second. These attacks have lasted for more than eight months. They continue today, but even more significant than the scope and the size of the attacks was a tactic used by the attackers. It was to call out the banks, to say, “We are going to target this bank on this day at this time,” and then they proceeded to do so.

And what that was able to do was extend that impact from just the organization out into the consumer base. There was no way for those banks to be able to say, “We’re experiencing some network issues,” or, “We’re undergoing maintenance.” Because it had been so publicly called out, because the media had picked up on it, now the consumers were aware of it and so they had to say, “Yes. We are under attack,” and it spread that fear, uncertainty and doubt out into the consumer base rather than isolating it to the IT department or the organization that’s experiencing that pain. So it was a very effective tool. Again, it’s something that they continue to use today.

The other incident just to note on this timeline is the Spamhaus attack. A few weeks back – and it was reported to be at 310 gigabits per second and I saw a headline that even said that it broke the Internet – and really it was just an attack that was carried out by a single person who was very vocal and angry with Spamhaus. He used a very effective combination of tools to carry out the attack with spoof sources and open DNS servers to reflect the attack. But he didn’t break the Internet and that wouldn’t have been his goal because, if you think about it, the attackers don’t want to break the Internet. That’s their vehicle. That’s the way that they’re able to access these organizations and to cause the damage that they want to cause.

Just within the last couple of weeks there’s been a new call out. So it’s a group called OpUSA, who’s associated with Anonymous. The al-Qassam Cyber Fighters, the ones who have been calling out the banks and perpetrating these attacks for the last six months – they’re not saying that they’re not associated with this group. But this OpUSA group now has gone online and they’ve said on May 7 we’re going to initiate attacks against US banks. And so whether or not they’re associated, it seems now that the door has been opened, again, for kind of spreading this fear, uncertainty and doubt out into the public; for getting the media attention by posting it and then perpetrating the attacks.

And so now a lot of organizations now are waiting for May 7 to see what’s going to happen and what kind of an impact we’re going to be seeing from these new attacks that will be coming. So, again, the timeline again – not everything that’s happened over the last 20 years, but some very significant events indeed that show the progression from 1993 to present day, where the volume and the intensity of the attacks continue today. Our customers’ demand for a superior online experience makes us vulnerable. So if I can ask you to take off your IT or security hat for just a moment and think about that statement as an online customer, so whether you’re logging into your online game – my husband plays World of Warcraft – or you’re buying something at Amazon or if you’re paying a bill online, you want that experience to be flawless.

You want it to be fast, smooth and intuitive and then as an IT and business professional, we deliver that experience to our customer. And when it’s not there – when a DDoS attack takes that away from the customer it hurts. It hurts our revenues. It hurts our operations and it hurts our reputations and our customers’ confidence in doing business with our companies. And for that reason, DDoS will continue to be an effective tool for online attacks. Anyone can DDoS. We’ve talked about nation-states, coordinated attacks, genius high schoolers pulling out all of these DDoS attacks but the truth is that anyone can DDoS.

If today you went to YouTube and you typed in, “How to DDoS,” you would get this lovely library back of how-to videos. And they would explain to you and show you how to download and what to do and take you through all of those steps that you need to do that; however, if you weren’t feeling particularly motivated you have other options. Again, if you go to YouTube and you type in, “DDoS service,” you’ll get this lovely ad and this one is one of my favorites. It’s Gwapo’s Professional DDoS Service and it’s this very energetic, motivational, persuasive advertisement where they basically walk you through it.

They say, “If you want to take down your competition, if you’re having trouble with someone, we will take down their website.” They go through and they say, “Cost is $5.00 to $50.00 per hour, depending on the site size.” They’ll take down the websites for days, weeks or months. They have years of DDoS attack experience and training in DDoS protection methods. So this really moves that sense of only really brilliant and malicious people or organizations are going to be DDoSing. It kind of moves it from that realm into anyone can DDoS. And with all of this ease of access and the availability of tools to help disrupt a business, it really kind of makes all organizations vulnerable.

So all companies are vulnerable, not just the large high-profile or high-risk industries. If you think about it, anyone with enough angst or motivation, if they left Subway and they were really, really angry with how that sandwich was made, they could go and attack that Subway website and take it down. So really isn’t not just all companies are vulnerable – not just all the big ones, not just all of the big things that we see in the media every day. That’s really what we set out to discover when we went out to the market and we wanted to learn about everyday DDoS. What is the average company and the average industry experiencing? What about the e-commerce site doing $100 million in revenues online?

What about the regional banks, the online publishing companies, the power agencies, the cloud-based CRM companies – not just the big banks, not just the big Spamhaus incidents? So what’s happening with them? And so we went out; this is our second annual survey. In 2011 we did a similar one. It was titled “When Businesses Go Dark” and it really just asks about everyday DDoS. What is happening to the average company in the average industry? The results came back. We went out and we polled 704 IT, security and network directors just to understand, again, has the threat of DDoS grown within the average company? What kind of cost are they experiencing as a result of this downtime?

And besides cost, what other impacts are they feeling within the organization internally, externally? And given all of the press and all of the hype that’s been around DDoS attacks lately, are they better prepared to protect their websites and their brands? So we went out and we asked all of these questions. The results that came back: 35 percent of the company said they had experienced a disruptive DDoS attack in the past 12 months. We also wanted to take a look and say, “Okay. By industry, how is that affecting each one?” So we looked at telecommunications, technology, e-commerce, financial and this year for the first time, at the government, and then started to measure those impacts; and they were fairly significant.

In all of the industries technology and telecommunications stayed fairly flat year over year. Financially expected a jump. Like I said, government was new this year but e-commerce is an area where we did see a significant jump and where we were surprised. With all of the coverage and all of the focus around financial institutions, we weren’t looking at retail companies. We weren’t looking at e-commerce companies and what we saw was 144-percent increase year over year, 2011 to 2012 in those industries and anticipated that jump with financial organizations, almost a 40-percent increase. So the financial impacts of attacks – organizations, again, feel better prepared. They’re able to respond a little bit faster, but they are seeing more activity.

Seventy-four percent of the organizations overall said that they would experience over $10,000.00 per hour of downtime. So that would be up to $240,000.00 a day if they were down and that was up 10 percent from the year before. We broke it down again by the industries and these are just some of the results. So in IT, finance and telecomm, the $10,000.00 per hour mark is fairly significant. So when we started to look at the higher end we saw that telecommunications companies – that would be ISPs and hosting providers – were at risk of losing over $100,000.00 per hour, so up to $2.4 million per day because of a DDoS attack, because of an outage.

And to put that into perspective again within the financial industry, because there’s been so much information and so much news about it, CNBC published an article just a few weeks back that said, “Bank website attacks are reaching a new high. Two hundred forty-nine hours offline in the past six weeks.” Six weeks. They were only counting from January into mid-March, and so looking at that time frame they had come back with 249 hours. If DDoS attacks are costing banks an average of $50,000.00 per hour, which is what came back from our survey, you’re looking at almost $12.5 million lost between January and February in the beginning of 2013. So really significant losses and, depending on your business model and the time that you are down from a DDoS attack, it affects different industries and different organizations differently.

But that damage that can be done just from a revenue perspective can add up. It can be very significant. And then we wanted to understand, again, how do costs go beyond just revenues? A lot of organizations just look at their bottom line. They look at the sales. They look at the lost revenues from that and not being able to do their transactions online. But we asked, again, the IT and security directors to look at their groups, look at their teams and say how many of your people get sucked into this activity. How many are engaged for a single mitigation? And 22 percent said it was them and just them, and you have to feel for them being alone in that kind of a situation. But 45 percent said there’s between two and five people that are involved in that mitigation; and then 33 percent said six or more.

Six to 10 is 13 percent and 20 percent said that there were over 10 people involved, again, in a single mitigation. And if you consider what the journey of a DDoS attack entails, where you’ve got that period of doubt, you have to figure what is going on. Then you have to plan for, “Okay. Well, how are we going to stop this? What are we going to do?” Then you have the actual mitigation and then you have your postmortem, and during all of this don’t forget that your phone is ringing off the hook. You’ve got text messages coming in. The management wants to know what’s going on, how much longer, when are you going to be online?

So having to manage that whole life cycle of the DDoS attack really adds up and requires multiple people within the IT organization. So taking it, then, to the next step and saying, “Okay. In terms of a DDoS attack internally, who is feeling the most in terms of increasing your operational costs?” So the IT group, obviously, having to deal with that journey during the DDoS attack, they see a 39-percent increase in their operational costs for a single mitigation. Customer service sees a 27-percent increase, risk management 19 and the call center 15 percent.

When you think about that – again, that’s an increase in their operational costs from a single DDoS attack – customer service and the call center may deal with the ramifications, the fallout from that single DDoS attack for up to seven days longer than the DDoS attack lasts. So even though it only lasted half of a day, the customer-service people have an increase in their call volume, e-mails, online chats for many, many days afterwards. So they’re definitely feeling the pain of that DDoS attack across the organization. It’s not only isolated within the IT group. And how long do attacks last? This is very much in line with the results that we had seen in 2011.

So 63 percent of the respondents said that attacks were lasting for less than a day. So one to two days we had 17 percent; three to seven days, seven percent; and 13 were lasting over 1 week. So, again, depending on the organization, how long it was lasting we were seeing different kinds of impacts. And this, again, is in line I think with what we’ve seen across our networks as well and our customers. Our mitigation window is 72 hours for a reason, and that’s because most attacks really do last between 1 and three days in terms of what you see, and that lines up with what the market is saying as well.

So what form of protection now that DDoS attacks are receiving so much attention now these days? What form of protection are people really using? We saw this as some really good news and some not-so-good news in terms of these results. From 2011 to 2012 we saw a significant drop in the number of companies saying that they had absolutely nothing in place to help them with DDoS attacks. So we went from 25 percent to 8 percent, so that’s the really good news. DDoS-specific hardware and other services and solutions also increased, hardware going from three percent to nine percent and services going from five to seven percent. Really great news that they’re using purpose-built solutions.

The bad news is that firewalls, switches and routers are still and even more heavily being relied upon to help protect against DDoS attacks, and these are not purpose-built solutions. Firewalls, switches and routers are not made to stop a DDoS attack or help prevent a DDoS attack. They’re just not, and so really a lot of companies are thinking that they’re protected but they’re not. So now I’m going to pass it over to Jim Pasquale and he’s going to walk us through just some technicalities around DDoS attacks and then also talk about some of the DDoS attacks that we’ve seen in the SOC. So, Jim, you’re on.

Jim Pasquale:

Thank you, Susan. Appreciate the time for everyone joining us today. It’s my pleasure to be here representing the Neustar Security Operations Center. Our specialty is DDoS detection and mitigation and I’ll get into that a little bit. Very compelling data our survey has revealed from the industry and today I want to offer some of the operational perspective around these attacks. Next slide, please. I want to start with a foundational slide for everyone’s benefit. The basic definition of a denial-of-service attack is the attempt to make a computer resource unavailable to its intended users.

As you can see from the picture, gone are the days of the basic attacks and here to stay is the way that these sophisticated attacks are taking place. So if you follow along in the picture, items one, two and three where the attacker is going to great lengths to hide their identity, hide the source of the attack and also hide the location of attack – both of those metrics are key to any DDoS attack. So they’re looking to spoof their identity in that sense and they’re also going to find the IRC server where the botnet has infected zombie servers noted in red on the picture.

Those servers are given instructions by the IRC server or the control-and-command server. Those infected machines wake up and they participate in the instructions of the botnet, which is to attack the targets, which are located in boxes seven and eight. So this attack is geared to exhaust the resources at the ISP level, perhaps upstream from the target but also then reaching the targeted website, causing that impact that Susan mentioned, whether it’s financial impact or potentially impact to the brand. We know how powerful those two are for any industry. Next slide, please.

As far as types of attacks and kinds of attacks, here are some that run the continuum of the OSI model. So we handle attacks at all levels – Level 3, Layer 4 and Layer 7 – but here are some notable types of attacks. The thing to note here is not all tools do a job across all of these different types that we see here. So it takes a diverse toolset and what we bring to bear at Neustar for our customers is a diverse set of technology that helps mitigate all of these types of attacks in a very surgical manner so we can preserve the service while stripping off the malicious activity. Next slide, please.

Just to echo what Susan reviewed in this slide – and we certainly have seen this play out from our site-protect service, and we’ll talk about that in a second. But we certainly have seen a large uptick in customers boarding our platform who are customers in the e-commerce space, customers that make their revenue via the web. Obviously, they’re targets and we also know that there’s been a large focus on the financials – the banks and credit unions – and those folks we’ve certainly seen come to us looking for protection. I wanted to call that out. Next slide, please.

I wanted to cover a couple case studies that we had when we worked with our financial-services companies and customers over the last several months. This was the first one that we’ve seen that was DNS-services focused. This lasted three days, but as we know now, the attacks against financial institutions lasted several weeks. But at the time this one was very geographically diverse, targeting DNS and lasted several days. Next slide, please.

One other case study I wanted to call out is for a law-enforcement agency that is a customer of ours today. And this was a true punch counter-punch type of attack and it really called the focus on the requirement of dedicated people in your SOC that can understand the types of attacks and turn on the appropriate mitigations as the attack vectors change. So this attack was 12 distinct waves over a week and a half. It required a combination of those mitigation strategies I talked about, whether it’s technology or whether it’s the people piece creating crafty mitigation strategies to preserve the service.

And this attack at the time was fairly large but we know these numbers pale in comparison to what we’ve covered earlier and what we see every day in the news. But this attack, from a volumetric perspective, was over 2 gigabits per second and 700,000 packets per second. And when I talk about volumetric attacks, it’s important that you take both of those attributes seriously because there’s the part about filling the pipe, which is the gigabits per second, but there’s also the part about exhausting the purpose-built gear that a lot of folks now have on the other side of the circuit to help mitigate some of these attacks. Next slide, please, and our last case study is again in the financial-services space.

A major attack on targeting the DNS services in this customer lasted more than 12 hours. Again, what’s become commonplace over the last six or eight months – and the trends bear this out – are these multiple changes in attack vectors. It starts with trying to build a pipe. Then it will throw in some different vectors to try to exhaust that purpose-built gear and then while that’s going on they’ll slip in a little bit of the application type of attack. So a multi-pronged approach by the attackers means a multi-pronged strategy by us on the other side of that, fighting those attacks off.

So next slide I want to highlight the people piece, which is always critical when it comes to information security, and here’s a profile of our Security Operations Center here at Neustar. We have the proven capability to block attacks within minutes to minimize losses and to restore service for customers. We are a cloud-based DDoS detection and mitigation service. We have folks working around the clock that can help you day and night and we have that diversity within the toolset to do a very deep and surgical job for you during the time of need. Next slide, please.

This will just depict how the service looks. On the left side of the screen you have those zombie machines waking up, watching that malicious activity towards your website. On the right side what we do in this cloud play of SiteProtect is insert this green cloud called SiteProtect. We route your traffic – all of your traffic – through that cloud. We strip off the malicious traffic and we return to your website the clean traffic or the good traffic. Next slide, please.

We talk about a lot in security the triad of people, process and technology so I want to close with just a couple slides that kind of hammer home these points. The people piece – again, we have the smart folks in our SOC day and night doing great work for our customers under attack. We do that with very deep and proven process in the space that allows us to quickly and efficiently mitigate attacks for customers. And, again, I want to highlight the need for a combination of the people and process with the right set of diverse technology to help you do the best job you can for a customer. Next slide.

To reiterate a little bit of what Susan said earlier, while the big attacks are getting the headlines these days, all customers in all sizes of companies are vulnerable to DDoS attacks. We hear it every day. I talk to prospects who are customers every week that highlight that point. The attack size and duration varies; however, it doesn’t take a very large attack to take down most websites and every day DDoS continues to cost companies brand reputation and financial impact to their business. So with all of that said, I’m going to turn it back to Susan to close things out and then we’ll take some questions at the end. Thank you again for the time. Susan, back to you.

Susan Warner:

Thanks, Jim. So the last slide here is just an infographic. Like I said, we just published this survey that we did a few weeks ago and all of the information is available online on Neustar.biz. The infographic really just kind of highlights all of the major points around how long DDoS attacks are taking, the increases that we’re seeing in the size, the protection that’s in place. One of the things that Jim did mention was about the multi-vector attacks, and I failed to include this earlier. So there was a report that recently came out. Gartner is forecasting that 25 percent of all DDoS attacks in 2013 are going to be applications-based and that’s in their report that just came out. It’s “Arming Financial and E-Commerce Services Against Top 2013 Cyberthreats.” So with that increase in the application-based attacks, the multi-vector attacks – they’re switching their tactics while they’re going through it.

Arbor also published a report recently that said that sophisticated, long-lived, multi-vector attacks are up 41 percent from 2011 to 2013. So, again, while these big attacks are getting all of the media attention and really creating all of the buzz and having everyone think, “Oh, my gosh. I have to have this huge amount of bandwidth and all these huge, huge things in place.” Yes, they are a threat. They absolutely are happening within the market but these smaller, sophisticated attacks can do just as much damage and are just as prevalent in the market. So just wanted to make sure that I added that. So at this point I think we’d like to open it up to any questions that anyone has.

Lenny Liebmann:

Great. Thank you so much, guys. You did a great job of presenting a lot of great material really concisely and it was really informative. And, yes, we do want to encourage anybody who’s on here – take advantage of this time. We’ve got plenty of time to take your questions, so please just type them into the “Ask a Question” area there and submit them and we’ll try to get as many of them as possible. So let me start out. I guess maybe, Jim, I’ll ask you this one first.

We’ve talked about multi-vector attacks. Are these kind of the norm or are you seeing more volumetric attacks or application-layer attacks? And maybe you want to go into more specifics since you kind of glossed over that taxonomy of attacks pretty quickly, probably in the interest of time. But now that it’s coming into the question, do you want to give us a little bit of an explanation about that, about those different types and what you’re seeing?

Jim Pasquale:

Yeah. Sure I can. Again, I think this has become a common tactic by the attackers at this point. I think a year ago I would say that this was just a flash in the pan and it was something that was in a trial state, but they have become commonplace. We’re seeing more and more of them every day and every night against our customers. And a lot of them, as I kind of alluded to earlier, they do run across a continuum of attack types. So a lot of them start off at Layer 3 and Layer 4, which would be pretty much the volumetric piece that I talked about: trying to exhaust somebody’s circuit into their web service or trying to exhaust – perhaps they do have an appliance on their perimeter of their data center.

So that’s what I mean by talking about Layer 3 and Layer 4, and then they’ll try to be more stealthy and slip in a little bit of attack traffic, trying to exploit something at the application layer, Layer 7. So, again, it’s that blended approach that really drives customers to have a dedicated presence, whether it’s something they do on their own or something they’re doing with a provider like a Neustar service, like a site-protect service. That type of attack has really driven the need for mitigation and for detection services, in my opinion, so I hope that helps.

Lenny Liebmann:

Great. Yeah. I think you’d probably go into a wealth of detail getting into the nature of the attack, but I think people on the call are probably more interested in the mitigation and protection side. Why don’t you just talk about the good ways – we’re getting a question – sort of is there a good way to avoid or prevent DDoS attacks? So maybe you want to give us a little primer, not just say, “Write a check to Neustar,” but kind of talk about what are the whole set of best practices that would go with this.

Jim Pasquale:

Yeah. There’s certainly some best practices that come to mind. Obviously, protecting your perimeter with the least privileged type of ACLs and filters and access-control lists at the perimeter to prevent as much as you can from even coming into your network. That really is key and it stands out to me as the first line of defense. You really need to tighten down those ACLs and really make sure that only the traffic that you want to come in and hit your applications or hit your data-center servers is permitted. It sounds like an obvious one, but we talk to customers all the time and we do some consulting in that area where we do review their policies and that one stands out quite often. So I’ll offer that up as the first best practice that I’d talk to.

Lenny Liebmann:

Great, and also, again, we’re talking about kind of about DDoS maybe a little bit out of the context of border security. Maybe you could talk to us a little bit how the use of Neustar’s anti-DDoS solution sort of coordinates, integrates with the rest of our security and risk-mitigation strategies. Are there some synergies? Does it just create another siloed relationship for me to manage? How do I kind of fit this into, obviously, what’s a broader set of concerns in terms of malicious access and malware and everything else I’m defending my environment against?

Jim Pasquale:

Well, the beauty of what we do in the cloud is we are that trusted provider for our customers. So you do have an extension of your security team, so to speak, where you could reach out to us and say, “Hey, this is what I’m seeing on my network,” because the customer knows their network much better than I might or my team might. So we’re looking for feedback. We’re looking for that collaboration, but the beauty of our solution is it is seamless. It does plug in beautifully to what the customer has going on in their own environment.

So it’s a really quick swing of traffic over to the cloud and once you do that you have that trusted presence on the Neustar side who’s going to reach out to you, who’s going to work with you side by side to see the traffic and tell you what we’re seeing in the cloud and tell you what we’re mitigating in the cloud, and then we’ll look at best practices from there. We do a postmortem on every attack we have for a customer. We call out specific items within the traffic and look for ways to harden things going forward. So I hope that helps.

Lenny Liebmann:

Great. By the way, I do want to remind the attendees that we do have the feedback questionnaire. So while we’re going through the Q&A if you could just make sure that you take the opportunity. Give us that feedback. We really do appreciate your input so we can keep on improving the quality and content of these presentations. Here’s an interesting question. Do you have any insight into why these DDoS attacks end? I mean, you talked about sort of one. Some last a very short amount of time even though they obviously have repercussions that last for a few days. Then you talked about one that lasted for three days. I mean, why don’t they just go on and on and on ad infinitum if they’re relatively easy to provision and set up?

Susan Warner:

Yeah. We like to wear that as a badge of honor on the Neustar side because we really think that the attacker just gets fed up with the mitigation that we’re putting forward. So if the attack’s not effective the attacker will try to mix it up. But again, on our side we’re mitigating that and over time I think they just get bored and they’ll just pack it up and go look for an easier target, perhaps. That’s what we speculate on, and again, I think our defense is the reason why.

Lenny Liebmann:

Well, that’s good. Susan, I want to ask you a few of these questions we’re getting about the report itself. Is that okay?

Susan Warner:

Sure.

Lenny Liebmann:

So one thing is you’ve obviously been careful in the case studies. These are anonymized and in the report I’m assuming you don’t say anything specific about which companies are attacked. Can you just talk a little bit about specifically why Neustar doesn’t name customers or publish any real specific information about the specific attacks that you’ve seen?

Susan Warner:

Oh, absolutely. So I mentioned in the beginning that Neustar has a global network infrastructure. We have a DNS network – UltraDNS – and so we started out with DDoS by protecting our own network and then just naturally grew into protecting our customers and grew into this new service with SiteProtect. And we decided early on that we weren’t going to talk about any attacks that we were seeing across our networks or across our customer networks because we felt like it put a target on us and on them unnecessarily. No one really likes to talk about DDoS attacks.

I was just at InfoSec in London and gave a presentation on the survey and I asked everyone in the room if two years ago they had been thinking about DDoS and who, if anyone, had been thinking about it. One person raised their hand and I said, “All right. Great. So how many of you in here have experienced a DDoS attack?” and no one raised their hand but I knew that there had to be a few people in there who had experienced a DDoS attack. So it’s just something that people don’t want to talk about and so we don’t talk about it for our customers either.

Lenny Liebmann:

Gotcha. So is that part of the basis of why you feel sure that the customers who you interviewed were honest in their reports? I mean, how do you know if there is some embarrassment and there’s maybe some other issues that they’re perceiving? But you have a pretty high confidence in the honesty also in terms of what the costs associated were with these incidents?

Susan Warner:

Absolutely. You know, we made sure as we were going out with the survey that companies knew that they would not be identified, that there was no way to link any of their information, that it was completely confidential and that really kind of frees them up to offer up this information. I think that everyone within the industry is very interested to hear what’s going on with everyone else, and so with a survey like this they will much more freely give up that information so that they can see kind of where do they sit on the spectrum as well.

Lenny Liebmann:

Yeah. I think there is probably a collective interest in the industry to share some information so that there can be some common learnings here. So we see that too in information when we do our research. Can you give us any information – I’m not sure you did during the presentation – about the size of the companies included in the report? You did show which vertical markets were represented, but I don’t think you said anything about particular distribution of those markets. So can you just give us a little bit of insight there so we have some context for those results?

Susan Warner:

Absolutely. Across all of the industries we saw a wide range of the sizes of the organizations in terms of their revenue. Each industry had that wide range. So using financial for, again, as example, we saw a very small regional bank and then we saw one of the very big banks who has been very publicly targeted and knocked offline through these coordinated attacks. So, again, it was this very wide range within each of the industries and so it gave us a nice feel across the board for what was happening.

Lenny Liebmann:

Gotcha. One of our attendees is asking a question, which I think you’ve answered, but it might be good to make it explicit for this particular individual. Part of a public school district that may not be especially large – does somebody like that really need Neustar’s services and can you explain why if you think they do?

Susan Warner:

Did you say a public school district?

Lenny Liebmann:

Yeah.

Susan Warner:

Yeah. I actually have a very specific example for that one. So one of the stories is one of our customers, who has come to us and was telling us why they needed DDoS protection. And it’s an educational institution and basically what was happening was with any kind of online situation where teachers are posting information that students need to access or tests are being posted online. College students now take online courses. When it comes to the day where that assignment’s due or that test needs to be taken, we’ve had customers who have said, “The students are basically DDoSing the sites and knocking them down so that no one can get to it.”

So college students are waking up and saying, “I haven’t studied. I’m going to take down that website and then I can’t take the test. No one can take the test.” And so that actually has been a real-life situation that we’ve seen in terms of some of our customers and what they’ve needed to protect. So, again, it’s hard to even think. Some of the customers that we have that come through, I’m like, “Really? Why would someone DDoS that company?” So it really is kind of this widespread issue across all industries.

Lenny Liebmann:

Gotcha. Do you have any sense, though, generally kind of – I mean, you made the joke about someone who doesn’t like the service they got at a local food establishment and now you’ve given them sort of a specific example of students who are unprepared. Do you have any sense of motivation for these attacks? In other words, to what extent do they have to do with either sort of doctrinal issues against a group or to what extent they have to do with sort of personal resentment or to what percentage they have to do with just it’s fun to do and this is a visible target?

Susan Warner:

Yeah. I mean, you really can’t understand that unless you really find the perpetrator of the attack, right? But if it’s a government organization or if it’s, say, one of these banks that are being specifically targeted it’s very easy to take a guess as to why they’re being targeted. Again, when it comes to – I have to say, one of these – it was like a pastry maker that was DDoSed. I don’t know why. Who would have been DDoSing them? I don’t know. We couldn’t even guess. You really can’t find that out until you find the person or it’s a very transparent reason.

Lenny Liebmann:

Gotcha. So you don’t think it was like Weight Watchers attacking the pastry maker?

Susan Warner:

You know what? That is exactly what I said.

[Laughter]

Lenny Liebmann:

You have sort of mentioned how the service works but maybe, Jim, you want to take this. Can you just talk about what a customer or a site has to put in place in terms of configuration or equipment in order to take advantage of the Neustar service? What do you have to do to get onboard and get rolling?

Jim Pasquale:

Sure. We have a couple different flavors of provisioning packages that we offer customers. One of them is a DNS proxy service, where a customer essentially changes their DNS ‘A’ record to 0.2, a pre-assigned virtual IP that we will give you during the provisioning process. Once you have that in place you just change your ‘A’ record on your side, you swing over to the cloud and we take care of the rest from there. We also have a GRE or a BGP type of redirection service, which is a little bit more advanced but, again, we have provisioning documents that are well done.

We have a customer service team that’s 24/7 that’s intimate with the service. They walk you through the provisioning document. You have us as the SOC, trusted advisor at your fingertips to ping for additional technical guidance and we do it all day and all night. We are here for the customers and make sure that they understand the technical ins and outs of it, but it’s very seamless and it’s very lightweight work on the customer side to make it all fly right.

Lenny Liebmann:

Gotcha. Jim, I’m going to ask you another sort of technical question. How do you guys feel about using – you had talked about sort of firewalls and their ineffectuality. What about honeypots? Is that something that you either recommend or that you actually implement as part of a recommended solution against DDoS?

Jim Pasquale:

Honeypots is a very broad term. We do have some good relationships with some vendors in this space that do have their hands on a large set of data on the Internet and what they do with that data is they distill that data down to really where it becomes actionable intelligence. And we’ll take a feed from that, which we know has been distilled and it’s gone through a vetting process and we know that it’s actionable for many of our customers. And we’ll take lists like that that we get and we’ll put those in place within our SiteProtect platform so any customer that we have on the platform benefits from that type of intelligence that we’ll pick up from some of the most reputable vendors in the space.

Lenny Liebmann:

And Susan, I don’t know if you want to take this one or, Jim, if you want to weigh in, but to what extent is it the responsibility of a company’s ISP to kind of provide clean traffic or to somehow do filtering or recognize this stuff so that, at least maybe for some of the most obvious attacks, ISP plays a role in mitigation as well?

Jim Pasquale:

I’ll take that first and then Susan can pile on, but there’s a lot of regulation within that space. So it’s hard to say the quality of the job that’s going to get done there and the timeliness of the job. Obviously, DDoS attacks are hair-on-fire situations and it’s really hard to be reactive and get some timely support from those entities. I’ll leave it at that, but Susan?

Susan Warner:

Yeah, and there’s also situations where the ISP really can’t handle the attack and so what winds up happening – and again, we’ve seen multiple situations like this – what winds up happening is they wind up black-holing you and they’re basically shutting you down until you have some other sort of mitigation help in place. We’ve had multiple situations like that happen. So they’ll do what they can to a certain point, but when it comes to jeopardizing the rest of their customers on their network they’re not going to do it.

Lenny Liebmann:

So I think, Jim, I’m going to ask you this one because, again, it’s a little bit of a technical question. So what happens if the attack sort of reaches a volume of, let’s just say, 6 gigs and you have a one-gig connection. Is there a particular challenge or something that Neustar does to help in that situation? There are pieces of this question, so why don’t we deal with that one first. Is there any relationship between the size of the attack and the existing connectivity that a customer has?

Jim Pasquale:

No, not on the customer side. We’re taking it in the cloud and we have hundreds of gigabits of scrubbing capacity – not only network scrubbing capacity but true scrubbing capacity. There’s a difference there with a large amount of bandwidth that we carry into our scrubbing centers from tier-one providers, but we also back that up with true scrubbing capacity – some of those appliances I talked about and some of the folks that make that purpose-built gear. So we’ve invested in both of those areas, so there’s no concern from the customer side. We’re going to sit in front of that and you’re going to swing right over and we’re going to take you into our platform and you’ll benefit from all of the capacity that we’ve invested in over the years.

Lenny Liebmann:

Gotcha. So does that mean that you are essentially carrier agnostic or are there some cases where the ISP or the carrier that a potential customer or a customer is using affects or inhibits your ability to provide the protection that you provide?

Jim Pasquale:

No. We are vendor agnostic in that regard.

Lenny Liebmann:

Okay. Great. So it sounded like a lot of the discussion was sort of based around or somebody may have assumed that this is based on sort of the attack being on my data center and my on-premise infrastructure. Is there a difference in the way you approach protecting a customer for DDoS attacks or threats that are against their own data centers that they host versus the fact that they may be using some kind of cloud service or whatever as a service provider that something is hosted, and the attack is either directed against that service provider generally or is in fact against their particular piece of that hosted infrastructure? So with more stuff moving to the cloud, does that affect how it is that I would engage with Neustar?

Jim Pasquale:

No, and I think we cover a lot of that in the provisioning document. We ask those specific questions – where folks have their equipment around the world and who are their providers. There’s many times we’ll get on the phone with the customer, their provider – whether it’s a CDN or whether it’s a co-location facility – and we work hand in hand with those folks to make sure the transition is easily done when in need.

Lenny Liebmann:

So I would assume that that would mean that if I engage with you and in today’s sort of very fluid cloud environment that if I changed the provisioning of a service or if I’m doing sort of a hybrid service, where I may be provisioned the base workload in my data center, and then I take a peak and I spike it to a provider, I somehow have to let you know about it so you kind of know where to do the protection?

Jim Pasquale:

Yes. That’s all spelled out in the provisioning, so we’ll take a look at that and make sure that we completely understand your architecture and where you’re deployed around the globe and then we’ll put the appropriate measures in place so the service works like it should.

Lenny Liebmann:

Hey, Susan, I think we might be running towards the top of the hour. So I’m thinking, unless you see anything in the queue that you particularly want to answer, maybe we’ll take these last few minutes and we’ll give you and Jim a final word.

Susan Warner:

Yeah. That would be great. I see that there are a number of questions that we haven’t gotten to as I’m looking through the Q&A portion of the system and I want to let everyone know that if we didn’t get to your question we will follow up with you individually. There are some really great questions in there. So yeah, just in closing I want to thank everyone for their time. This was really great with all the great questions. It’s been fantastic. With all of the really big attacks in the headlines and kind of this sensationalism around DDoS, it’s easy to forget that DDoS happens to companies.

Every company, any size company, any industry. It’s really hard to anticipate. I think one of the questions was around how do I prevent a DDoS attack. There’s really no preventing a DDoS attack. All you can do is have all of your ducks lined up and be ready for that attack so that you can effectively mitigate it and protect your infrastructure. There’s no way to not make yourself a target. Again, the pastry maker had no idea why someone would want to DDoS them. So the reality of DDoS is that every day it affects companies of all sizes and all industries.

Lenny Liebmann:

Great. Jim, anything you want to share in closing?

Jim Pasquale:

Yeah. I would just leave folks with this thought. Preparation is key and the more you can do up front and the more you can work with a proven provider like Neustar, SiteProtect – I think those are questions that everyone needs to put on the top of their priority list. So do the risk assessment of your own environment and reach out to us. There’s plenty of data on the Neustar website and we will be following up with the individuals that have questions out here. There are some great questions on that front as well, so I appreciate the time today as well.

Lenny Liebmann:

Yeah, and I just want to say that the volume of questions we got is really testimony both of the extreme relevance of this issue and really to the quality of the presentation that you guys did, that you were able to sort of stimulate some thought on behalf of our attendees. So I appreciate you doing that and I also appreciate the fact that you will follow up individually with some of these questions that we either didn’t have time for or that are probably more appropriate to discuss offline. So with that I will let our attendees know that for more information relating to this webcast they can visit any of the resource links, which can be opened by clicking on the “Information” icon that’s at the bottom of your screen.

And within the next 24 hours, whether you have an open question with us or not, you will receive a personalized follow-up e-mail with details and a link to today’s presentation on demand, which is a really good idea if you want to share this information with a peer or with somebody who writes checks. And with that, I’ll thank you for attending today’s presentation, “DDoS Attacks: 2013 Industry Report on Attacks Released,” which was brought to you by Neustar and broadcast by InformationWeek.

I do have to tell you that this webcast is copyright 2013 by United Business Media, LLC; that the presentation materials are owned by or copyrighted, if that is the case, by InformationWeek and Neustar, who are solely responsible for their content; and also that the individual speakers today are solely responsible for their content and for their opinions. So on behalf of our guests today, Susan Warner and Jim Pasquale, I’m Lenny Liebmann. Thank you so much for your time and have a great day.