The Internet powers almost every aspect of business operations today, from websites, email and ecommerce payments to behind-the-scenes data exchanges. During a distributed denial of service (DDoS) attack, the entire enterprise is at risk. Besides crippling sales and productivity and severing ties to suppliers and partners, DDoS attacks fuel doubts about a company’s stability. Blogs light up in minutes, becoming part of the Web’s permanent record. The damage to brand equity can be lasting and incalculable.
This report examines the major DDoS trends of 2011 and what to expect in 2012. Drawing on Neustar’s decade of experience in DDoS mitigation, plus the unique Internet views our enterprise services afford, this report seeks to separate truth from industry myth. 2011 was an eventful year across the DDoS landscape. The insights that follow are meant to help you better prepare for 2012.
What exactly is a DDoS attack? According to the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT), it’s when an attacker attempts to prevent legitimate users from accessing a computer resource, normally by overwhelming it with malicious traffic. By targeting a company’s Internet-connected infrastructure—its websites, portals, email, databases and more—an attack can block end users from doing business as usual.
In one common scenario, an attacker floods a network connection with tens of gigabits of traffic, creating bottlenecks in firewalls, routers or even the connection itself. When the next request for service tries to come or go, the network connection is clogged. The request is denied. Communication stops.
Another frequent scenario: an attacker floods a target with hundreds of thousands of requests per second. When the receiving server attempts to process them, it quickly becomes overwhelmed and shuts down. Upon the next request, the server is nowhere to be found.
The first DDoS attacks occurred in the late 1990s. By 2000, ecommerce sites were targeted and the business world quickly took notice. It is now widely agreed that attacks occur thousands of times each day and are increasing every year. The damage is considerable and more widespread than many realize. While the obvious harm is immediate—site outages and lost revenues—companies also suffer irreversible effects such as lost customers, negative publicity and tarnished reputations. When customers, partners and shareholders hear you were knocked offline, your brand takes a hit. Research firm Yankee Group estimates that an average mid-size enterprise ($10 million in annual revenue) would lose over $150,000 from just one successful DDoS attack. For a large ecommerce company, losses over 24 hours could number in the millions.
Of course, the business world hasn’t taken all this lying down. Leaders in managing and protecting Internet infrastructure have developed powerful technologies to block DDoS attacks. Over 10 years ago, Neustar® began leading the way.
Neustar: Deep Experience and Unique Views of the DDoS Landscape
In helping businesses stay connected, Neustar is known for providing “the technology behind the technology.” We started with routing and addressing services to telecommunications carriers throughout North America and the world. Today, Neustar’s wide-ranging services help make online business possible: managed DNS, Web performance management, IP intelligence, security threat monitoring and DDoS mitigation. Listed on the New York Stock Exchange (NYSE: NSR), the company is approaching a billion dollars in annual revenues.
Within the world of DDoS protection, Neustar occupies a unique position. Because our full set of services goes far beyond DDoS defense, we have views of the Internet unlike any in the industry. Combined with our 10+ years of DDoS mitigation experience, this lets us aggregate data no other organization has.
Our data sources include:
The diverse equipment we use to mitigate DDoS attacks. By using best-of-breed hardware from Arbor® Networks, Citrix® Systems, Juniper® Networks, RioRey®, Cisco Systems® and Hewlett Packard®—and by deploying their devices throughout our global mitigation platform—we are able to mine and analyze data in unique ways.
Neustar’s global DNS platform. This source is invaluable, given that most attacks target DNS as the first step. In fact, DNS often becomes the attack target itself. Neustar operates at all levels of the domain name system, providing authoritative and recursive services to companies of all sizes.
Close relationships with leading Internet security research firms. We supplement our internal information with data from objective third parties. These firms provide us with advanced information on cyber gang activities, plus command-and-control data on botnets, the networks of infected computers that give attacks amplified force.
Direct contact with national and international government agencies helps our customers coordinate investigations during and after attacks. These agencies rely on our extensive IP intelligence databases and share data with us to provide deeper insights into attackers’ activities.
Neustar’s expertise includes our 24/7, on-site Security Operations Center, a team with over 100 years of combined DDoS experience. In the adjoining arena of security threat monitoring, our NeuSentry service alerts businesses to compromised computer systems, route hijacks and other dangers.
In short, the depth of our data and expertise provides the foundation of this report.
Trend #1: Attacks Are Growing in Number—Though the Motives Are Debatable
Neustar agrees with industry reports that DDoS attacks are more frequent, with growth assessments as high as 45%. We also concur that a major culprit is low-cost, freely distributed DDoS attack technologies. Tools such as the low orbit ion cannon (LOIC), a favorite piece of attack software, let anyone with a computer unleash a deadly barrage. For as low as $67 a day you can even rent a botnet. According to InformationWeek, there are now over 50 popular DDoS tools—and the number is growing fast.
However, we don’t support the contention that “hacktivism”—the use of cyber-attacks to make a political or social statement—is now the main motive behind DDoS attacks. The most infamous hacktivist group, the cyber-gang Anonymous, has hit governments worldwide and companies like Visa® and MasterCard®. While such attacks grab headlines—which is exactly their purpose—Neustar finds the bulk of attacks still stem from other sources, namely extortionists, cut-throat competitors and others who strike for profit. Industry experts agree that many of these attacks go unreported. After all, no one wants to go public when their systems have been assaulted. Customers flee, sales drop and stock prices follow suit.
Perhaps most media-reported attacks are the work of hacktivists. But those who take aim at your bottom line—in the form of a ransom note threatening your website or a competitor lunging for market share—are still launching the majority of overall attacks.
Trend #2: Sophisticated Attacks Are on the Rise—but So Are Old-School Tactics
In the past, DDoS attacks mainly targeted the network layer. In 2011, we saw a notable increase in attacks at the application level as well. These hit Internet-facing applications versus perimeter equipment and network connections; the idea is to exploit weaknesses and sap server resources instead of the network connection. Often going unnoticed, this tactic can be quite effective. For example, using the LOIC tool an attacker can zero in on your website’s login page, overpowering back-end databases with costly CPU queries. The result can be the same as from a larger attack—an outage.
With that in mind, brute force network-level attacks haven’t gone away. As noted earlier, the overall number of attacks continues to rise aggressively. Yes, more and more are complex, but many are still primitive. Along with attacks on applications and multi-vector attacks, simpler tactics like UDP flood attacks are doing their part to keep businesses on their toes. In fact, attackers are increasingly using a blend of tactics, mixing both network and application strikes. They seek blind spots in the security architecture, probing relentlessly to try and take you offline.
Our take-away: now more than ever, effective mitigation means diverse mitigation technologies, along with experienced staff who know how to deploy and tune them. In other words, you need to be ready for anything. In 2012 you’ll see another mix of subtly changing tactics and full-frontal assaults.
Trend #3: While Some Types of Attacks Are Down in Size, the Overall Danger Is Growing
In 2011, the largest reported attacks were smaller than the largest in 2010, which saw a few upward of 100Gbps (100,000 megabits per second). However, no one should breathe easier. Network-bandwidth attacks of 10Gbps or more were still 15% of all DDoS incidents Neustar mitigated. More than one out of 10 attacks came with hurricane strength, enough to overwhelm bandwidth and quickly cause an outage.
Equally disturbing, high packets-per-second (PPS) attacks grew in popularity. Instead of exhausting bandwidth, these drain processing power. To illustrate, DDoS attacks using UDP packets tend to be smaller in size (DNS UDP packets, for instance, are typically limited to 512 bytes). While such attacks take up modest bandwidth, the sheer number of packets can crash your CPU as it attempts to process the blitzkrieg of requests.
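The distinction drawn above between bandwidth exhaustion and high packets-per-second load can be made concrete with an added example (not part of the original report). It classifies constructed traffic counters against an assumed 10 Gbps link and an assumed 2 million PPS device limit; all names, capacities and samples are illustrative assumptions.

```python
from dataclasses import dataclass

# Assumed capacities, for illustration only (not figures from the report).
LINK_BPS = 10e9      # access link: 10 Gbps
DEVICE_PPS = 2e6     # packets/s the perimeter device can process
ALARM = 0.8          # flag a resource at 80% utilisation


@dataclass
class Sample:
    """Counters for one measurement interval (constructed data)."""
    label: str
    packets: int
    total_bytes: int
    seconds: float


def classify(s, link_bps=LINK_BPS, device_pps=DEVICE_PPS, alarm=ALARM):
    """Report which resource a traffic sample threatens: link or processing."""
    if s.seconds <= 0:
        raise ValueError("interval must be positive")
    bps = s.total_bytes * 8 / s.seconds
    pps = s.packets / s.seconds
    link_hot = bps / link_bps >= alarm      # bandwidth close to exhausted
    cpu_hot = pps / device_pps >= alarm     # packet processing close to exhausted
    verdict = {(False, False): "normal", (True, False): "bandwidth",
               (False, True): "packet-rate", (True, True): "both"}[(link_hot, cpu_hot)]
    avg = s.total_bytes / s.packets if s.packets else 0.0
    return {"label": s.label, "gbps": round(bps / 1e9, 2),
            "mpps": round(pps / 1e6, 2), "avg_bytes": round(avg), "verdict": verdict}


def pps_to_fill_link(packet_bytes, link_bps=LINK_BPS):
    """Packets/s needed to saturate the link at a given packet size
    (payload bytes only; framing overhead is ignored)."""
    return link_bps / (packet_bytes * 8)


# Constructed samples: packets, bytes, interval length in seconds.
SAMPLES = [
    Sample("baseline", 1_500_000, 1_200_000_000, 10.0),
    Sample("large-packet flood", 9_000_000, 12_600_000_000, 10.0),
    Sample("small-packet UDP flood", 30_000_000, 3_000_000_000, 10.0),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s))
    # With these assumed limits, 512-byte packets hit the device's PPS
    # ceiling before they fill the link.
    print(int(pps_to_fill_link(512)), "pps fills the link; device limit is", int(DEVICE_PPS))
```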
We agree with experts who claim that only cloud-based DDoS solutions offer a comprehensive defense. Cloud solutions provide the bandwidth (as measured in Gbps) to absorb today’s massive network layer attacks, plus the technology diversity and processing power to handle application-layer and high packets-per-second strikes. Remember, all on-premise hardware, even the best, has its limits. At some point, the sheer volume of traffic will clog your network connections—before on-premise perimeter equipment even gets involved.
Trend #4: Attacks Are Global in Origin, But Often Hard to Trace
Which countries generate the most attacks? The short list would include China, Ukraine, India and the United States, though reports vary. However, things aren’t always what they seem. Thanks to a rise in spoofed IP addresses—those with IP packets whose sources have been forged—you can’t always be sure where the trouble starts. Without advanced IP technologies, it can be difficult to know an attacker’s actual location. In truth, tracing an attack’s origin doesn’t always contribute substantially to mitigation.
Trend #5: Firewalls & IDS/IPS Devices Are Part of the Problem, Not the Solution
Certain security tools hinder, not help, during DDoS attacks. Neustar finds that deploying firewalls or intrusion detection and prevention systems (IDS/IPS) in front of servers—without a mitigation solution in place—aids the wrong cause. They can quickly become bottlenecks, helping achieve the attacker’s goal of slowing or shutting you down. According to a recent report by the Computer Security Division of the National Institute of Standards and Technology (NIST), “IDPS sensors are susceptible to various types of attacks. Attackers can generate unusually large volumes of traffic, such as distributed denial of service (DDoS) attacks, and anomalous activity (e.g., unusually fragmented packets) to attempt to exhaust resources or cause it to crash.” Erected to defend servers with large volumes of inbound packets, these barriers themselves end up being points of failure.
It’s also important to realize that firewalls won’t repel application-level attacks. To block an attack on a website, for example, a firewall must shut down all HTTP & HTTPS traffic, therefore causing an outage. One problem: firewalls reside too far down the data path. During a DDoS attack, they can’t protect the access link from the ISP to your edge router, leaving these components exposed. Firewalls also lack sufficient anomaly detection. When attackers use valid protocols, firewalls don’t see the ruse. Finally, firewalls don’t do inspection on a packet-by-packet basis to distinguish good traffic from bad. It’s easy for attackers to generate traffic that conforms to a firewall’s policy rules yet elbows legitimate traffic out of the way. During DDoS attacks, firewalls go down faster than the servers they’re meant to protect.
Trend #6: For Many, DNS Continues to Be the Weakest Link
Approximately 10% of all DDoS attacks target DNS. In Neustar’s experience, many organizations lack adequate protection, despite knowing that if their DNS fails the consequences can be disastrous. Everything relying on an Internet connection (websites, email, FTP sites, etc.) will go down as well. If your DNS servers are located on-premise, sharing a network connection with all your other devices and servers, a DDoS attack translates to a complete outage. If you’re on the shared DNS platform of a registrar or hosting company, your risk is just as large. To protect their other customers these vendors will black hole you, turning off service until they decide the danger is over.
To make matters worse, DNS-based attacks are among the hardest to repel. Most organizations are not equipped to block them, a potential problem since these attacks are growing in popularity.
Trend #7: Websites & DNS Are Not the Only DDoS Targets
With so many technologies available to launch DDoS attacks, there’s a tool for every target. Neustar is not only seeing attacks on websites and DNS but also on less defended Internet infrastructure. This includes email servers, APIs, default configurations like SNMP and even VoIP. Imagine no phone service, thanks to a congested Internet connection. Or losing sales because customers couldn’t connect to your API. In protecting against DDoS attacks, you must consider everything connected to the Internet and use a solution that covers all points of exposure.
Trend #8: Most DDoS Protection Solutions Can’t Handle IPv6 Traffic
Remember World IPv6 Day? If you don’t, you’re not alone. It came and it went last year and plenty of companies still aren’t capable of handling IPv6 traffic. (IPv6 is the new version of the Internet Protocol and as such a source of available IP addresses. It supplements its predecessor, IPv4.) Even worse, most DDoS mitigation solutions haven’t made the upgrade either. While attacks that utilize IPv6 still aren’t a mainstream tactic, they did start cropping up in 2011. With IPv6 sure to gain steady if slow acceptance, you’d be wise to make sure your DDoS solution (and DNS) are ready.
Trend #9: While Relatively Rare, Attacks on Encrypted Traffic Can Spell Trouble
Less than 5% of the DDoS attacks Neustar tends to see involve encrypted traffic on the application layer (typically HTTPS-based traffic on port 443). However, traffic is encrypted for a reason—it’s highly valuable—so you must be ready to protect it. Such attacks are harder to mount, which explains why they’re used so sparingly. They generally target the encrypted traffic’s port with GET Flood or POST Flood traffic, which is usually handled by rate limiting or null-routing. The best practice, though, is to perform deep packet inspection at the application level. This process of opening, inspecting and closing packets is complex, but neglecting it can leave your business vulnerable.
Trend #10: Mobile Is Emerging as Part of the Battleground
Last September, Damballa® Labs reported that thousands of compromised Android devices were linked to criminal botnets. During one two-week stretch, 20,000 devices were involved, an eye-opening milestone. When you think about it, though, this shouldn’t come as a surprise. Mobile device infrastructure is expanding fast, essentially creating a second-tier wireless Internet. Speeds are increasing too as 4G services roll out.
As noted by TechCrunch, mobile operators have become “accidental ISPs”. In a few short years, they’ve transformed their businesses from voice carriers into providers of mobile data and video experiences. Unfortunately, mobile-device security hasn’t kept pace. Mobile devices are not only susceptible to malware infections, but can also be used by the bad guys to download free attack tools. That’s right, you can launch a DDoS attack from most smart phones or tablets. Bottom line: mobile devices are starting to magnify the threat.
DDoS attacks and the threats they pose evolved rapidly in 2011. Attacks continued to grow in number, fueled not only by hacktivism but also by those seeking financial gain. Many attacks became more sophisticated, though many remained basic. An increasing number mixed old and new tactics, attacking at both the network and application layers. While the largest attacks of 2011 were smaller than in 2010, they were still large enough to cause downtime and PR nightmares. Moreover, smaller, more targeted attacks continued to wreak havoc, making a strong case for quality over quantity. While certain countries surely accounted for more than their share of attacks, spoofing makes it difficult to pin down attack origins. Firewalls, DNS and mobile posed vulnerabilities, as did solutions that couldn’t handle IPv6 or encryption.
Looking ahead, 2012 will be another challenging year. Attack tools will evolve. So will attack methodologies. The only thing that won’t change is the importance of the Internet to businesses. DDoS attacks will continue to be a when, not an if.
Neustar SiteProtect: Keeping Businesses Safe from DDoS
To combat the dangers of DDoS, Neustar offers SiteProtect, a cloud-based, on-demand DDoS mitigation service. Activated through DNS or BGP redirection, SiteProtect scrubs away malicious traffic in the cloud, letting valid traffic flow to your infrastructure. To do this, SiteProtect relies on a large global mitigation network, featuring 15 IP Anycasted scrubbing centers.
Using diverse equipment from leading mitigation vendors, SiteProtect is designed to stop numerous types of attacks, including those involving the application layer, IPv6 and encrypted traffic. Technology diversity sets it apart from other mitigation solutions. By drawing on each vendor’s strengths, SiteProtect can stop the sort of multi-faceted assaults that are evolving rapidly and redefining the DDoS landscape.
Backed by Neustar’s 24/7 Security Operations Center—fully manned on-site by highly experienced experts—SiteProtect supplies the assurance businesses need. While it’s best to prepare in advance, Neustar can emergency-provision SiteProtect should your business suddenly come under a DDoS attack.