DDoS Attacks Are Back (and Bigger Than Before)
Distributed denial-of-service (DDoS) attacks are certainly nothing new. Companies have suffered the scourge since the beginning of the digital age. But DDoS seems to be finding its way back into headlines in the past six months, in thanks to some high-profile targets and, experts say, two important changes in the nature of the attacks.
The targets are basically the same -- private companies and government websites. The motive is typically something like extortion or to disrupt the operations of a competing company or an unpopular government. But the ferocity and depth of the attacks have snowballed, thanks in large part to the proliferation of botnets and a shift from targeting ISP connections to aiming legitimate-looking requests at servers themselves.
In fact, said Andy Ellis, CSO of Cambridge, Mass.-based Akamai Technologies, the botnets launching many of today's DDoS attacks are so vast that those controlling them probably lost track of how many hijacked machines they control a long time ago. (Listen to the full interview with Ellis in The Long, Strange Evolution of DDoS Attacks.)
Ellis has been watching the trend from a pretty good vantage point. Many people use Akamai services without even realizing it. The company runs a global platform with thousands of servers customers rely on to do business online. The company currently handles tens of billions of daily Web interactions for such companies as Audi, NBC, and Fujitsu, and organizations like the U.S. Department of Defense and NASDAQ. There's rarely a moment -- if at all -- when an Akamai customer IS NOT under the DDoS gun.
"We see a lot less of the fire-and-forget malware-based attacks designed to bog down the machines that were infected," Ellis said, referring to old-school worm attacks like Blaster, Mydoom and Code Red. "Now the malware is used to hijack machines for botnets and the botnets themselves are used as the weapon."
In the last year, Akamai has seen some of the largest DDoS attacks in recent memory, which Ellis described as "huge attacks of more than 120 gigabytes per second." If you are on the receiving end of that much punch, Ellis said, "It's not a pleasant place to be."
A massive attack last July 4 weekend was a good example of this. In that onslaught, a botnet of some 180,000 hijacked computers hammered U.S. government Web sites and caused headaches for businesses in the U.S. and South Korea. The attack started that Saturday, knocking out websites for the U.S. Federal Trade Commission (FTC) and U.S. Department of Transportation (DOT). US Bancorp, the nation's sixth-largest commercial bank, also took a direct hit. Attackers have also targeted the likes of Google, Yahoo! and Amazon.com. Attacks against Google didn't last long, but when one considers that Google content accounts for about 5 percent of all Internet traffic, the prospect of more sustained attacks affecting some of the Internet's biggest brands is sobering.
Paul Sop, CTO of Prolexic Technologies, has seen the botnet effect on DDoS attacks from his perch, where about 30 engineering staffers spend all their time studying the problem. "We've built an IP Reputation database that tracks non-spoofed IP addresses that attack our customers, and the list now tracks about 4 million infected computers," he said. "What is surprising is how many botnets there are, and how easy it is to build new ones."
Increasingly, he said, his company is seeing layer-7 attacks to HTTP, HTTPS, and DNS services. These attacks don't punish the user's ISP connections. Instead, they punish the servers and are far more difficult to identify and stop, especially as the individual bot behavior becomes less aggressive and tries to act like legitimate user traffic.
Most attacks his team observes can be best classified as competitive sabotage of corporate entities.
"In certain high-stakes markets like online gambling, which is very popular in Asia, there is fierce competition and quite a lot of DDoS," he said. "Politically-motivated attacks are becoming more popular and we've protected many news and media outlets both large and small. Usually it's just a news item that foreign hackers find offensive, but sometimes, as in the case of the Democratic Voice of Burma, the attacks could be said to be more state sponsored, or at least, state approved."
In a just-released report on botnet-generated DDoS attacks, Prolexic noted that attackers are quickly tweaking their botnets to make attack traffic look increasingly similar to legitimate, routine traffic.
"Instead of the huge burst of traffic that marks when an attack begins, traffic will begin to ramp up slowly as bots join the attack at random intervals with each bot varying its attack style, making it increasingly difficult to separate real users from bots," the report said.