Even as distributed denial of service (DDoS) attacks are becoming larger and more complex, the possibility of an attack big enough to take down the entire Internet remains unlikely, security experts say.
The specter of a "DDoS Armageddon" was raised by Arbor Networks earlier this week as part of an analysis of how attacks are bigger and lasting longer. It is possible to have a DDoS attack so large that it could overwhelm the targeted organization as well as all the Internet providers in between, Carlos Morales, a researcher with Arbor Networks, wrote in a blog post recently. There have been plenty of DDoS attacks capable of overwhelming a 10 Gbps data center since 2005, and there have been recent attacks that exceeded 100 Gbps in size, said Morales.
The largest bandwidth attacks measured in 2011 and 2012 were 101.4 Gbps and 100.8 Gbps, respectively, according to anonymous attack statistics collected from Arbor Peakflow SP systems deployed around the world as part of the Arbor Networks ATLAS system.
"Is there an Armageddon attack on the horizon that threatens to take down the entire Internet? There are indications that this could be the case," Morales wrote.
If several large botnets joined forces to target several organizations in a DDoS attack of approximately 1 Tbps in size, they would overwhelm the organization and also the service providers, Morales said. Even though service providers generally have a lot of bandwidth to soak up attack traffic, "there are limits to how much traffic they can handle," Morales said. Attacks of this magnitude could cause bottlenecks in many places simultaneously, leading to a situation where even large-tier service providers are unable to handle the traffic.
While a scary prospect, some security experts weren't convinced.
"DDoS Armageddon would require every computer and smartphone on the Internet to be attacking everyone else. This just is not going to happen," Dave Jevans, founder and CTO of Marble Cloud, told SecurityWeek.
Getting a botnet big enough to launch a 1 Tbps attack, let alone several of them, would be a challenge. Arbor's Morales estimated that a million-member botnet could generate a 1 Tbps attack provided each compromised host has an average of 1 Mbps upstream access. That math doesn't quite work, because bandwidth addition doesn't work that way, Andy Ellis, CSO of Akamai Technologies, told SecurityWeek.
For example, as users go online on a Sunday night, individual speeds often slow down as the ISP accommodates all their online users. Bots have the same problem as they scale up because they will be contesting their own ISP before they can attack, Ellis said.
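To make Ellis's objection concrete, here is an added back-of-the-envelope model (not from the article or from any of the vendors quoted): the naive estimate sums every host's upstream, while the contended estimate caps each ISP's contribution at its shared uplink and then at each transit link on the path. The ISP sizes, uplink capacities and transit caps are constructed sample values.

```python
"""Bottleneck model for aggregate DDoS bandwidth (added example, not from the article)."""
from dataclasses import dataclass
from typing import List


@dataclass
class Isp:
    name: str
    hosts: int            # compromised hosts on this ISP
    host_mbps: float      # average upstream per host (the article's 1 Mbps assumption)
    uplink_gbps: float    # shared capacity from this ISP toward the rest of the Internet


def naive_estimate_gbps(isps: List[Isp]) -> float:
    """Arbor-style arithmetic: every host contributes its full upstream, nothing is shared."""
    return sum(isp.hosts * isp.host_mbps for isp in isps) / 1000


def contended_estimate_gbps(isps: List[Isp], transit_caps_gbps: List[float]) -> float:
    """Ellis-style arithmetic: hosts contend for their own ISP's uplink first,
    then the combined flow is limited by every transit link it has to cross."""
    per_isp = [min(isp.hosts * isp.host_mbps / 1000, isp.uplink_gbps) for isp in isps]
    total = sum(per_isp)
    for cap in transit_caps_gbps:
        total = min(total, cap)
    return total


# Constructed sample: a million bots spread over four access ISPs, 1 Mbps each,
# so the naive sum is exactly the 1 Tbps figure discussed in the article.
SAMPLE_ISPS = [
    Isp("access-isp-a", 250_000, 1.0, 40.0),
    Isp("access-isp-b", 250_000, 1.0, 40.0),
    Isp("access-isp-c", 250_000, 1.0, 40.0),
    Isp("access-isp-d", 250_000, 1.0, 40.0),
]
# Constructed transit path toward the target: a 300 Gbps peering link, then a 100 Gbps link.
SAMPLE_TRANSIT_GBPS = [300.0, 100.0]

if __name__ == "__main__":
    print(f"naive:      {naive_estimate_gbps(SAMPLE_ISPS):.1f} Gbps")
    print(f"ISP-capped: {contended_estimate_gbps(SAMPLE_ISPS, []):.1f} Gbps")
    print(f"path-capped:{contended_estimate_gbps(SAMPLE_ISPS, SAMPLE_TRANSIT_GBPS):.1f} Gbps")
```

The same shape of calculation is what a defender uses for capacity planning: the number that matters is the narrowest link between the bots and the target, not the sum of the bots' access speeds.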
The 1 Tbps estimate also assumed that mobile devices would be used in these DDoS attacks, but wide-scale compromise of mobile devices to join a botnet "has not happened to any real extent yet," Jevans said. Sure, it's possible, but they would likely overwhelm the wireless service providers first, Jevans said.
Maintaining a botnet that big is also a challenge. A DDoS Armageddon would need tens of millions of infected machines working together, Jevans said. However, the security community is getting better at isolating the command-and-control (C&C) servers that control the botnets, he pointed out. Take a C&C down, and that botnet is seriously impaired, requiring the botmaster to start all over again.
Recent DDoS attacks have shown they are capable of taking down even the largest Internet service providers, and larger attacks appear to be the trend, Jason Lewis, chief scientist at Lookingglass Cyber Solutions, told SecurityWeek. There is a potential issue where several organizations using the same ISP are attacked at the same time, and the ISP and its upstream provider get overloaded trying to mitigate multiple attacks simultaneously.
With enough compromised hosts, anything is possible, even the kind of mass-scale attack described by Arbor Networks, but the Internet is designed to be tolerant of problems, Lewis said. Jevans agreed, noting that the Internet has a lot of redundancy built-in. An attacker may be able to seriously impede the operations of a few data centers, but there are ways to mitigate the problems upstream.
"The resources required to shutdown every major ISP probably don’t exist," Lewis said.
Organizations are increasingly worrying about the prospect of DDoS attacks so large and complex that they can't defend against them, Morales said. The issue became even more prominent this year, with the wave of DDoS attacks that hit banks and financial services institutions in the United States in September and October. Some of the attacks were over 100 Gbps, and despite having warning that the attacks were coming, the institutions all experienced some disruption and downtime.
Size really isn't the issue when it comes to DDoS attacks, Ziv Gadot, a senior security analyst at Radware, told SecurityWeek, and Arbor's Morales acknowledged it in his post. The financial sector attacks weren't just large—they were complex as they had a combination of volumetric and application layer attack traffic. DDoS attacks are increasingly using multiple attack vectors over longer periods of time, Gadot said.
The financial services attacks actually proved that the number of compromised hosts may not be as important as the kind of machines making up the botnet launching the attack. Radware discovered that the banking attacks originated from servers in data centers, not machines on residential or commercial networks. These servers generally have more processing power and more bandwidth, making these attacks more potent than the norm while using fewer bots. The power of five servers is roughly equal to that of about 100 bot clients, Gadot said.
However, even though the banks were hit by some of the biggest DDoS attacks ever, this appeared to cause issues only for customers visiting those websites. "The DDoS was huge for those involved, but the rest of the Internet was mostly unaware," Lewis said.
Akamai's Ellis believes large-scale attacks attempting to shut down sections of the Internet have already happened "in some capacity." Back in 2003, the Slammer worm managed to take out a number of Internet service providers for a weekend. While "the Internet was fine by Monday morning," the attack underscored how a DDoS Armageddon attack may affect providers, Ellis said.
However, it's important to remember that DDoS isn't an "apocalyptic event that destroys infrastructure," Ellis said. Rather, it is a "suppressive tactic," as impacted systems bounce right back to normal operation after the attack ends.
"DDoS attacks are more like traffic jams (and, LA residents' experience notwithstanding, we don't really have Carmageddons) – highly disruptive, but able to be cleared," Ellis said.
Radware's Gadot also noted the bigger an attack, the easier it is for defenders to begin mitigating it.
Even if the technical aspects are possible, security experts agreed that the motivation wasn't really there. While it makes for a great threat (like the one from Anonymous), hacktivists don't really want to shut down their primary means of getting their message heard, and criminals don't want to shut down their source of income. Even Arbor's Morales thought the attacks would be unlikely, as "it would affect everyone on the Internet and not just a single victim."
"That said, many attacks that didn’t seem likely before are now becoming commonplace as motivations have shifted," Morales added.
While "Armageddon attacks" can theoretically happen, worrying about the possibility of one occurring does not make sense, Mike Lloyd, CTO of RedSeal Networks, told SecurityWeek. Those capable of executing such an attack have so much to lose, since they would also be impacted, that such an attack does not appear to be imminent, he said.
"It's also possible to build a hydrogen bomb large enough to destroy the earth, but so far, nobody has chosen to do so," Lloyd said.
However, it's important to realize that attackers are well-armed, have powerful weapons, and can reach across the globe to hit anywhere, Lloyd said. As the arms race escalates between the good guys and bad guys, the defenders have to understand their defenses.
Even leaving aside the Armageddon discussion, Arbor makes a valid point in saying that DDoS attacks are serious threats and organizations should be taking them seriously, Lewis said. Attacks are growing in size and attackers are employing new tactics. As soon as defenders figure out a strategy to handle a certain type of attack, the attackers come up with an entirely new method, making defenses obsolete, Lewis said.
Unfortunately, there are millions of compromised hosts on the Internet, so increasingly larger attacks will be a reality for some time until the compromised hosts are dealt with, Lewis said.