I am an optimist by nature, which often makes me a minority amongst many of my colleagues in the security sector. Despite my optimism, I live in fear of a coming Distributed Denial of Service (DDoS) disaster.
In August 2011, the Hong Kong Stock Exchange had to suspend trading in well-known companies such as HSBC and Cathay Pacific after the website it uses to publish regulatory announcements was taken down by a massive DDoS attack. The exchange had security staff, mitigation experts and outside consultants, yet the attack still brought trading to a halt. Think about what the same thing would do to you.
I speak from direct experience. My company manages a significant portion of the domain name system and operates authoritative name servers in dozens of locations around the world. We are no stranger to DDoS attacks. But this awareness of the threat, and of the need to prepare for it, has yet to permeate mainstream companies, which exhibit a curious lethargy when I ask about their DDoS preparedness. “Hacking attacks, do you mean?” they ask kindly. “No,” I respond (sometimes a bit sharply), “DDoS attacks – the attacks you will struggle to respond to once they hit your mission-critical systems. The attacks you don’t see coming until it is too late.”
In the simplest of terms, DDoS attacks attempt to render individual machines or entire networks unavailable for their intended audience. While methods and motives vary, the attacks are executed by individuals or groups to interrupt (or indefinitely suspend) the services of the attack target.
How DDoS Attacks Work
For example, consider the .ORG domain and my company, Afilias, the back-end operator for that domain. One of our primary duties is to ensure that when someone types an address into a browser – for example, redcross.org – the browser indeed reaches that destination. The DNS records that map the name to the site’s servers are held in our registry database and published to authoritative name servers around the world, so a desktop user in California and an iPad user in Beijing both end up at the same place when they type the same address.
Legitimate DNS queries and DDoS traffic look identical at the start: both ask for directions to a specific site. The difference is that DDoS requests don’t wait for an answer; they ask incessantly, often from many forged (spoofed) source addresses, and throw away any answers they receive. Because a DNS query over UDP needs no handshake, forging the source address is trivial, and the answers are simply delivered to whichever address was written on the packet. This happens hundreds of millions of times in a very short period. The result? The server, site or network resource is overwhelmed by this tsunami of legitimate-looking queries and becomes unavailable to its intended users.
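The flood described above is hard to spot if you only watch individual client addresses, because each spoofed source sends a handful of queries. The following is an added example, not code from the original article or from Afilias: it runs a rate-based check over a constructed query log (the log format, the thresholds and the addresses are all assumptions) and shows that a per-source rate limit sees nothing while aggregating by queried name exposes the attack.

```python
"""Rate-based detection of a DNS query flood on an authoritative server.

Constructed sample data and an assumed log format; this is illustrative code,
not Afilias tooling. Each log line: <epoch seconds> <source IP> <qname> <qtype>
"""
from collections import Counter, defaultdict


def build_sample_log():
    """Constructed query log: a few legitimate resolvers plus a flood.

    The flood asks for one name 2,500 times in 2.5 seconds, cycling through
    250 forged source addresses, so no single source looks busy.
    """
    legit = [
        "1000.01 192.0.2.10 redcross.org A",
        "1000.02 192.0.2.10 redcross.org AAAA",
        "1000.05 198.51.100.7 example.org A",
        "1000.90 198.51.100.22 redcross.org MX",
    ]
    flood = [
        f"{1000.0 + i * 0.001:.3f} 203.0.113.{i % 250 + 1} redcross.org A"
        for i in range(2500)
    ]
    return "\n".join(legit + flood)


def parse_log(text):
    """Parse log lines into (timestamp, source, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, qname, qtype = line.split()
        records.append((float(ts), src, qname.lower().rstrip("."), qtype))
    return records


def peak_qps(records, key):
    """Peak queries-per-second per key, bucketing timestamps to whole seconds."""
    buckets = defaultdict(Counter)
    for ts, src, qname, _qtype in records:
        buckets[key(src, qname)][int(ts)] += 1
    return {k: max(c.values()) for k, c in buckets.items()}


def detect_flood(records, per_source_qps=50, per_qname_qps=500):
    """Flag names under a flood and sources that are individually noisy.

    Per-source thresholds are what a naive rate limiter applies; they miss a
    flood spread over many spoofed addresses. Aggregating by queried name
    (or by the whole server) catches it, and the distinct-source count shows
    why blocking individual addresses would not help.
    """
    by_source = peak_qps(records, lambda src, qname: src)
    by_name = peak_qps(records, lambda src, qname: qname)

    sources_per_name = defaultdict(set)
    for _ts, src, qname, _qtype in records:
        sources_per_name[qname].add(src)

    noisy_sources = sorted(s for s, r in by_source.items() if r > per_source_qps)
    flooded = {
        qname: {
            "peak_qps": rate,
            "distinct_sources": len(sources_per_name[qname]),
            "max_source_qps": max(by_source[s] for s in sources_per_name[qname]),
        }
        for qname, rate in by_name.items()
        if rate > per_qname_qps
    }
    return {"noisy_sources": noisy_sources, "flooded_names": flooded}


if __name__ == "__main__":
    report = detect_flood(parse_log(build_sample_log()))
    print("Sources over the per-source limit:", report["noisy_sources"] or "none")
    for name, info in report["flooded_names"].items():
        print(f"{name}: {info['peak_qps']} qps peak from "
              f"{info['distinct_sources']} sources, busiest source "
              f"{info['max_source_qps']} qps")
```

On the constructed log no source ever exceeds a few queries per second, so the per-source list comes back empty, while redcross.org peaks at over a thousand queries per second from 252 distinct addresses. That gap between the two views is the practical lesson: mitigation for a spoofed flood has to act on aggregate query or response rates (response rate limiting, anycast capacity, upstream scrubbing), not on blocklists of individual addresses.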
With millions of sites around the world using the .ORG domain, it’s no surprise that .ORG sites are popular, and increasingly frequent, DDoS attack targets. In 2011, for example, the number of attacks aimed at .ORG sites increased by a factor of 18. Staying ahead of potential attacks on 10 million .ORG domains worldwide is a huge and expensive challenge.
An Ounce of Prevention is Worth a Pound of Cure
If you’re a network provider, the most effective ounce of prevention is to educate your end users, who, despite their comparatively advanced understanding of technology, remain unaware that many DDoS attacks originate on PCs and other devices connected to the Internet at home, in the office or on the go. Once you’ve educated your end users, it should be easier to persuade them to authorize you to take action on their behalf before, during or after an attack.
And these attacks are not the exclusive problem of large, global entities. Far from it.
If you are a user, it’s critical to bear in mind that any device connected to the Internet can be used as part of a worldwide network of zombie computers (devices taken over without the owner’s knowledge). Once a device is hijacked, it joins a global group of compromised machines, a “botnet”, that can be harnessed to attack at a moment’s notice by joining the massive flood of requests for directions to a particular site.
Because a hijacked device keeps working normally for its owner while it is quietly put to work for someone else, the owner rarely notices, and anti-virus software alone is not a reliable defence. Most ISPs, however, have programs in place that monitor the traffic patterns of customer connections. Probably the single biggest thing you can do to defend your connected devices is to ensure that your ISP watches for the outbound traffic signature of a botnet before an attack builds, and that it can notify you and help scan your devices for the bot software that turns them into zombies.
DDoS attacks are now a routine part of attacks on companies of all sizes. Building DDoS mitigation into your crisis planning and risk management is no longer optional. Failing to plan for a DDoS disaster is like playing with fire.