A denial of service attack on your business can seem like a hundred thousand angry callers trying to reach your lone corporate land line only to get constant busy signals. Since November 18, 1999, the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon has warned, “We have received reports of intruders installing distributed denial of service tools. Tools we have encountered utilize distributed technology to create large networks of hosts capable of launching large coordinated packet flooding denial of service attacks.”
Ever since criminals have developed distributed denial of service (DDoS) attacks as tools for their amusement and vanity (2000), extortion and competition (2003), political opposition (2007), hacktivism (2008), and cyber terrorism (2013). But it took major attacks (reportedly exceeding 50 Gbps in volume) against large U.S. financial institutions and an alleged 300 Gbps attack against spam-tracking service Spamhaus to substantially attract attention to the DDoS problem, yet many still are not listening.
The problem is significant, as attacks have grown to sizes that routinely impact telecommunications infrastructure of the largest carriers, threatening the stability of the Internet itself. This threat is so severe and growing at such a rate that the majority of companies and providers of telecommunications infrastructure are unable to entirely defend themselves when targeted by large DDoS attacks. If these companies do not begin rapidly scaling their capabilities immediately, the results could be catastrophic.
DDoS attackers collect hundreds, thousands, or even tens of thousands of generally infected or poorly configured clients and servers, making those servers vulnerable to control or manipulation by attackers who want to make those targets inaccessible on the Internet. For instance, one of the most common high-volume attack vectors is the result of an open DNS resolver, where the attacker takes advantage of an extremely poor configuration on the DNS server to send spoofed packets, resulting in a substantially amplified response to the spoofed source, taking that system or even the entire network offline. The consequences of these attacks are far reaching, and the problem is not isolated to the primary target.
Victims of DDoS attacks include:
- Consumers – Systems and websites that are offline make it more difficult to use the Internet for commerce.
- Companies – Organizations sustain substantial damage to sales and reputation for each minute that a site or network is offline.
- Infrastructure – Providers of Internet infrastructure suffer latency, saturation and outages as malicious traffic saturates peering points and transoceanic cables.
- Government – Law enforcement agencies and militaries spend billions to protect public infrastructure, diverting tax revenue and defense resources.
- Society – Widespread attacks destabilize the Internet, resulting in the potential for cascading economic catastrophes.
Companies and providers of telecommunications infrastructure are best situated to take precautions to deal with the inevitable impact of DDoS attacks. In information security, management systematically evaluates risks of all types and determines the cost of mitigating the risk or the consequence of accepting or ignoring the risk. This allows the manager to determine the return on investment of implementing a DDoS mitigation strategy.
Surprisingly, many organizations choose to ignore the risk or implement mitigation plans that are woefully insufficient. Some have decided that implementing a mitigation strategy “only when it is needed,” is an effective strategy. In reality, this is an incredibly dangerous position that is not worthy of being defined as a “strategy.” There is an ill-conceived school of thought that infrastructure providers can exist without DDoS protection by dropping any customer that is targeted by an attack. Many think that DDoS attacks only hit abusive users, but this is no longer the case. Every company – small or large – is at risk of a debilitating DDoS attack. Few have DDoS protection, placing the future of their companies at risk.
On November 4, 2013 an Internet relay chat (IRC) server company was targeted with a 243.79 Gbps (63.78 million packets per second) DDoS attack. If your company was targeted with this same attack, would you be able to survive? For the majority, the answer is a resounding “no.”
Many enterprises continue to operate on single gigabit capacity infrastructure. This is especially true for those outside of North America or Europe, places where big bandwidth is often scarce and substantially more expensive. For a company that does not have a sufficient DDoS contingency plan in place, here is what one could expect:
- T+0 minutes – The website begins crawling and quickly comes to a complete halt; on-duty staff begin frantically searching for a root cause.
- T+2 minutes – The network comes to a complete halt, all commerce stops, revenue falls, emergency pagers go off, and escalation teams begin crawling out of bed.
- T+20 minutes – Escalation teams are at their desks and begin looking for a way into the Web server and network routers to determine the reason for outage.
- T+45 minutes – An engineer arrives at the data center and consults the edge router; the network is completely saturated. He calls the carrier, but the line is busy due to a flood of emergency calls. Twitter erupts with rumors about why the company is down, and customers begin to panic.
- T+2 hours – The management team is briefed. Everyone is panicking. The company needs a DDoS mitigation solution. The IT team contacts various companies, only to find that the quotes for service are astronomical and require 12-month contracts at inflated emergency rates. The company, under duress, has no choice but to sign.
- T+3 hours – The DDoS mitigation company restores service.
- T+24 hours – Management expected $2 million in sales revenue that day at a 40 percent margin. Losses are estimated at $267,000 in lost profit, $360,000 in overpriced emergency DDoS mitigation services, and $9,000 in engineering time for a total initial loss of $636,000. Damage to the company’s reputation is incalculable. How could a major brand be down for three full hours? Why did the company not prepare in advance?
- T+96 hours – The company drops from #1 to #6 in Google for top keywords, and sales decline by 50 percent.
- T+1 month – The company finally recovers its top Google position. Total damages from the attack are now at $12,636,000.
This scenario represents a best-case scenario, assuming that engineers and management can ascertain the problem and react appropriately in a short period of time. If the company had not acted appropriately, the reputation damage could have been irreparable by the end of the following day.
Today, this type of incident occurs frequently. While many companies are performing risk analysis and taking measures to defend their websites and networks, many continue to swear by the hope-and-pray method or simply resort to the “it’s not in the budget” excuse. As we venture into the future, the Internet will change substantially; it will regress a bit but emerge stronger.
In the future, the cost of e-commerce will increase as a result of substantially higher information security costs while the incidence of successful DDoS attacks will decline. The best prepared companies will survive in the natural selection of information security.
[image via thinkstock]