The DDoS Explosion Has Only Just Begun
There is a surge of DDoS attacks right now, and the evidence is that the onslaught is not going away, warns Tom Brewster
You may have noticed a recent spike in distributed denial of service (DDoS) attacks. Over the past two weeks some big guns have been shot down. The websites of Virgin, TalkTalk, Avaaz and the Serious Organised Crime Agency (SOCA) have all taken a pounding, alongside numerous others.
This surge in activity is not something to scoff at. Whilst hacktivists like Anonymous and LulzSec members showed how potent a weapon DDoS is last year, 2012 will see a significant rise in the number of web servers crippled by traffic overloads. The crest of the wave has not yet reached its peak. Far from it.
That’s largely because of the growth of a free and easy-to-use DDoS tool: the Low Orbit Ion Cannon (LOIC). It has been the Gatling gun of the hacktivists’ arsenal since the beginning of their activity. But this year, hundreds of thousands have already added it to their armoury. In 2011, there were 381,976 downloads of LOIC. In just four months in 2012, that figure has been surpassed, according to data from Imperva.
LOIC lunacy
This amounts to 3,432 downloads per day, or 142 downloads every hour. Downloads may have dropped off since 22 April, but Imperva believes that is because a JavaScript version was created which requires no download whatsoever. It was this JavaScript LOIC that was responsible for smashing the websites of Brazilian banks in February.
What can LOIC do? This cannon has two separate barrels for different kinds of DDoS hits. It can either flood the network with traffic, or overload an app with too many hits.
The rise in LOIC downloads is startling, but there are other tools that can do an even more effective job of knocking web services offline. The Slowloris piece of software is one of the most insidious weapons: it disables a web server by pushing out continuous partial HTTP requests, keeping as many connections to the target web server open for as long as possible, thereby swamping sockets without needing massive traffic rates. That makes it pretty difficult for IT teams to identify a Slowloris attack.
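As an added illustration of what a Slowloris attack looks like from the defender’s side (example code written for this article, not from any vendor or tool named here), the script below scans a constructed connection-state snapshot and flags sources holding many long-lived connections whose request headers never completed, the pattern that bandwidth thresholds miss; the field layout and thresholds are assumptions.

```python
"""Flag Slowloris-style socket exhaustion from a connection-state snapshot.

Slowloris sends partial HTTP headers very slowly, so bandwidth thresholds never
fire; the signal is many long-lived connections whose request headers have not
completed, concentrated on a few sources.
"""
from collections import defaultdict

# Constructed snapshot, one tuple per connection, as a server-status page or
# socket-state dump might report it (field layout is an assumption):
# (client IP, seconds open, bytes received so far, request headers complete?)
SNAPSHOT = [
    *[("203.0.113.10", 1, 700, True) for _ in range(5)],  # normal, quick requests
    ("203.0.113.11", 45, 30_000, True),                   # slow upload, headers done
    *[("198.51.100.7", 120 + i, 80, False) for i in range(40)],  # 40 stalled sockets
    ("203.0.113.12", 90, 120, False),                     # genuinely slow client,
    ("203.0.113.12", 95, 110, False),                     # only two sockets
]


def stalled(conn, min_age=30, max_bytes=512):
    """Old, tiny, and headers never finished: the Slowloris per-socket signature."""
    _ip, age, nbytes, headers_done = conn
    return (not headers_done) and age >= min_age and nbytes <= max_bytes


def detect_slowloris(snapshot, per_ip_threshold=10, min_age=30, max_bytes=512):
    """Return {ip: stalled_count} for sources holding too many stalled sockets.

    The threshold is per source IP so a single slow client on a bad link, with
    one or two sockets, is not reported; tune it to the server's worker limit.
    """
    counts = defaultdict(int)
    for conn in snapshot:
        if stalled(conn, min_age, max_bytes):
            counts[conn[0]] += 1
    return {ip: n for ip, n in counts.items() if n >= per_ip_threshold}


def inbound_rate(snapshot):
    """Average bytes/s over the snapshot; shows why a traffic threshold misses this."""
    return sum(c[2] for c in snapshot) / max(c[1] for c in snapshot)


if __name__ == "__main__":
    print("flagged sources:", detect_slowloris(SNAPSHOT))
    print(f"inbound rate ~{inbound_rate(SNAPSHOT):.0f} B/s over {len(SNAPSHOT)} sockets")
```

On the constructed snapshot only 198.51.100.7 is reported, while the aggregate inbound rate stays in the low hundreds of bytes per second, which is exactly why a volume-based alarm stays quiet.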
For businesses, this DDoS wave is serious. If, after a risk assessment, they recognise they are a target, some serious expenditure might be necessary if they want to keep their sites standing. If we look at the case of Avaaz, the company told TechWeekEurope it needed more money to deal with DDoS hits despite having a $1 million IT budget. Avaaz went to specialist DDoS defence firm Arbor Networks to help it out, but also had to bring in web application professionals Croscon to audit its servers.
There are a number of other options on the table for potential victims.
Companies could chuck their website onto a public cloud, such as Amazon. That should be able to handle the traffic, but if a DDoS does hit, it may result in astronomical Infrastructure-as-a-Service (IaaS) costs for no benefit. There’s not a massive amount of proof that putting things in public clouds helps ease the DDoS pain anyway. It’s probably not the wisest route.
It might be a better idea to ask the relevant ISP or hosting company what they can do to help mitigate DDoS disasters, as professional services can make a big difference. Otherwise, you’re looking at hardcore hardware and software that can do serious deep-packet inspection if you’re looking to protect against things like Slowloris.
But the fact is, no matter how much money is spent, DDoS attacks can take down any website if they hit the right spot. Those organisations that do think they are in the crosshairs of Anonymous et al, and know they stand to lose business if their site is brought down, will have to consider their options. Unfortunately, protection from the DDoS onslaught won’t come cheap. Nor will it guarantee websites’ safety.
One can only hope that calls from the likes of the Pirate Bay to end DDoS protest action will have an impact. But when people have weapons, they tend to use them.