The truth about the DDoS threat, the elephant in the room

Recently TechEye was hit by a particularly nasty distributed denial of service (DDoS) attack. At first we, deluded as always, thought our servers were getting a thumping from Slashdot. The attackers will be happy to know that it took us time, effort and, yes, dosh to scramble around trying to fix it. WebScreen, which as far as we are aware is the only outfit offering thorough DDoS protection in the UK, jumped to our rescue. Thank you, WebScreen. Anyway, TechEye decided it would be a good idea to have a chat with Paul Bristow, WebScreen's Chief Operating Officer.

It's such a hot topic at the moment. Anonymous is taking down, by way of DDoS attacks, legal firms who don't quite "get it". Nationally, Cameron is planning to spend a billion on cyber "defence", and internationally the US Department of Homeland Security has announced that a computing cold war is on the cards.

But let's start in more humble territory. Despite the high profile of DDoS, why on earth isn't more protection offered, by ISPs or by data centres? Why doesn't it come as standard? Could it be that these companies don't give a hoot about adequate protection against a threat that is relatively easy to pull off and potentially very damaging, unless there's a way to spin money from it?

Bristow tells us that, bar none, the easiest people to sell to are those who are already under attack or have been under attack. Normally people think they don't need to spend that money if they don't have to; it's another business cost most regard as optional, until it happens. The reason you don't see DDoS in everyday discussion, unlike firewalls, password protection, encryption and data security, is that it's not... sexy.

DDoS attacks first made headlines in 2000. Ten years is a very long time for a threat to go unaddressed, considering how wide open an attack leaves you.

Commentators would have you believe that denial of service attacks peaked around 2005, but that is factually nonsensical. Remember when it was alleged that agents in North Korea DDoS'd their capitalist neighbours in the south just last July? And in August the social network staples Twitter and Facebook were both hit by DDoS attacks, with Twitter knocked offline and Facebook slowed to a crawl. These aren't small businesses: Facebook is widely reported to run some of the largest data centres in the world.

The threats are out there because it's such an easily accessible route to take. Bristow puts it this way: consider that you are a start-up or a small business, not tiny but up to $15 million, with a marketing budget. Theoretically you could spend a good chunk of it on a TV campaign, or for a great deal less you could seek the services of someone who will coordinate a DDoS attack against a rival for you.

They exist and they're everywhere, but they tend to operate locally. So if you're a company in the UK, you can look in your own back garden and, for the right price, relatively cheaply, find someone who will carry out an attack for you. Bristow tells us this is undoubtedly happening. Backing it up is that calls tend to come in threes: recently three jewellery retailers independently got in touch with WebScreen within days of each other.

And there's no protection from an ISP. A company under attack must convince its ISP to restore service after it has been taken down, all while losing money from being offline. The way the ISP sees it is essentially "you've got your traffic and used your bandwidth"; it doesn't matter to them that it all arrived in the space of thousands of access requests a second. "There is no doubt about that," WebScreen says.

"All DDoS attacks in the early days were from organised crime to put rivals in online gaming or pornography out of business, or to extort money," Bristow tells TechEye, "but the whole thing has moved on now."

There are websites where you provide your credit card details and hire a botnet for an hour. It is a fact, says WebScreen, that you can even take a three-minute try-before-you-buy, just to show you that it works. These services play in their own back yard: the bot capacity is drawn from attackers in the places you'd expect, China, Russia, India, but the service itself is sold locally and used against local businesses.

The technical capabilities of the attackers are second to none, and the attacks are "almost impossible" to block by origin unless you have a very tightly defined geographic audience: wherever the traffic comes from today, it will shift location tomorrow.

More worryingly, WebScreen tells TechEye that, with the news media's enormous presence online, some companies are seeing DDoS attacks as a "crude alternative" to filing expensive writs through the proper legal channels.

And people in the professional gaming space are getting whacked by competitors too. As long as you can figure out a rival's IP addresses it's entirely possible to take them out before an important competition or online event. And it's happening. "80 or 90 percent of these attacks go unreported," Bristow says. "No one we have worked with has publicly reported anything." There are people in the online gaming industry who have been taken offline for the most important weeks of their calendar year, and it's a fact that they have lost huge sums. Not turnover, but profit.

The reason for the lack of reports is that it's like "a red rag to a bull". If you announce to your competitors that you are getting attacked, you are announcing a weakness and opening a window of opportunity. That brings us to another topic: socio-political attacks.

With the ease of connectivity, and the success and wide reach of social networks, you can gather enough people behind a common ideal, whatever that may be, to form an attack force. A good recent example is, of course, Anonymous.

Anonymous realised that together it had the means to be a thorn in the side of the bullish recording industry and its legal agents. If you can rouse enough people to be passionate about a single topic you can pose a real threat to the unprotected. Remember again how difficult it is to trace a DDoS: the traffic arrives from thousands of machines rather than from the person who ordered it. Such attacks rarely result in prosecution because investigations demand an awful lot of resources and money; one exception to the rule is the DDoS attacks on the Scientology website, which ended in fines and someone being thrown in the clink.

To conclude, then, the DDoS threat is being widely ignored. New derivatives are being cooked up all the time, for example the latest, called slow and low (more commonly "low and slow"): instead of flooding the pipe with traffic, it holds large numbers of half-finished requests open until back-end servers run out of capacity and stop answering, which is a very tough technique to combat. It has been evolving for ten years. Social networking gives it a whole new dimension. Governments are starting to wise up, but that's worrying news for a different article.
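The "low and slow" technique is worth seeing in miniature, because it explains why a bandwidth-based view of DDoS ("you used your traffic") misses it entirely. The following is an added example written for this article, not WebScreen code and not a description of its product. It models a server with a fixed number of connection slots, an attack in which each bot sends a request line and then drips one bogus header every ten seconds without ever sending the blank line that ends the headers, and the two server-side controls that blunt it: a deadline for completing the headers and a cap on concurrent connections per source address. All IP addresses, the slot counts and the event timeline are constructed for the example.

```python
"""Model of a 'low and slow' HTTP attack and two server-side controls that blunt it.
Added illustration for this article, not WebScreen code; every address, limit and
event in the timeline below is constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Event = Tuple[float, str, str, object]   # (time, "open" | "data", conn_id, src ip or bytes)


@dataclass
class Policy:
    max_conns: int = 50                     # back-end worker / connection slots
    header_deadline: float = float("inf")   # seconds allowed to finish the request headers
    per_ip_cap: int = 10 ** 9               # concurrent connections allowed per source IP


@dataclass
class Conn:
    ip: str
    opened: float
    buf: bytes = b""


@dataclass
class Outcome:
    served: List[str] = field(default_factory=list)
    refused: List[str] = field(default_factory=list)
    timed_out: List[str] = field(default_factory=list)


def serve(events: List[Event], policy: Policy) -> Outcome:
    """Replay a timeline of connects and received bytes against a server that only
    counts a request as complete once the blank line ending the headers (CRLF CRLF)
    has arrived.  A slot is freed on completion or when the header deadline passes."""
    open_conns: Dict[str, Conn] = {}
    out = Outcome()
    for t, kind, cid, payload in sorted(events, key=lambda e: e[0]):   # stable sort
        # Control 1: reap any connection that has held a slot past the header deadline.
        for stale in [c for c, k in open_conns.items() if t - k.opened > policy.header_deadline]:
            out.timed_out.append(stale)
            del open_conns[stale]
        if kind == "open":
            ip = str(payload)
            from_ip = sum(1 for k in open_conns.values() if k.ip == ip)
            # Control 2: per-source cap, checked alongside the global slot limit.
            if len(open_conns) >= policy.max_conns or from_ip >= policy.per_ip_cap:
                out.refused.append(cid)
            else:
                open_conns[cid] = Conn(ip, t)
        elif kind == "data" and cid in open_conns:   # bytes for refused/reaped conns are dropped
            conn = open_conns[cid]
            conn.buf += payload                       # type: ignore[operator]
            if b"\r\n\r\n" in conn.buf:
                out.served.append(cid)
                del open_conns[cid]
    return out


def slow_attack(n_bots: int, duration: float, interval: float,
                single_ip: Optional[str] = None) -> List[Event]:
    """Each bot opens one connection at t=0, sends a plausible request line and Host
    header, then drips one bogus header every `interval` seconds and never sends the
    terminating blank line, so the slot stays occupied while almost no bytes flow."""
    events: List[Event] = []
    for i in range(n_bots):
        cid = f"bot{i}"
        ip = single_ip or f"10.0.{i // 256}.{i % 256}"     # constructed bot addresses
        events.append((0.0, "open", cid, ip))
        events.append((0.0, "data", cid, b"GET / HTTP/1.1\r\nHost: victim.example\r\n"))
        t = interval
        while t <= duration:
            events.append((t, "data", cid, f"X-a: {i}\r\n".encode()))
            t += interval
    return events


def legit_request(t: float, cid: str, ip: str) -> List[Event]:
    """A normal client: connects and sends a complete request straight away."""
    return [(t, "open", cid, ip),
            (t, "data", cid, b"GET /index.html HTTP/1.1\r\nHost: victim.example\r\n\r\n")]


def run_scenarios() -> Dict[str, Outcome]:
    customer = legit_request(30.0, "customer", "203.0.113.7")
    botnet = slow_attack(n_bots=80, duration=120.0, interval=10.0)
    one_box = slow_attack(n_bots=80, duration=120.0, interval=10.0, single_ip="198.51.100.9")
    return {
        # 80 distributed bots against 50 slots and no deadline: the customer never gets in.
        "naive": serve(botnet + customer, Policy(max_conns=50)),
        # Same attack, but headers must complete within 15 s, so the slots are reclaimed.
        "deadline": serve(botnet + customer, Policy(max_conns=50, header_deadline=15.0)),
        # 80 connections from one address: a per-source cap alone keeps 45 slots free.
        "per_ip_cap": serve(one_box + customer, Policy(max_conns=50, per_ip_cap=5)),
    }


if __name__ == "__main__":
    for name, o in run_scenarios().items():
        print(f"{name:11s} served={o.served} refused={len(o.refused)} timed_out={len(o.timed_out)}")
```

The point the model makes is that the attack costs the attacker a few bytes every ten seconds per connection, so nothing in a bandwidth graph moves; what is exhausted is the server's concurrency. The header deadline alone is not a complete answer, because real tools simply reconnect when dropped, which is why the per-source cap (and, against a distributed botnet, upstream filtering of the kind the article describes) has to sit beside it.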

"Statistically, DDoS is the elephant in the room. Attacks are increasing in number, power and sophistication, and there is an increase in new derivatives and socio-political attacks," WebScreen tells us.

WebScreen really saved our bacon, so we're more than happy to tell you that its technology intelligently understands traffic flows and controls them on the way to a website: you can see everything coming in or going out, and it gives you the ability to tune your network. It is the first company in the world to offer a commercially available anti-DDoS system, and the only British and European provider. Paul Bristow tells us he thinks WebScreen is "at the forefront of research".