A brief history of DDoS… and how to defend yourself and your customers

Davey Winder

It is, unfortunately, all too well known that a successful DDoS attack can flood your network, site or service with traffic, grind it to a halt and effectively take you out of business. But how did it all start, and how can managed service providers (MSPs) help put a stop to it?

In 1995, an Italian political collective called the Strano Network implemented the now infamous ‘Net Strike’ against various French government websites in protest against nuclear policies. This was the first Distributed Denial of Service (DDoS) attack I can recall hearing about as a veteran IT security journalist. The attack only lasted an hour, partly because Internet connectivity was costly and partly because the attack technology of the time was primitive and required the participants to stay glued to their terminals.

Within a couple of years that technology had advanced, in great part courtesy of the Electronic Disturbance Theater (EDT) group, which developed its own attack tools in-house. None was more effective than FloodNet, which made targeted DDoS attacks a point and click affair. These ‘sit-ins’, as EDT called their attacks, hit both US and Mexican government sites as the 90s drew to a close.

From activism to hacktivism

Fast forward 10 years and Anonymous managed to really exploit the notion of point-and-click attack technology combined with crowd-sourced activism. The weapon of choice that facilitated the success of Anonymous was the Low Orbit Ion Cannon (LOIC). This software essentially connected users, via an easy-to-use interface, to a vast network of computer resources: a botnet. The thing to keep in mind is that this was not a zombie network of malware-infected PCs and unaware owners, but rather people volunteering their own resources to an attack. A target was chosen, the cannon was pointed at that site, and when the command was given everyone fired…

Hacktivism makes DDoS sound like a legitimate method of protest, but the truth is it’s far more likely to be used for criminal gain. Just look at some of the bigger attacks of recent times, both in terms of the bandwidth used and the media headlines generated, if proof were needed. When the LizardSquad took out both the PlayStation Network and Microsoft’s Xbox Live over the 2014 festive period, it wasn’t for the “lolz” or to make a political point. It was a marketing tool to get publicity for the “Lizard Stresser” DDoS-for-hire service it was touting on the dark web. Similarly, at the start of this year, when New World Hacking claimed responsibility for what was reported as the biggest DDoS attack by volume of traffic, a 600Gbps volumetric attack against the BBC, the reason was to show what its “BangStresser” tool was capable of.

Perhaps understandably, it’s these big downtime attacks that attract the equally big media headlines. There’s an instinctive tendency for reporters to be attracted to the “largest DDoS attack ever”, yet there’s a case to be made that smaller attacks are more worrying. These lower-level attacks, lasting for shorter periods and degrading network performance without closing it down altogether, are most often used as a smokescreen for other malicious activity. The targeted business finds its IT teams distracted with the job of getting the network/site running at full capacity; meanwhile the attackers are exploiting vulnerabilities, installing malware and so on.

Time to get stressed about DDoS?

According to a recent Infosecurity magazine report, DDoS attacks were up by 149% year-on-year, and showed a 40% spike in the last quarter of 2015 alone. That is no great surprise to anyone who has spent any amount of time researching how the bad guys operate, as the availability and low rental cost of “stresser” botnet resources make them the weapon of choice. And it’s a weapon that causes plenty of collateral damage.

Indeed, according to one recent DDoS Impact Survey, it wasn’t the immediate loss of revenue (34%) that was most damaging to a business, but the ongoing loss of trust (45%) resulting from the attack. Interestingly, that same survey revealed that while 30% were reliant on traditional security defences such as firewalls to defend against DDoS attack, 85% said they thought service providers should be protecting them and half were willing to pay a premium for this protection.

This is good news for managed service providers (MSPs), who are ideally positioned to help combat the DDoS threat. How so? Well, defending against DDoS can be an expensive business as far as getting the right tools and infrastructure in place, but that’s nothing compared to the cost of not having the skillset to properly run your mitigation efforts when under fire.

Five things to take into account when thinking about DDoS defences

1. Some of the routes used to facilitate a successful DDoS attack can be relatively easily mitigated: public servers need to be behind the firewall, the firewall needs to be up to the job, and a content delivery network (CDN) can be a lifesaver.
2. An MSP will bring the expertise that smaller organisations in particular often lack when it comes to DDoS mitigation, and that means the ability not just to install but to properly manage network monitoring resources that can spot an attack as traffic starts to approach a specified threshold.
3. While all organisations are on the radar as far as the DDoS attacker is concerned, those in the ecommerce sector with high revenues but low IT staff numbers sit most squarely in the cross hairs. As such, these are ideal customers for the MSP to sell mitigation services to.
4. Bandwidth buffering might seem like a bad idea, especially when over-provisioning anything has a budgetary implication; but not allowing for a bandwidth buffer is a false economy. Anything that spikes your traffic gets absorbed by such a buffer, so customers don't experience any access problems; if that surge is a malicious one, then over-provisioning buys breathing space in which to recognise and react to it.
5. Compartmentalisation is never a bad idea in terms of business continuity planning, especially when thinking about DDoS impact. If your web server hosting is managed off network, then should it come under DDoS attack that traffic surge isn't going to impact upon your VoIP or email service, for example.
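Points 2 and 4 above come down to two pieces of arithmetic: how far current traffic sits from a configured threshold, and how much of the provisioned headroom a surge has consumed. The following script is an added example written for this article, not a tool from the author or any MSP it mentions. It buckets a constructed request log (one line per request: ISO timestamp, client IP, bytes) into one-second intervals, classifies each second as normal, approaching or exceeded against a hypothetical provisioned capacity of 5 requests per second with an 80% warning line, and reports the remaining headroom and the number of distinct sources, which is what distinguishes a flood from a single busy client. Real deployments would feed it flow or load-balancer data and work in bits per second rather than requests; the log format, IP addresses and capacity figures here are all constructed for illustration.

```python
# Added example: threshold-based traffic-rate monitor (not from the article).
from collections import defaultdict
from datetime import datetime

# Hypothetical provisioning: the service is sized for 5 req/s, and we want a
# warning once traffic reaches 80% of that (the "approaching" band).
CAPACITY_RPS = 5
WARN_FRACTION = 0.8

# Constructed sample log, one request per line: "<ISO timestamp> <client IP> <bytes>".
# Traffic is steady at 2 req/s, then ramps to 4 and 6 req/s from many sources.
SAMPLE_LOG = """\
2016-03-01T10:00:00 198.51.100.7 512
2016-03-01T10:00:00 198.51.100.9 498
2016-03-01T10:00:01 198.51.100.7 512
2016-03-01T10:00:01 203.0.113.21 640
2016-03-01T10:00:02 203.0.113.1 300
2016-03-01T10:00:02 203.0.113.2 300
2016-03-01T10:00:02 203.0.113.3 300
2016-03-01T10:00:02 198.51.100.9 498
2016-03-01T10:00:03 203.0.113.1 300
2016-03-01T10:00:03 203.0.113.2 300
2016-03-01T10:00:03 203.0.113.3 300
2016-03-01T10:00:03 203.0.113.4 300
2016-03-01T10:00:03 203.0.113.5 300
2016-03-01T10:00:03 203.0.113.6 300
"""


def parse_log(text):
    """Bucket requests by second: {datetime: [request_count, byte_count, {source IPs}]}."""
    per_second = defaultdict(lambda: [0, 0, set()])
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, size = line.split()
        second = datetime.fromisoformat(ts).replace(microsecond=0)
        bucket = per_second[second]
        bucket[0] += 1
        bucket[1] += int(size)
        bucket[2].add(ip)
    return per_second


def classify(rps, capacity_rps=CAPACITY_RPS, warn_fraction=WARN_FRACTION):
    """'exceeded' at or above capacity, 'approaching' at or above the warning line, else 'normal'."""
    if rps >= capacity_rps:
        return "exceeded"
    if rps >= capacity_rps * warn_fraction:
        return "approaching"
    return "normal"


def headroom(rps, capacity_rps=CAPACITY_RPS):
    """Spare capacity as a fraction of provisioning; negative means the buffer is used up."""
    return (capacity_rps - rps) / capacity_rps


def monitor(text, capacity_rps=CAPACITY_RPS, warn_fraction=WARN_FRACTION):
    """Return one record per second, in time order, with status, headroom and source count."""
    report = []
    for second, (count, nbytes, sources) in sorted(parse_log(text).items()):
        report.append({
            "second": second.isoformat(),
            "rps": count,
            "bytes": nbytes,
            "sources": len(sources),
            "status": classify(count, capacity_rps, warn_fraction),
            "headroom": headroom(count, capacity_rps),
        })
    return report


def first_alert(report):
    """The first second whose status is not 'normal', or None if traffic stayed within bounds."""
    for rec in report:
        if rec["status"] != "normal":
            return rec
    return None


if __name__ == "__main__":
    for rec in monitor(SAMPLE_LOG):
        print(f"{rec['second']}  {rec['rps']:>2} req/s  {rec['sources']:>2} sources  "
              f"headroom {rec['headroom']:+.0%}  {rec['status']}")
```

The "approaching" band is the part that matters for point 2: an alert raised at 80% of capacity, while the buffer from point 4 is still absorbing the surge, gives the team time to confirm whether the spike is legitimate before the service degrades, whereas alerting only once capacity is exceeded leaves nothing to react with.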
