Security Response

DDoS U Like it’s 1998

Created: 09 May 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:59:41 GMT
Dave Cole

Back in the wild and woolly pre-bust days of ’98, distributed denial of service (DDoS) attacks knocked the froth off of some very high-profile Web sites. Backed by malcode like Trin00 and Stacheldraht, the attacks made headlines everywhere, as online businesses that were the frontrunners of the emerging Internet economy were unexpectedly closed for business while they did battle with the legions of zombie computers slinging packets at them and tying up their systems.

So here we are, approximately eight years later. Trin00 and Stacheldraht have been replaced by much more powerful, multi-purpose successors like Spybot and Gaobot. And the attacks keep coming. The latest Symantec Internet Security Threat Report (March 2006) showed a 51% increase in denial of service attacks over the previous reporting period. That previous period (January 2005 to June 2005) was itself characterized by a gaudy 680% growth, as attacks surged from 119 per day to 927 per day. The number for the second half of 2005 now rests at 1,402 per day, most of these being SYN flood-style attacks with forged (spoofed) source IP addresses, which makes the attacking hosts hard to trace and the floods hard to filter by source.

Why are we still seeing so many DDoS attacks today, years after they first emerged on the scene? The simple answer is that they still work in many cases. I’ll leave the technical explanation to others and focus on the “softer” reasons for the continued success of DDoS attacks, even eight years after they leapt into public consciousness.

First, how many companies have a truly effective incident response plan in place? How many test it to stay sharp? How many of them have processes and procedures specifically for dealing with a DDoS attack? I’m sure there are some, but I’d be willing to bet good money the answer is “not many.” DDoS attacks often catch organizations unprepared and scrambling to develop a defense in time to minimize losses.

Second, botnets have exploded in size and it’s more difficult than ever to beat them back. Botnets in the tens of thousands are by no means unusual. Botnets numbering in the hundreds of thousands of compromised computers are not uncommon. The largest recorded is said to have reached 1.5 million. Even a modestly sized “modern” botnet dwarfs the original “zombie” DDoS attackers in size and sophistication.

Third, while botmasters may be entirely focused on managing the zombie herd, IT and network administrators are typically overwhelmed with tasks, even before a DDoS attack comes knocking at their door. When’s the last time you came into work with an empty calendar and nothing to do for the day? It just doesn’t happen in our “do more with less” economy. Dropping everything to combat an unexpected DDoS attack requires administrators to turn away a throng of unhappy customers and put scheduled projects on hold, while the attacker can focus on their planned assault without the encumbrances of a “normal” occupation.

Fourth, attackers have found new motivations beyond digital vandalism and the “straightforward” disruption of Internet services. There is now evidence of the extortion of online services, such as off-shore gambling and online payment services, most often by botmasters. For example, there was an alleged retaliation against StormPay for the freezing of the transactions of 12daily-Pro.com: StormPay was blasted with up to six gigabits per second in a fairly sophisticated DDoS attack which used DNS amplification to make it harder to block, since the flood arrives from legitimate open DNS resolvers answering spoofed queries rather than from the bots themselves.[1] Beyond extortion and retaliation, you have competitors knocking each other off the Internet: Saad (alias “Jay”) Echouafni falls into this group. He paid $1,000 to Richard Roby of Ohio to launch attacks to knock his competitors offline.[2] Roby pleaded guilty; Echouafni is still on the run. And finally, you have botmaster versus botmaster in the DDoS wars, knocking each other offline in an attempt to grab pole position on victims’ machines. Why scour the Internet for new victims when you can knock another botmaster off their perch and grab their zombies instead?
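The two attack shapes this post mentions, spoofed-source SYN floods and DNS amplification, leave distinct fingerprints in flow records, and the first thing an overwhelmed administrator needs during an attack is a quick way to tell which one they are looking at. The following is an added example, not code from the original post or from Symantec: a small Python triage script over NetFlow-style records. The records, addresses (documentation ranges), and thresholds are constructed for illustration, and the field names and the `Flow` type are assumptions of this example rather than any real exporter's format.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    """One unidirectional flow record (NetFlow-style, simplified; hypothetical schema)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    flags: str      # TCP flag letters seen in the flow, e.g. "S", "SA", "SPA"; "" for UDP
    bytes: int
    packets: int


# Constructed sample records (not a real capture).
# 203.0.113.10 is a web server under a spoofed SYN flood: many one-packet
# SYN-only flows from sources that never answer the SYN/ACK, plus two
# legitimate sessions. 203.0.113.20 is a DNS amplification victim: it sends
# no queries, yet receives large UDP/53 responses from many open resolvers.
# 203.0.113.30 is a normal host: one small query out, one modest answer back.
SAMPLE: List[Flow] = (
    [Flow(f"198.51.100.{i}", 40000 + i, "203.0.113.10", 80, "tcp", "S", 60, 1)
     for i in range(1, 41)]
    + [Flow("192.0.2.5", 51000, "203.0.113.10", 80, "tcp", "SPA", 4200, 9),
       Flow("192.0.2.6", 51001, "203.0.113.10", 80, "tcp", "SPA", 3100, 7)]
    + [Flow(f"192.0.2.{100 + i}", 53, "203.0.113.20", 40000 + i, "udp", "", 3000, 1)
       for i in range(25)]
    + [Flow("203.0.113.30", 33333, "192.0.2.100", 53, "udp", "", 60, 1),
       Flow("192.0.2.100", 53, "203.0.113.30", 33333, "udp", "", 160, 1)]
)


def syn_flood_suspects(flows, min_sources=20, min_syn_only_ratio=0.8):
    """Return {dst: (syn_only_flows, distinct_sources)} for destinations whose
    inbound TCP is dominated by SYN-only flows from many distinct sources.
    A forged source never sees the SYN/ACK, so it never sends the ACK:
    the flow stays a single SYN with no 'A' flag, and the server's
    half-open connection table fills up. Thresholds are illustrative."""
    syn_only: Dict[str, int] = defaultdict(int)
    total: Dict[str, int] = defaultdict(int)
    sources: Dict[str, set] = defaultdict(set)
    for f in flows:
        if f.proto != "tcp":
            continue
        total[f.dst] += 1
        if "S" in f.flags and "A" not in f.flags:
            syn_only[f.dst] += 1
            sources[f.dst].add(f.src)
    return {
        dst: (syn_only[dst], len(sources[dst]))
        for dst in total
        if len(sources[dst]) >= min_sources
        and syn_only[dst] / total[dst] >= min_syn_only_ratio
    }


def dns_amplification_suspects(flows, min_reflectors=10, min_amp_ratio=10.0):
    """Return {dst: (bytes_in_from_53, bytes_out_to_53, reflectors)} for hosts
    receiving far more UDP/53 response bytes than they sent in queries.
    The attacker puts the victim's address in small spoofed queries to open
    resolvers; the resolvers' large answers land on the victim, which sent
    none of the queries, so the in/out byte ratio is extreme and the packets
    come from legitimate resolvers, not from the bots. Thresholds are illustrative."""
    bytes_in: Dict[str, int] = defaultdict(int)
    bytes_out: Dict[str, int] = defaultdict(int)
    reflectors: Dict[str, set] = defaultdict(set)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport == 53:
            bytes_in[f.dst] += f.bytes
            reflectors[f.dst].add(f.src)
        if f.dport == 53:
            bytes_out[f.src] += f.bytes
    suspects = {}
    for host, inbound in bytes_in.items():
        outbound = bytes_out.get(host, 0)
        ratio = inbound / outbound if outbound else float("inf")
        if len(reflectors[host]) >= min_reflectors and ratio >= min_amp_ratio:
            suspects[host] = (inbound, outbound, len(reflectors[host]))
    return suspects


if __name__ == "__main__":
    print("SYN flood suspects:", syn_flood_suspects(SAMPLE))
    print("DNS amplification suspects:", dns_amplification_suspects(SAMPLE))
```

The distinction matters for the response: a spoofed SYN flood is mitigated at the server or upstream (SYN cookies, rate limits on half-open connections), and the source addresses in the records are useless for blocking. A DNS amplification flood has real source addresses, but they belong to open resolvers that are victims too, and filtering by source port 53 would also drop the host's legitimate DNS answers, which is why the post calls it harder to block. Matching on source port 53 alone is a heuristic; in production you would also confirm the payloads are DNS responses.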

There’s no silver bullet for solving the DDoS problem. The security community has not sat idly by for the past eight years while the bad guys have been steadily stepping up their game; rather, we’re engaged in a continual chess match where the black pieces move first and typically have more time to contemplate their offensive. Let’s hope that in another eight years the game has changed and the surprising strength of our defenses has put them on their heels, not the other way around.

References

[1] http://news.netcraft.com/archives/2006/02/10/payment_gateway_stormpay_battling_sustained_ddos_attack.html
[2] http://www.fbi.gov/wanted/fugitives/cyber/echouafni_s.htm