This Industry Perspective was written by Xuhua Bao, Hai Hong and Zhihua Cao of NSFOCUS.
Part one of this two-part series discusses the serious nature of DDoS attacks and introduces some of the many assumptions that could leave networks vulnerable to attack.
DDoS attacks are on the rise, and so are efforts to defeat them. Analysts forecast the global DDoS prevention market to grow at a rate of 19.6 percent over 2013-2018. Growth of that size suggests that DDoS attacks are more than an irritation: people who deal with them know that these attacks not only disrupt operations but also cause financial damage and tarnish reputations.
However, many still don't understand how these attacks operate, and that ignorance is costly. In the discussion that follows, we outline several erroneous beliefs about DDoS attacks that data centers, ISPs and enterprises should be able to recognize.
Error #1: Botnets Are the Source of All DDoS Attacks
This is a commonly held belief, but in fact not all attacks are carried out by botnets of personal computers hijacked by hackers. As technology has advanced, the processing power and bandwidth of the high-performance servers operated by service providers have grown rapidly, and attackers have followed that capacity; the development and use of traditional PC botnets have slowed correspondingly.
Beyond raw processing capability, PCs usually have very limited upstream bandwidth and are online only intermittently. Some attackers have therefore turned to compromised high-performance servers, such as those used in Operation Ababil's attacks on U.S. banks. Nor are attacks always carried out with commandeered machines: the hacking group Anonymous prefers to launch attacks with large numbers of willing participants running attack tools on their own computers. We call this a “voluntary botnet.”
Error #2: Hackers Launch DDoS Attacks to Consume Bandwidth
In fact, DDoS attacks can also be designed to exhaust system and application resources, so the volume of attack traffic is only one of several factors that determine an attack's severity. SYN floods are often mistakenly classed as attacks on network bandwidth. Their primary effect is on the target's connection table: each spoofed SYN makes the server allocate a half-open connection entry that is held until the handshake times out, and a stream of small packets fills that table long before the link is saturated. At exactly the same traffic level, a SYN flood is therefore more damaging to the target host than a UDP flood, whose effect grows only with bandwidth. (SYN cookies, which defer allocating connection state until the handshake completes, are the standard mitigation and one of the first settings to check on an exposed server.)
Error #3: DDoS Attacks Come in One Speed: Rapid
UDP floods, SYN floods, RST floods: when DDoS attacks are mentioned, these are what most people think of, so they assume that all DDoS attacks are flood-type attacks. Although floods account for a large proportion of DDoS attacks, not all attacks are floods.
Aside from floods, there are low-and-slow attack methods. We define the essential nature of a DDoS attack as consuming a large amount of a resource, or occupying it for a long period of time, in order to deny service to other users. Floods consume a large amount of a resource quickly by sending a high volume of data and requests to the target in a short time.
In contrast to the flood's “hare,” low-and-slow attacks are the tortoise. They send requests slowly but persistently, holding resources such as connection slots or worker threads for a long time and eating away at the target's capacity bit by bit, all while generating too little traffic to stand out on a bandwidth graph. If a DDoS attack is an assassination, a flood is an assassin with a machine gun at close range; a low-and-slow attack is death by a thousand cuts.
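The two points above, that a SYN flood exhausts the connection table rather than the link (Error #2) and that a low-and-slow attacker holds connections with almost no traffic (Error #3), can be made concrete with a small model. The following is an added example, not code from the article or from NSFOCUS. It assumes a 64-byte minimum Ethernet frame for a SYN, a 1500-byte frame for a bulk UDP flood, a 1024-entry backlog and a 60-second half-open timeout, and it runs its detection functions over a constructed connection-table snapshot; none of those figures or records come from the page.

```python
"""Added example (not from the article): why equal traffic is not equal
damage, and how to spot the tortoise in a connection table.
All constants and the snapshot below are constructed assumptions."""
from collections import Counter
from dataclasses import dataclass

# Assumed figures: a TCP SYN fits a minimum 64-byte Ethernet frame, a
# bulk UDP flood uses 1500-byte frames, the server keeps BACKLOG
# half-open entries and drops each one after SYN_TIMEOUT_S seconds.
SYN_FRAME_BYTES = 64
UDP_FRAME_BYTES = 1500
BACKLOG = 1024
SYN_TIMEOUT_S = 60.0


def packets_per_second(bits_per_second: float, frame_bytes: int) -> float:
    """How many frames of a given size a link rate delivers per second."""
    return bits_per_second / (8 * frame_bytes)


def seconds_to_fill_backlog(bits_per_second: float) -> float:
    """Time for a SYN flood at this rate to occupy every backlog slot,
    assuming no entry has expired yet (each lives SYN_TIMEOUT_S)."""
    return BACKLOG / packets_per_second(bits_per_second, SYN_FRAME_BYTES)


def steady_state_half_open(bits_per_second: float) -> float:
    """Half-open entries a sustained SYN flood keeps occupied: arrival
    rate times entry lifetime, capped by the table size."""
    pps = packets_per_second(bits_per_second, SYN_FRAME_BYTES)
    return min(BACKLOG, pps * SYN_TIMEOUT_S)


@dataclass
class Conn:
    peer: str        # remote address
    state: str       # "SYN-RECV" (half-open) or "ESTAB"
    age_s: float     # seconds since the entry was created
    bytes_in: int    # bytes received from the peer so far


# Constructed snapshot: one normal client, one low-and-slow source
# holding eight idle connections, and fifty half-open entries left by
# spoofed SYNs from the 192.0.2.0/24 documentation range.
SNAPSHOT = [
    Conn("203.0.113.5", "ESTAB", 3.0, 4800),
    *[Conn("198.51.100.7", "ESTAB", 400.0 + i, 60) for i in range(8)],
    *[Conn(f"192.0.2.{i}", "SYN-RECV", 5.0, 0) for i in range(1, 51)],
]


def half_open_ratio(snapshot, backlog: int = BACKLOG) -> float:
    """Fraction of the backlog held by half-open entries; this climbs
    under a SYN flood even when link utilisation looks normal."""
    return sum(c.state == "SYN-RECV" for c in snapshot) / backlog


def low_and_slow_sources(snapshot, min_age_s: float = 120.0,
                         max_bytes: int = 512, min_conns: int = 4) -> list:
    """Peers holding several long-lived established connections that
    have sent almost nothing: the tortoise pattern from Error #3."""
    idle = Counter(c.peer for c in snapshot
                   if c.state == "ESTAB"
                   and c.age_s >= min_age_s
                   and c.bytes_in <= max_bytes)
    return sorted(peer for peer, n in idle.items() if n >= min_conns)


if __name__ == "__main__":
    for mbps in (1, 10):
        bps = mbps * 1e6
        print(f"{mbps} Mbps: SYN flood {packets_per_second(bps, SYN_FRAME_BYTES):.0f} pps, "
              f"UDP flood {packets_per_second(bps, UDP_FRAME_BYTES):.0f} pps, "
              f"backlog of {BACKLOG} full in {seconds_to_fill_backlog(bps):.2f} s")
    print("half-open ratio:", round(half_open_ratio(SNAPSHOT), 3))
    print("low-and-slow sources:", low_and_slow_sources(SNAPSHOT))
```

Under these assumptions a 1 Mbps SYN flood is about 1,950 packets per second and fills a 1,024-entry backlog in roughly half a second, while 1 Mbps of UDP is about 83 packets per second and creates no server-side state at all; the thresholds in `low_and_slow_sources` (age, byte count, connections per peer) are starting points to tune against a baseline of normal clients, since a single idle keep-alive connection is not an attack.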
Error #4: If You’re Not a Big-Name Brand, Hackers Won’t Bother Attacking You
The assumption goes like this: my website is small, so I don't need to worry about DDoS attacks. If you operate a website, even one that earns little or is run for a non-profit, you will get no comfort from ideas such as “There are so many websites, and most are more famous than mine, so a hacker wouldn't waste time on me,” or “Our operation is just gaining momentum, we don't make much money and we aren't offending anyone, so there's no reason for a hacker to attack us.”
The truth is that these days any site can be considered fair game. When cybercriminals choose extortion targets, they know that attacks on major websites may be more profitable, but the costs and risks are usually greater as well; smaller sites generally have weaker defenses, so an attack is more likely to succeed. Competition is another major motive for DDoS attacks: newcomers may attack established businesses to steal customers, and established businesses may attack newcomers to remove a potential threat. Retaliatory attacks may pay no attention to size or scale at all; the attacker just wants to prove a point.
Error #5: Only Hackers Have the Know-How to Launch DDoS Attacks
At present, most hackers specialize in a particular area. Some discover vulnerabilities, some develop tools, some handle system intrusion and some are adept at handling stolen account information. For DDoS, some hackers build and maintain so-called “attack networks,” whether from botnets or from high-performance servers they have taken over, and then rent that capacity to customers. The customer needs no specialized knowledge of the technology. DDoS attacks can be commissioned by cybergangs, the business competitor across the street or a disgruntled employee; with hackers for hire, potential attackers are everywhere.
We will conclude our discussion on the serious nature of DDoS attacks during part two of this article being published next week.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.