DDoS Attackers Switch Gears: Hit The Router, Not The Web Server

Distributed denial-of-service attacks on commercial Web sites have taken a nasty turn since last year: They're now throwing four times as many packets, and the type of packets are more likely to bring targeted sites to their knees. That's according to security vendor Prolexic Technologies, which on Thursday (Nov. 17) is slated to release a report that says since Q3 2010, attackers have shifted from attacks that aim at Web servers to those that target routers—a change that could require retailers to put up much stronger defenses against brute-force attacks.

It's hard enough defending against a botnet firing an endless stream of "show me your homepage" requests at an E-Commerce site. Retailers have already seen those attacks amped up to 50 times their previous level during a few days after Black Friday last year. But the new style of attack (so far aimed mainly at online gambling sites) is likely to require a lot more hardware to pick off nasty packets—and it's hardware that's only necessary until the attack ends, at which point it's very expensive bric-a-brac.

According to the Prolexic report, the new attacks have shifted from the network's application layer (for example, using packets containing the HTTP GET command) to the transport and Internet layers (using lower-level network traffic signals). In network jargon, that means the new-style attacks are mostly SYN floods, ICMP floods and UCP floods—all arriving at a rate of millions of packets per second, and all of which have to be dealt with one packet at a time.

"The bad news is, you can't just ACL that off," said Neal Quinn, VP of operations at Prolexic. "You have to let traffic through, and you need a DDoS mitigation appliance to authenticate the SYN requests. That's north of $150,000." Unfortunately, those appliances still aren't designed to handle the level of attack bandwidth that this year's attacks are using. "You really need a provider who has a huge deployment of those appliances to spread the load out globally," Quinn said.

Not surprisingly, that's the business Prolexic is in. But hiring out the attack-mitigation work to some provider makes painful financial sense. According to the report, a typical attack lasts about a day and a half. A million dollars' worth of in-house hardware that might actually be used at most a few days out of each year? Sure, that'll go over big with your CFO.

And unfortunately, it's the attackers who get to pick the game.And unfortunately, it's the attackers who get to pick the game, which always involves networks of malware-infected PCs, more than 70 percent of which are located in China, India or Turkey. (Filling out the big-botnet list: Pakistan, Venezuela, Indonesia, Mexico, Egypt and Korea. Large numbers of attacks also come from the U.S., Vietnam, Thailand and Brazil.)

Nor is it especially difficult for anyone who wants to send a DDoS flood in the direction of a retailer, whether for commercial, political or other reasons. Want to launch an attack? Hire a botnet, and keep hiring more attack capacity until you can see that your target can't handle the load any longer.

Last year, that worked fine with relatively simple floods of HTTP commands, which is what most attacks used. Then retailers and other sites improved their ability to swat away those attacks. The result: This year, more than 80 percent of the attacks are using those lower-layer packets, which have to be handled by routers and actually require fewer packets to get the same unpleasant result (and are aimed at where the current defenses aren't).

Yes, it is an arms race—one in which you're almost never sure when an attack will come, or from where. (Last year's WikiLeaks attacks at least had the virtue that Visa, MasterCard and Amazon knew who the attacks were coming from. Some were even announced in advance.)

But in practice, most attacks are hard to predict for timing, relatively cheap to launch and expensive to defend against. Because defense requires lots of networking hardware, there's really no way to finesse the problem of an attack. When it comes, you either need to buy or rent a major defensive perimeter or you'll go down. The rest of that time, you've got an expensive Maginot Line that almost no one is trying to get past.

And like the real Maginot Line, you can be pretty sure that eventually the bad guys will go around it, not through it.

Still, there's one advantage to the financial misery involved in dealing with DDoS attacks. Most effective IT security spending is almost impossible to cost justify. If it's implemented correctly and it really does what it should, your only evidence it was worth the expense is all the attacks that don't come. That's a tough sell at budget time.

At least when you're hit with a DDoS attack, you'll know. Boy, will you know.