DDoS, distributed denial of service attacks, are growing in size, frequency and complexity at a breath-taking rate. So it’s no surprise that this trend has created a growing market for vendors of software products and services that detect and mitigate these kinds of attacks. Industry analysts at IDC expect the global DDoS solutions market to soar to $944.4 million by 2018, well beyond expected global revenues of $657.9 million in 2015.
Tech vendors are jockeying fiercely for their share of the market. Security enterprises without DDoS tools, or a complete set, have moved quickly to acquire them. For example, last year F5 Networks acquired Defense.net. Other types of tech enterprises are moving into the DDoS market as well. Akamai, the leading content delivery network, bought Prolexic Technologies.
Every enterprise with Internet connectivity is fair game, and likely has come under fire more than once. Last year, 38 percent of 300 corporations surveyed by Arbor Networks reported they had experienced more than 21 DDoS attacks monthly in 2014. Security experts at Incapsula, the DDoS product line owned by Imperva, predict that going forward, Internet-connected enterprises will experience DDoS attacks more than once a year. “It’s not a question of if, but rather when you will be attacked,” says Tim Matthews, Incapsula’s vice president of marketing.
DDoS attacks are very simple to launch. A fraudster silently and invisibly invades PCs, tablets, web browsers, databases, servers, mobile phones – any operating system connected to the Internet – to turn devices unwittingly into remotely-controlled armies of botnets, short for robots. The assailant, called a bot herder, commands his botnets to send outrageous volumes of traffic (thus called volumetric attacks) to their targets to saturate available bandwidth until the resources are exhausted.
“The increase in available Internet bandwidth, widespread access to cyber-attack software tools and ‘dark web’ services for hire, has led to a rapid evolution of increasingly sophisticated DDoS techniques used by cyber criminals to disrupt and exploit businesses around the world,” says Jerry Stalick, F5 Networks’ vice-president of global services.
Over the past few years, DDoS tools have become more sophisticated and easier to handle. In addition, cyber crooks can rent botnets on the Internet for as little as a few dollars for an hour or few days. Contractors to manage attacks are also available. One advantage of employing these services is that the actual perpetrator leaves no fingerprints on the deed.
Industry analysts recommend enterprises take a hybrid approach to mitigation; one that incorporates on-premises equipment and cloud services that can work together to protect traffic downstream as well as upstream. On-prem devices are calibrated to recognize application layer DDoS attacks, which usually flow through bandwidth in low volumes of slow traffic. These application layer campaigns repeatedly ping applications, such as websites, web apps, servers and plug-ins. As a result, applications either perform sluggishly or shutdown altogether.
When on-prem boxes run out of bandwidth to mitigate traffic under attack, they can shift the oversight to a cloud service, capable of managing much larger volumes of traffic. Both on-prem and cloud services monitor for spikes in traffic and packet anomalies that flag possible DDoS mischief. When questionable packets are spotted, they are “scrubbed”. This means they are pulled out of the stream of traffic and inspected more closely. Bad packets are dropped so they can’t reach their destination.
Solution providers report that many perpetrators of DDoS assaults are changing their campaign tactics, orchestrating more sophisticated volumetric attacks in short bursts and with greater frequency. DDoS security experts believe many of these campaigns are reconnaissance. The DDoS botnets are on a mission to find enterprises with weak defenses and therefore vulnerable to more invasive attacks.
DDoS campaigns also serve as a distraction. Cyber criminals launch front-end attacks to distract a company’s limited security personnel while the miscreants manage the injection of malware into the back end of a network. The malware’s job is to seek out and steal sensitive information such as customer profiles, financial data and intellectual property. Later the bandits may try to sell the pilfered assets on the black market or extract ransom from the rightful owners.
“They (the attackers) are employing a shorter attack strategy to improve efficiency as well as distract the attention of IT personnel away from the actual intent of an attack, which is to deploy malware and steal data,” says Rishi Agarwal, director of product marketing at NSFocus. “Today’s attacker continues to become smarter and more sophisticated.”
The introduction of distributed attacks presented a new challenge because the infected hosts are located, literally, worldwide. Historically, botnets were launched initially at gamers, the game industry, and e-commerce sites over a decade ago. There was a lull in DDoS activity for a few years, and then attack activity made a robust comeback in 2012, and has soared ever since. The game industry was a prominent victim in the early days. This sector continues to be a favorite target. At the same time, DDoS activists have widened their target range over the past few years to the financial, entertainment, government and technology sectors.
The consequences of DDoS assaults can be disastrous for enterprises that rely on websites to conduct business, such as eCommerce and other application-based businesses. Unresponsive websites and servers drive online customers to websites of competitors and tarnish corporate reputations.
The fact that a lot of software smarts aren’t necessary to pull off a DDoS attack is illustrated by the rise of attacks on public schools at all grade levels. Students are testing their mettle by launching DDoS attacks against their public school districts. Last month a 17 year old student in Idaho paid a hacker to carry out attacks against the West Ada School District. Teachers and students lost their online work, and some students were forced to retake their state achievement tests several times.
“For the kids it’s a game, but for the schools and for companies, it’s expensive,” says Terrance Gareau, chief scientist at Nexusguard, a solution provider that has worked with schools affected by DDoS campaigns.
This tidal wave of DDoS attacks is prompting vendors to look at the possibility of sharing information about ongoing attacks and their operators. Of course, the challenge, says F5’s Stalick, is “how far can you open the kimono without jeopardizing your competitive advantage?”