During my travels across the globe I meet lots of people, and it always amazes me when individuals continue to believe that they are not susceptible to a DDoS attack. I frequently hear, “Why would anyone attack us, why should we plan for an impending DDoS attack?”
Believe it or not, statistics show that over 40% of online organizations are completely unprepared for a DDoS attack. I believe the lack of preparation stems from a misunderstanding of what motivates attackers (as well as a lack of understanding of how the Internet actually works). In my ten years of helping prevent the ill effects of DDoS attacks I’ve seen nearly every motivation. Here are just a few.
One of the first “Denial of Service” attacks ever seen on the Internet was on May 5th, 2000. It was the day the I Love You virus began in the Philippines and spread all over the world in less than 24 hours. Although viral in nature, the malware had the tremendous effect of taking significant portions of the Internet offline. Over 45 million systems were said to have become infected, and those that were not infected began creating a denial of service on their own when they removed their email servers from the Internet to thwart the spread of infection. What was the motivation of the attacker? Most likely it was simple notoriety.
What are some of the other motivations I’ve seen?
- In the 2002-2003 timeframe we began to see competitive advantage being used as a motivation for DDoS. Organizations would attack their competitors’ websites in the hope of driving more traffic to their own websites, which in turn increased sales, gambling transactions, and ad revenues.
- In the 2004-2005 timeframe attackers began using extortion as a new motivation for DDoS attacks. Attackers would warn of a pending attack then ask for a transfer of funds to some account located in another part of the world. If you didn’t pay up then attackers would simply take your organization’s websites offline.
- In the 2007-2008 timeframe we began to see countries launching DDoS attacks against other countries as an act of war or aggression. For example, Russia was accused of launching DDoS attacks against Georgian websites during the Russo-Georgian war in 2008. This was the first time we began to see DDoS being used as a cyber-weapon.
- In the 2010-2011 timeframe we began seeing DDoS attacks being used by hacktivists as a method of advancing personal, political, or social agendas forward or in reprisal for something they deemed as inappropriate or unfair.
- Then finally in the 2012-2013 timeframe we began seeing independent cyber armies launch crippling DDoS attacks against the entire U.S. financial system in retaliation for a video that offended about one-quarter of the world’s population.
There’s no shortage of motivation for attackers.
There’s also another concept to take into consideration. Although not a motivation per se, it’s one that Corero sees all the time. We call it the “fat-finger” or “innocent-bystander” DDoS attack. Normally these assaults are short bursts of massive amounts of attack traffic, but they are extremely volatile, and they seem to be directed at the wrong victim. Is it possible to become the victim of someone else’s attack? The answer to that is a simple yes.
Say, for instance, an attacker who was communicating with their botnet in preparation for an attack entered your IP addresses instead of the intended victim’s. Could you be affected? Of course you would. All an attacker has to do is transpose a single digit in one of the IPv4 octets and your network could easily be taken offline, even if you were not the intended victim. Or say an attacker with access to a sizable botnet used your set of IP addresses as the spoofed source addresses of a short-lived yet sizable SYN flood against another victim. Would that affect you? Yes it could. Your network could be flooded with significant amounts of SYN-ACK packets coming from the victim’s server or proxy responses, because the victim answers the addresses the SYNs claimed to come from. Could that take you offline? Yes it could. Each incoming SYN-ACK forces your firewalls to perform a state-table lookup, and too many lookups can translate into latency, reboots, and outages.
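The innocent-bystander case above leaves a recognizable trace on the bystander’s network: a burst of inbound SYN-ACKs for which no outbound SYN was ever sent. The following detector, an added example and not Corero’s code, walks a list of packet records, remembers the 4-tuples of SYNs our hosts sent, and flags any remote host that returns more than a threshold of unmatched SYN-ACKs inside a sliding time window. The local prefix (203.0.113.0/24), the remote addresses, the thresholds and the packet records are all constructed assumptions using documentation address ranges.

```python
"""Detect SYN-ACK backscatter: inbound SYN-ACKs that answer no SYN we sent.

Added example (not Corero's code). When a spoofed SYN flood uses our prefix
as its source, the victim's server replies SYN-ACK to us, so we see many
SYN-ACKs that match no outbound SYN. Packet records below are constructed
tuples, not real captures.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Packet record: (time_s, src_ip, src_port, dst_ip, dst_port, flags)
# flags is a set such as {"SYN"} or {"SYN", "ACK"}.

LOCAL_NET = ip_network("203.0.113.0/24")  # assumption: our own prefix


def is_local(ip):
    return ip_address(ip) in LOCAL_NET


def find_backscatter(packets, window_s=10.0, threshold=50):
    """Return {remote_ip: peak_count} for every remote host that sent more
    than `threshold` unsolicited SYN-ACKs within any `window_s` seconds.

    A SYN-ACK counts as solicited only if we earlier sent a SYN on the
    reversed 4-tuple (our ip/port -> their ip/port)."""
    sent_syns = set()                 # (local_ip, local_port, remote_ip, remote_port)
    unsolicited = defaultdict(list)   # remote_ip -> arrival times of unmatched SYN-ACKs

    for t, src, sport, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        if is_local(src) and flags == {"SYN"}:
            sent_syns.add((src, sport, dst, dport))
        elif is_local(dst) and flags == {"SYN", "ACK"}:
            if (dst, dport, src, sport) not in sent_syns:
                unsolicited[src].append(t)

    alerts = {}
    for remote, times in unsolicited.items():
        # Sliding window: largest number of unmatched SYN-ACKs in window_s seconds.
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            alerts[remote] = peak
    return alerts


def sample_packets():
    """Constructed traffic: one legitimate handshake plus backscatter from a
    victim (198.51.100.7) that is answering SYNs spoofed with our prefix."""
    pkts = [
        (0.00, "203.0.113.10", 40001, "192.0.2.5", 443, {"SYN"}),
        (0.05, "192.0.2.5", 443, "203.0.113.10", 40001, {"SYN", "ACK"}),  # matched
    ]
    for i in range(120):
        pkts.append((1.0 + i * 0.04, "198.51.100.7", 80,
                     f"203.0.113.{(i % 200) + 20}", 1024 + i, {"SYN", "ACK"}))
    return pkts


if __name__ == "__main__":
    for remote, count in find_backscatter(sample_packets()).items():
        print(f"backscatter suspected from {remote}: {count} unmatched SYN-ACKs")
```

In practice the records would come from a flow or packet capture at the edge rather than a constructed list, and the same bookkeeping catches RST-ACK backscatter from closed ports if the flag check is widened. The detector only tells you that someone else’s victim is answering traffic you never sent; the mitigation is to drop those unmatched SYN-ACKs as close to the edge as possible, before they reach a stateful firewall that has to look each one up.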
It’s simple. Anything with an IP address can be used to launch an attack and anything with an IP address can fall victim to an attack. It’s simply a matter of time!