When researching the topic "Do cyber-attacks, especially DDoS attacks, result in more outages than natural or man-made disasters?", I stumbled upon a 2013 annual report from the European Union Agency for Network and Information Security (ENISA). According to their website, “ENISA is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks.”
Hard to Believe
I find the mention of cyber-attacks not having any significant impact in 2013 a little hard to believe. Industry-provided DDoS statistics prove that this cyber-attack vector has been growing exponentially year after year since early 2011, yet it barely makes a blip on the radar according to the report. This tells me that either the statistics are skewed or cyber-attacks, including DDoS, are likely not being detected as an outage to a service provider’s network. Remember, most DDoS attacks don’t take network service providers offline. DDoS attacks take their customers offline.
[Figure: User hours lost per root cause category]
The Aha Moment
There it was in big bold letters, “because smaller incidents remain below the thresholds”. One must surmise that this is the sole reason why cyber-attacks did not have any significant impact on electronic communications during 2013 according to the report. The service providers within the report simply missed the fact that they were transporting DDoS and other cyber-attacks that were not detected as service-impacting to their infrastructures. Now it makes complete sense.
This is extremely common today with regard to DDoS attacks and service providers. If the attacks do not impact the service providers’ networks in the EU, then no report is made to ENISA. However, we all know that DDoS attacks have been severely impacting some of the biggest companies, but as long as those attacks did not impact the service provider, all is good.
Visibility is the key to identifying DDoS attacks, and service providers have been utilizing methodologies including NetFlow sampling for years in an effort to identify DDoS attacks traversing their networks. However, all indications show that many service providers are simply missing the fact that they are transporting DDoS attacks that are taking their customers offline.
Corero Statistics Dispute These Findings
Corero’s Q4 2014 Quarterly Report proves that organizations are under DDoS attack more often than most people are aware of. For example, Corero’s customers on average report that they are experiencing up to four (4) DDoS attacks per day and up to 351 DDoS attacks per quarter. 96% of the DDoS attacks experienced last less than 30 minutes and 73% last less than 5 minutes in duration. Although these DDoS attacks never seem to impact the service provider that is delivering the attack, its customers are being impacted, which in turn increases the user-hours lost over a period of time.
Although not yet released, the ENISA report for 2014 will likely show an increase in user-hours lost due to malicious actions, particularly with regard to DDoS attacks.