DDoS vs. Natural and Man-Made Disasters

By Stephen Gates | April 28, 2015


While researching whether cyber-attacks, especially DDoS attacks, result in more outages than natural or man-made disasters, I stumbled upon a 2013 annual report from the European Union Agency for Network and Information Security (ENISA). According to their website, “ENISA is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks.”

The annual report is quite comprehensive from a network service provider perspective. All members of the EU require service providers to report to a national authority when critical network outages occur, whatever the cause: natural phenomena, human errors, malicious attacks, system failures, or third-party failures. The report states, “Power cuts are the detailed cause that had most impact in terms of user hours lost, followed by heavy snowfall and cable cut. Also in 2012 Power cuts had high impact. Cyber-attacks did not have any significant impact on electronic communications during 2013.”

Hard to Believe

I find the mention of cyber-attacks not having any significant impact in 2013 a little hard to believe. Industry-provided DDoS statistics prove that this cyber-attack vector has been growing exponentially year after year since early 2011, yet it barely makes a blip on the radar according to the report. This tells me that either the statistics are skewed or cyber-attacks, including DDoS, are likely not being detected as an outage to a service provider’s network. Remember, most DDoS attacks don’t take network service providers offline. DDoS attacks take their customers offline.

Digging deeper into the report, there is a section on User Hours Lost per Root Cause Category. In this section the report states the following: “Last year we started to look at the impact in terms of user hours lost. Taking into account both the number of user connections affected and the duration of the incident yields a measure for the total impact of an incident. We call it ‘user hours lost’. Natural phenomena had most impact in terms of user hours lost. This suggests that this is the category of outages which affects most users most of the time. At the same time, it is important to remember that these numbers are only representative of large scale incidents, because small incidents remain below the thresholds.” Here is a graph of user hours lost per root cause from the report.

[Figure: User hours lost per root cause category]

The Aha Moment

There it was in big bold letters: “because small incidents remain below the thresholds”. One must surmise that this is the sole reason why cyber-attacks did not have any significant impact on electronic communications during 2013 according to the report. The service providers within the report simply missed the fact that they were transporting DDoS and other cyber-attacks that were not detected as service-impacting to their infrastructures. Now it makes complete sense.

This is extremely common today with regard to DDoS attacks and service providers. If the attacks did not impact the service providers’ networks in the EU, then no report is made to ENISA. However, we all know that DDoS attacks have been severely impacting some of the biggest companies, but as long as those attacks did not impact the service provider, all is good.

Visibility is the key to identifying DDoS attacks, and service providers have been utilizing methodologies including NetFlow sampling for years in an effort to identify DDoS attacks traversing their networks. However, all indications are that many service providers are simply missing the fact that they are transporting DDoS attacks that are taking their customers offline.

Corero Statistics Dispute These Findings

Corero’s Q4 2014 Quarterly Report proves that organizations are under DDoS attack more often than most people are aware of. For example, Corero’s customers on average report that they are experiencing up to four (4) DDoS attacks per day and up to 351 DDoS attacks per quarter. 96% of the DDoS attacks experienced last less than 30 minutes, and 73% last less than 5 minutes. These DDoS attacks never seem to impact the service provider that is delivering the attack; however, their customers are being impacted, which in turn increases the user hours lost over a period of time.
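The threshold effect argued above can be worked through with the report's "user hours lost" measure. The following is an added example, not code from the original post or from ENISA: the reporting tiers, the user base and the incident list are all constructed, with the DDoS durations shaped after the Corero percentages quoted above.

```python
from dataclasses import dataclass

# Constructed reporting tiers (assumption, not ENISA's published values):
# an incident is reportable if it lasts at least `min_minutes` AND affects
# at least `min_share` of the provider's user base.
TIERS = [(60, 0.15), (120, 0.10), (240, 0.05), (480, 0.01)]

@dataclass
class Incident:
    cause: str
    users_affected: int
    minutes: float

def user_hours_lost(inc):
    """User connections affected multiplied by incident duration in hours."""
    return inc.users_affected * inc.minutes / 60.0

def is_reportable(inc, user_base, tiers=TIERS):
    """True if the incident crosses any (duration, share-of-users) tier."""
    share = inc.users_affected / user_base
    return any(inc.minutes >= m and share >= s for m, s in tiers)

def summarize(incidents, user_base):
    """User hours lost per cause, split into reported and unreported."""
    totals = {}
    for inc in incidents:
        bucket = totals.setdefault(inc.cause, {"reported": 0.0, "unreported": 0.0})
        key = "reported" if is_reportable(inc, user_base) else "unreported"
        bucket[key] += user_hours_lost(inc)
    return totals

# Constructed quarter for a provider with 1,000,000 users.
USER_BASE = 1_000_000
SAMPLE = [Incident("power cut", 200_000, 300)]
# 351 attacks on one hosted customer serving 20,000 users (constructed):
# 256 (73%) last 4 min, 81 more (up to 96%) last 20 min, 14 last 45 min.
for count, minutes in [(256, 4), (81, 20), (14, 45)]:
    SAMPLE += [Incident("ddos", 20_000, minutes) for _ in range(count)]

if __name__ == "__main__":
    for cause, split in summarize(SAMPLE, USER_BASE).items():
        print(f"{cause:10s} reported={split['reported']:>12,.0f} "
              f"unreported={split['unreported']:>12,.0f}")
```

In this constructed quarter every DDoS incident stays below the tiers, so the annual statistics would show zero user hours lost to attacks even though the unreported total exceeds that of the single reported power cut.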

Although not yet released, the ENISA report for 2014 will likely show an increase in user hours lost due to malicious actions, particularly with regard to DDoS attacks.
