Corero Network Security Reports on Top 5 DDoS Attacks of 2011

Corero Seeing an Increase in Newer, Intelligent, Application Layer DDoS Attacks

Hudson, MA, October 07, 2011 – Corero Network Security (CNS: LN), the leader in on-premises Distributed Denial of Service (DDoS) Defense Systems for enterprises, data centers and hosting providers, named its list of 2011's Top 5 DDoS attacks. Corero's findings show an increase in newer, intelligent application-layer DDoS attacks that are extremely difficult to identify "in the cloud," and often go undetected until it is too late. Corero also found an uptick in attacks against corporations by "hacktivists" DDoS-ing sites for political and ideological motives, rather than financial gain. Attacks against Mastercard, Visa, Sony, PayPal and the CIA top Corero's list.

"The cat-and-mouse game between IT administrators, criminals and hacktivists has intensified in 2011 as the number of application-layer DDoS attacks has exploded. Coupled with an increase in political and ideological hacktivism, companies have to be extremely diligent in identifying and combating attempts to disable their websites, steal proprietary information and to deface their web applications," said Mike Paquette, chief strategy officer, Corero Network Security.

Corero's 2011 Top 5 DDoS list includes the following high-profile attacks:

  1. Anonymous DDoS Attacks on WikiLeaks "Censors" Visa, MasterCard and PayPal 
    The most significant DDoS attack so far this year, the WikiLeaks-related DDoS attacks on Visa, MasterCard and PayPal were both Anonymous' "coming out" party, and the first widespread example of what has been dubbed "cyber rioting" on the Internet, with virtual passersby joining in the attack voluntarily.
  2. Sony PlayStation Network DDoS
    A shocking wake-up call for many gamers, customers and investors, the Sony PlayStation Network DDoS attack began a series of cyber attacks and data breaches that damaged Sony financially and hurt its reputation.
  3. CIA and SOCA Hit by LulzSec DDoS Attacks
    The appearance of LulzSec on the cyber attack scene, highlighted by bold DDoS attacks on the CIA and the U.K. Serious Organised Crime Agency (SOCA), made us wonder if anyone was safe on the Internet.
  4. WordPress DDoS
    A massive DDoS attack disrupted one of the world's largest blog hosts – some 18 million websites. The huge attack hit the company's data centers with tens of millions of packets per second.
  5. Hong Kong Stock Exchange
    This DDoS attack had a major impact on the financial world, disrupting stock market trading in Hong Kong. This was a highly leveraged DDoS attack, potentially affecting hundreds of companies and individuals through a single target.

For all the pain and suffering DDoS attacks have caused, there are a number of best practices that companies can implement to reduce their risk. The most effective defense against DDoS attacks requires expert preparation of defensive resources, ongoing vigilance and a rapid, organized response.

Corero's Top 5 recommendations for mitigating the effects of DDoS attacks:

  1. Create a DDoS Response Plan
    As with all incident response plans, advance preparation is key to rapid and effective action, avoiding an "all-hands-on-deck" scramble in the face of a DDoS attack. A DDoS response plan lists and describes the steps an organization should take if its IT infrastructure is subjected to a DDoS attack.
    Increasingly, Corero is seeing that DDoS attacks against high-profile targets are intelligent, determined and persistent. This new breed of highly capable attackers will switch to different attack sources and alternative attack methods as each new attempt is countered or fails. It is therefore essential the DDoS response plan defines when and how additional mitigation resources are engaged and surveillance tightened.
  2. On-Premises DDoS Defenses are Imperative
    Clean pipe Internet connections provided by ISPs offer a false sense of security. On-premises DDoS defense solutions installed immediately in front of application and database servers are required to provide a granular response to flooding type attacks, as well as to detect and deflect the increasingly frequent application-layer DDoS attacks. For optimal defense, on-premises DDoS protection solutions should be deployed in concert with automated monitoring services to rapidly identify and react to evasive, sustained attacks.
  3. Protect Your DNS Servers
    The Internet Domain Name System (DNS) is a distributed naming system that enables us to access the Internet by using recognizable and easy to remember names such as rather than numeric IP addresses (e.g. on which network infrastructure relies to route messages from one computer to another. Since DNS is distributed, many organizations use and maintain their own DNS servers to make their systems visible on the Internet.
    These servers are often targeted by DDoS attacks; if the attacker can disrupt DNS operations, all of the victim's services may disappear from the Internet, causing the desired Denial of Service effect.
  4. Know Your Real Customers
    A brute-force or flooding type of DDoS attack is relatively easy to identify, though it requires high performance and sophisticated real-time analysis to recognize and block attack traffic while simultaneously allowing legitimate traffic to pass.
    Detection of the more insidious application layer attacks requires a thorough understanding of the typical behaviors and actions of bona fide customers or employees accessing the applications being protected. In much the same way that credit card fraud detection may be automated, on-premises DDoS defense systems establish legitimate usage profiles in order to identify suspicious traffic and respond accordingly.
  5. Maintain Continuous Vigilance
    DDoS attacks are becoming increasingly smart and stealthy in their methods. Waiting for an application to become unresponsive before taking action is already too late.
    For optimal defense, a DDoS early warning system should be part of a company's solution. Continuous and automated monitoring is required in order to recognize an attack, sound the alarm and initiate the response plan.
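The two recommendations above, establishing a legitimate usage profile to spot application-layer attackers (item 4) and raising an early warning before the application becomes unresponsive (item 5), can be illustrated with a small behavioral-baseline detector. The following Python is an added example, not Corero's product logic or code from the release; the log format, the per-client rate threshold, the path-distribution divergence threshold and the sample traffic are all constructed assumptions. It learns a profile from a clean window of traffic, then scores a second window: clients exceeding the learned request rate are flagged as floods, clients whose mix of requested paths diverges sharply from the bona fide profile are flagged as suspicious even when they stay under the rate limit, and a site-wide rate jump triggers the early warning.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample traffic (not captured from any real site).
# Each line: "<second> <client_ip> <path>", covering one 6-second window.
BASELINE_LOG = """
0 10.0.0.1 /
0 10.0.0.2 /login
1 10.0.0.1 /catalog
1 10.0.0.3 /
2 10.0.0.2 /account
2 10.0.0.3 /catalog
3 10.0.0.1 /search
3 10.0.0.4 /
4 10.0.0.4 /catalog
4 10.0.0.2 /
5 10.0.0.3 /search
5 10.0.0.1 /
""".strip().splitlines()

ATTACK_LOG = (
    ["0 10.0.0.1 /", "2 10.0.0.1 /catalog", "5 10.0.0.1 /",
     "1 10.0.0.2 /login", "3 10.0.0.2 /account"]
    # 10.0.0.9: crude flood, four requests per second against /search
    + [f"{s} 10.0.0.9 /search" for s in range(6) for _ in range(4)]
    # 10.0.0.8: low-and-slow, one /search per second, under the rate limit
    + [f"{s} 10.0.0.8 /search" for s in range(6)]
)


@dataclass
class Profile:
    window_secs: float
    rate_limit: float   # per-client requests/second threshold (assumed rule)
    path_dist: dict     # legitimate share of requests by path
    total_rate: float   # site-wide requests/second in the baseline


def parse(lines):
    """Return (second, client, path) tuples from the constructed log format."""
    out = []
    for line in lines:
        sec, client, path = line.split()
        out.append((int(sec), client, path))
    return out


def build_profile(lines, window_secs=6.0, k=3.0, floor=3.0):
    """Learn what bona fide clients look like from a clean traffic sample."""
    events = parse(lines)
    per_client = Counter(c for _, c, _ in events)
    rates = [n / window_secs for n in per_client.values()]
    mu, sigma = mean(rates), pstdev(rates)
    paths = Counter(p for _, _, p in events)
    total = sum(paths.values())
    return Profile(
        window_secs=window_secs,
        # mean + k*sigma, with a floor so a tight baseline does not over-flag
        rate_limit=max(mu + k * sigma, floor * mu),
        path_dist={p: n / total for p, n in paths.items()},
        total_rate=total / window_secs,
    )


def tv_distance(p, q):
    """Total variation distance between two path distributions (0..1)."""
    keys = set(p) | set(q)
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in keys)


def analyze_window(profile, lines, min_requests=5, max_divergence=0.6,
                   warn_ratio=2.0):
    """Score one window of traffic against the profile.

    Returns (early_warning, flagged) where flagged maps client -> reason.
    """
    events = parse(lines)
    by_client = defaultdict(list)
    for _, client, path in events:
        by_client[client].append(path)

    flagged = {}
    for client, paths in by_client.items():
        rate = len(paths) / profile.window_secs
        if rate > profile.rate_limit:
            flagged[client] = "rate"        # brute-force / flooding client
            continue
        # Only judge behavior once a client has enough requests to compare
        if len(paths) >= min_requests:
            dist = {p: n / len(paths) for p, n in Counter(paths).items()}
            if tv_distance(dist, profile.path_dist) > max_divergence:
                flagged[client] = "behavior"  # unlike any real customer

    # Early warning: site-wide load well above the learned baseline
    site_rate = len(events) / profile.window_secs
    early_warning = site_rate > warn_ratio * profile.total_rate
    return early_warning, flagged


if __name__ == "__main__":
    prof = build_profile(BASELINE_LOG)
    warn, hits = analyze_window(prof, ATTACK_LOG)
    print(f"early warning: {warn}, flagged: {hits}")
```

Run as a script it prints the early-warning flag and the two flagged clients: 10.0.0.9 for exceeding the rate limit and 10.0.0.8 for a request mix that no profiled customer produces. The divergence check is what separates this from a plain rate limiter: it is the piece that catches the "intelligent" application-layer traffic the release describes, and it is also the piece that needs a representative baseline, since a profile built from a single quiet window will misjudge legitimate but unusual customers.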