If it looks like a duck, quacks like a duck and walks like a duck…

Several high profile organizations experienced ‘unexplained’ service outages yesterday, begging the question “is there any connection across these discrete outages”. All trading on the New York Stock Exchange was halted for nearly four hours for undisclosed internal technical reasons, while a so-called technical glitch halted United Airlines flights around the country for about two hours. The Wall Street Journal’s web site was also rendered unavailable just after the NYSE halted trading. Since the triple takedown occurred, headlines have been splashed with theories, comments from official and unofficial spokespeople, statements from the FBI, the White House and other government agencies—all with conflicting opinions on each scenario, as well as the collective incidents.

There are a few points that immediately jump off the page as I weed through the media and press coverage on the events. The terminology that is thrown around when articulating the details around (potential) cyberattacks undoubtedly leaves many readers scratching their heads. Statements like “computer outages”, “occasional outages due to technical glitches”, “issue with a gateway connection”, “internal technical issue and is not the result of a cyber breach” are misleading descriptors for what may very well be DDoS related activity. The issues experienced in these individual events all point to tell-tale symptoms of DDoS activity. The overwhelming of system infrastructure, system failovers, unexplained application latency, intermittent service availability and pure service outages reek of a DDoS attack.

Corero knows these scenarios all too well, as our customers were once victims to the sometimes ‘silent’ DDoS attack activity that appears to look like every day user behavior that passes by traditional security solutions unnoticed, and effectively takes systems offline. DDoS is not always going to look like a massive volumetric attack that you can see from a mile away. Many times, service disruption can be the result of sub-saturating DDoS attacks, techniques that consume just enough bandwidth to overwhelm security solutions, knocking services offline. What about upstream service providers? Wireline Carriers pass DDoS attack traffic to their downstream peering points, and secondary providers act as conduits for transcending DDoS attacks to end user environments. In many cases, once an attack has been identified, providers simply black hole the IP addresses in the particular subnet—causing the target victim to go off-line, and everyone else in that IP range as well causing collateral damage for innocent bystanders.

We will continue to watch the story(s) unfold, and listen to security experts speculate as to whether or not the Internet can cause an apocalypse of sorts, impacting the NYSE and ultimately the economy, air travel, and an online International newspaper.

But, if it looks like a duck, quacks like a duck and walks like a duck…It’s most likely DDoS.