March 2011

DoS Attacks Are Bigger and Badder Than Ever

by Ted Julian, Principal Analyst, [email protected]

The Bottom Line

More people are launching bigger and more sophisticated denial-of-service (DoS) attacks at more targets than ever before. Virtually any organization is a potential target and, unlike other security challenges, firms can’t address DoS attacks without provider assistance. Now that demand is peaking and technology has matured, operators should take advantage of this unique opportunity to drive revenue.

DoS Attacks Are Back

Denial-of-service (DoS) attacks are back in the spotlight. Certainly, the December 2010 attacks against the WikiLeaks Web site and then the counter-attacks by WikiLeaks sympathizers against targets including MasterCard, PayPal, Visa and others are partly responsible. And WikiLeaks’ role as a catalyst for more attacks by hacktivists in the future is a contributing factor (see the December 2010 Yankee Group Report “WikiLeaks Effect Creates New Security Winners, Losers”). But the fact is DoS attacks have evolved quite a bit over the last 10 years. DoS activity is no longer primarily the bailiwick of teenagers launching crude flood-based attacks. It has evolved to include a diverse range of motivations and techniques (see Exhibit 1).

Exhibit 1: DoS Attack Complexity, Volume and Motivation Increase Over Time
Source: Yankee Group, 2011

Timeline, 1980 to 2010:

November 1988: Arguably the first worm and first DoS “attack,” the Robert Morris Worm unintentionally wreaks havoc on the nascent Internet
February 2000: DoS attacks shut down Yahoo, eBay and Amazon
July 2001: Code Red worm DoS attacks a list of target IP addresses, including the Web site for the U.S. White House
October 2002: DoS flood disrupts service at nine of the 13 DNS root servers
April-May 2007: Series of DoS attacks against Estonian targets suggest political motivation
June 2009: Iranian election protests trigger DoS attacks against Iran’s government
July 2009: Series of DoS attacks target U.S. government sites including the White House, Department of Transportation, Federal Trade Commission and Department of the Treasury
August 2009: Social networking sites, including Twitter and Facebook, experience outages as collateral damage of DoS attacks against a Russian blogger
December 2010: DoS attacks target WikiLeaks, and WikiLeaks sympathizers target MasterCard, PayPal, Visa and others

© Copyright 2011. Yankee Group Research, Inc. All rights reserved.

Methodology

For this report, Yankee Group conducted more than 20 interviews with network operators like AT&T and Verizon, specialized service providers like Akamai and VeriSign, and equipment vendors like Arbor Networks and Radware. These interviews provided a basis for the qualitative and quantitative analysis in this report while also informing our review of past, present and future trends in DoS attacks. In the course of conducting this research, it became clear that not only were DoS attacks growing substantially (the WikiLeaks attacks occurred just as our research process began), but as a result, so was interest in solutions. Indeed, service providers of all types are in the process of either creating new solutions or refining the ones they already have. And they are actively evaluating buy vs. build vs. partner options to achieve these objectives. The brief vendor profiles included in this report are intended to help inform those activities and give enterprises a head start in their evaluations.

DoS Attacks Are Badder Than Ever

DoS attack frequency and volume has increased substantially over the last two years. According to Arbor Networks’ 2010 Infrastructure Security Report, 69 percent of network operators surveyed reported at least one attack per month, while 35 percent reported 10 or more per month, up from 18 percent in 2009. More frequent attacks are the result, at least in part, of a growing array of attackers with a wide range of motivations, including:

• Organized crime. Using DoS attacks for extortion is not new. Historically, such attacks were primarily targeted at online gambling sites, but more recently retailers have become targets as well. In either case, the attacker launches a sample attack prior to a major sporting event or holiday, and then demands protection money to ensure it doesn’t happen again. Providers also report evidence of competitive attacks (e.g., one retailer arranging to have a competitor attacked during the holiday shopping season or around a major product launch).

• Politics. Attacks like those in 2009 during the Iranian election and around July 4 against a range of U.S. government targets contribute to a growing body of evidence that governments are sponsoring attacks for political motivations. Cybersecurity pundits fear not only increasingly large and sophisticated DoS attacks, but also multifaceted attacks of which DoS is just a component or a diversionary tactic to cloak something more sinister.

• Activism. The WikiLeaks attacks are the latest example of DoS attacks being used to promote activist agendas. Why risk a dangerous protest if you can garner publicity for your cause from the comfort of your couch? The combination of point-and-click attack tools and … as an organizing mechanism is making activist attacks easier than ever.

As a result, while DoS attacks used to be primarily targeted at household names and other obvious targets, nowadays any organization with money to lose, political interests or activist enemies—effectively anyone—is a potential target and should consider protection.

More Volume

Ask any security engineer at a service provider about attack volume and they will wax nostalgic over the size of yesterday’s attacks, saying things like, “It was a 100 meg attack and we were freaking out. We thought that was huge!” That’s because attack volume continues to grow. In fact, multiple providers reported attacks in 2010 that crossed the 100 Gbps barrier. According to Arbor Networks, 2010 DoS attack size more than doubled compared to 2009 (see Exhibit 2).

Exhibit 2: DoS Attack Size Doubles to 100 Gbps
Source: Arbor Networks’ 2010 Infrastructure Security Report

Largest reported DoS attack size over time, in Gbps:

Year   Gbps
2002    0.4
2003    1.2
2004    2.5
2005   10
2006   17
2007   24
2008   40
2009   49
2010  100


Attack volumes of this magnitude wreak havoc not only at the customer edge, but also occasionally in the provider core. This has two important implications. First, enterprises can’t effectively protect themselves. Their provider links can easily become saturated, rendering the organization unreachable and any edge protection ineffective. As a result, protection for all but the largest, most sophisticated organizations must come via a service from an upstream provider—like a Tier 1 carrier or DoS protection specialist—with the network resources to support effective protection. Second, providers must protect themselves or risk congestion that impacts multiple customers. Most providers have done this over the last 10 years and are also now proficient at cooperating with other providers to address the largest, most widely distributed attacks.

More Sophistication

Though basic DoS floods remain an issue, attackers today are a lot more sophisticated, requiring providers to become increasingly resourceful in their countermeasures. Not only are there more DoS attack types in the modern arsenal, attackers have learned to adapt their tactics, morphing attacks to outwit countermeasures as soon as they’re in place. Today’s DoS attack kit includes:

• Basic volumetric attacks. From the equivalent of clicking reload really fast on a bunch of browsers to Internet Control Message Protocol (ICMP) floods, attackers have tried different protocols and leveraged botnets (legions of compromised computers) to generate enormous amounts of highly distributed traffic. By overwhelming the target with these bogus requests, volumetric attacks make it impossible for legitimate requests to receive a response.

• Dynamic attacks. In the old days, attacks would be a simple flood, maybe of a new protocol, but once the provider identified the attack and characterized it, it could implement protection and get on with its life. Not anymore. Providers report that dynamic attacks—those that change their attack mechanisms, rotate different botnets in and out of use, and vary their targets—are becoming more common. See Exhibit 3 for a dramatic illustration of a series of concerted, targeted, dynamic attacks. Notice the series of peaks during the attack as attackers changed tactics and the provider responded.

Exhibit 3: Dynamic Attacks Require Dynamic Protection
Source: Akamai, 2010

Peak request volume as a multiple of normal page traffic, by customer:

Customer          Times Above Normal Pages   Peak Attack Time
US Customer #1    9,095x                     11/30
US Customer #2    5,803x                     12/1
US Customer #3    3,115x                     11/30
US Customer #4    2,874x                     12/1
US Customer #5    1,807x                     12/1
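The “times above normal” figures in Exhibit 3 come from comparing observed traffic with a learned baseline. As an added example (not code from the report, from Akamai or from Arbor Networks), the following Python detector computes per-protocol ratios against a baseline learned from quiet intervals, raises an alert when any protocol exceeds a multiple of its baseline, and flags a tactic change when the dominant attack protocol shifts from one interval to the next, which is what a dynamic attack looks like to the provider. The interval counters, thresholds and protocol names are constructed for illustration.

```python
"""Baseline-ratio detection over constructed per-interval traffic counters.

Added example, not from the Yankee Group report: it shows the "times above
normal" style of volumetric detection behind Exhibit 3 and how a detector
can notice a dynamic attack switching protocols between intervals.
All sample data below is constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: packets/requests observed per 1-minute interval, per
# protocol, for one protected target. Values are invented for illustration.
SAMPLE_INTERVALS = [
    # (interval_start, {protocol: count})
    ("11:00", {"http": 1000, "icmp": 40, "dns": 120}),
    ("11:01", {"http": 1100, "icmp": 35, "dns": 110}),
    ("11:02", {"http": 950, "icmp": 45, "dns": 130}),
    ("11:03", {"http": 1050, "icmp": 38, "dns": 125}),
    ("11:04", {"http": 1000, "icmp": 42, "dns": 115}),
    ("11:05", {"http": 1020, "icmp": 41000, "dns": 120}),   # ICMP flood begins
    ("11:06", {"http": 980, "icmp": 52000, "dns": 118}),
    ("11:07", {"http": 1010, "icmp": 60, "dns": 150000}),   # tactic change: DNS
    ("11:08", {"http": 900000, "icmp": 44, "dns": 122}),    # tactic change: HTTP
]

BASELINE_WINDOW = 5      # number of leading intervals used to learn "normal"
ALERT_MULTIPLIER = 10.0  # alert when a protocol exceeds 10x its baseline


def learn_baseline(intervals):
    """Mean count per protocol over the first BASELINE_WINDOW intervals."""
    totals = defaultdict(float)
    sample = intervals[:BASELINE_WINDOW]
    for _, counts in sample:
        for proto, n in counts.items():
            totals[proto] += n
    return {proto: total / len(sample) for proto, total in totals.items()}


def times_above_normal(counts, baseline):
    """Observed count divided by baseline, per protocol (Exhibit 3 style)."""
    return {proto: counts.get(proto, 0) / max(baseline.get(proto, 1.0), 1.0)
            for proto in set(counts) | set(baseline)}


def detect(intervals, multiplier=ALERT_MULTIPLIER):
    """Return one alert per anomalous interval. Each alert names the dominant
    attack protocol and whether it differs from the previous alert's protocol
    (a tactic change in a dynamic attack)."""
    baseline = learn_baseline(intervals)
    alerts = []
    previous_proto = None
    for start, counts in intervals[BASELINE_WINDOW:]:
        ratios = times_above_normal(counts, baseline)
        flagged = {p: r for p, r in ratios.items() if r >= multiplier}
        if not flagged:
            previous_proto = None   # quiet interval resets the tactic tracking
            continue
        dominant = max(flagged, key=flagged.get)
        alerts.append({
            "interval": start,
            "protocol": dominant,
            "times_above_normal": round(flagged[dominant], 1),
            "tactic_change": previous_proto is not None and dominant != previous_proto,
        })
        previous_proto = dominant
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_INTERVALS):
        print(alert)
```

A real deployment would learn the baseline per target and per time of day from flow data rather than from the five intervals before the first alert, but the ratio logic and the tactic-change signal are the same.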


• Asymmetric attacks. These attacks make small bandwidth requests that result in large processing requirements for the target. For example, requests for images, movies or other downloads are quite small, but they create a lot of work for the target server. Attacks that generate a bunch of these small requests can result in denied service, but in such a way that they don’t trigger detection mechanisms looking for huge variances in incoming traffic volume.

• Infrastructure attacks. While many early attacks targeted Web sites, many other infrastructure components can be directly overwhelmed to yield the same loss of service. Modern attackers target domain name system (DNS) servers, firewalls, load balancers and other infrastructure components to evade detection and complicate mitigation. DNS attacks are multi-faceted because attackers not only target DNS in an attempt to cause massive outages (by taking down the root DNS servers used by the entire Internet), but they also amplify attacks (by tricking DNS servers into overwhelming targets with responses to forged requests).

• Application attacks. Attackers are also moving up the stack and targeting applications directly to deny service in a way that evades current protection mechanisms. For example, a Slowloris DoS attack achieves stealth by sending partial connection requests to the target in an effort to fill the maximum connection pool and thus deny service, while using minimal bandwidth and having little direct impact on unrelated services and ports.

• Cloud-based attacks. Although attacks through cloud providers have yet to become commonplace, security pros are worried about the potential for DoS attacks from compromised cloud services. After all, the ability to rapidly scale up traffic is a key strength of cloud platforms. Compromised cloud provider accounts would make a great botnet.

• Attack tools. Not only have attackers come up with a bunch of attack types, they’ve created point-and-click attack generators to make it easy. Exhibit 4 shows a screen from the open-source Low Orbit Ion Cannon (LOIC) tool. Notice how easy it is to set a target, attack type and various other options. These tools combined with botnets for hire mean very little skill or infrastructure is required to construct a highly effective, powerful and distributed DoS attack.

DoS Protection Is an Ideal Revenue-Generator for Providers

When it comes to keeping out spam, infiltrators or malware, enterprises don’t need to work with providers to protect themselves from most security threats. DoS attacks are different. Edge resources near the target can be overwhelmed fairly easily, rendering protection there irrelevant. As such, DoS protection is one of the very few security requirements organizations can only address via a managed service from a provider.
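The application-layer and asymmetric attacks described above are invisible to volume-based detection because the attacker sends very little; what gets exhausted is the server’s connection table, not the link. As an added example, not from the report or from any provider it profiles, the following Python simulation replays a constructed connection trace against a toy connection table and shows the two server-side controls that contain a slow partial-request attack: a deadline for completing request headers and a per-client cap on concurrent connections. Running the same trace with those limits switched off shows the pool filling up and legitimate clients being refused. The pool size, limits, addresses and trace are all constructed.

```python
"""Connection-pool guard against slow partial-request (Slowloris-style) attacks.

Added example, not from the Yankee Group report or any vendor it profiles.
It replays a constructed event trace against a toy connection table that
enforces a header-completion deadline and a per-client concurrency cap.
Bandwidth-based detection sees almost nothing here; the connection table
is the resource under attack.
"""
from dataclasses import dataclass, field

POOL_SIZE = 50            # max connections the toy server can hold
HEADER_DEADLINE = 10.0    # seconds allowed to finish sending request headers
PER_CLIENT_CAP = 10       # max concurrent connections from one client address


@dataclass
class Conn:
    client: str
    opened_at: float
    headers_done: bool = False


@dataclass
class Guard:
    per_client_cap: int = PER_CLIENT_CAP
    header_deadline: float = HEADER_DEADLINE
    pool_size: int = POOL_SIZE
    pool: dict = field(default_factory=dict)   # conn_id -> Conn
    rejected_cap: int = 0     # refused because the per-client cap was reached
    rejected_full: int = 0    # refused because the pool was exhausted
    reaped: int = 0           # closed because the header deadline was missed
    served: int = 0           # requests whose headers completed
    peak: int = 0             # highest pool occupancy seen

    def _reap(self, now):
        """Drop connections that have not finished headers within the deadline."""
        for cid, c in list(self.pool.items()):
            if not c.headers_done and now - c.opened_at > self.header_deadline:
                del self.pool[cid]
                self.reaped += 1

    def open(self, now, cid, client):
        self._reap(now)
        if sum(1 for c in self.pool.values() if c.client == client) >= self.per_client_cap:
            self.rejected_cap += 1
            return False
        if len(self.pool) >= self.pool_size:
            self.rejected_full += 1
            return False
        self.pool[cid] = Conn(client, now)
        self.peak = max(self.peak, len(self.pool))
        return True

    def headers_complete(self, now, cid):
        self._reap(now)
        c = self.pool.get(cid)
        if c is None:
            return False          # refused earlier or already reaped
        c.headers_done = True
        self.served += 1
        del self.pool[cid]        # toy server answers and closes immediately
        return True


def replay(events, **limits):
    """events: (time, kind, conn_id, client) with kind 'open' or 'headers'.
    Keyword arguments override the Guard limits (e.g. to disable them)."""
    g = Guard(**limits)
    for t, kind, cid, client in events:
        if kind == "open":
            g.open(t, cid, client)
        else:
            g.headers_complete(t, cid)
    return g


def constructed_trace():
    """Constructed trace: one slow client opens 60 connections and never
    finishes its headers; six legitimate clients each open one connection
    and complete it half a second later."""
    ev = [(i * 0.1, "open", f"slow-{i}", "203.0.113.7") for i in range(60)]
    for j in range(5):
        ev.append((7.0 + j, "open", f"ok-{j}", f"198.51.100.{j + 1}"))
        ev.append((7.5 + j, "headers", f"ok-{j}", f"198.51.100.{j + 1}"))
    ev.append((20.0, "open", "ok-late", "198.51.100.9"))
    ev.append((21.0, "headers", "ok-late", "198.51.100.9"))
    return sorted(ev)


if __name__ == "__main__":
    guarded = replay(constructed_trace())
    unguarded = replay(constructed_trace(), per_client_cap=10 ** 6,
                       header_deadline=float("inf"))
    print("guarded:", guarded.served, "served,", guarded.reaped, "reaped")
    print("unguarded:", unguarded.served, "served,", unguarded.rejected_full, "refused")
```

The two limits are deliberately independent: the per-client cap stops a single source from occupying the table, and the header deadline reclaims slots from distributed sources that each stay under the cap. Production servers expose equivalent knobs (request header timeouts and per-address connection limits), which is where this logic belongs rather than in application code.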

Exhibit 4: DoS Attacks: There’s an App for That
Source: Low Orbit Ion Cannon, 2011


Service providers need to protect themselves anyway, since large DoS attacks have congested their core network links and disrupted service to multiple customers. Similarly, DNS providers are regularly under assault as attackers try to disrupt DNS service or trick DNS into overwhelming other targets. To protect themselves, most providers have already instrumented their core networks with DoS protection. By extending DoS protection to the customer edge, providers can leverage this investment to drive new service revenue.

Tier 1 network operators like AT&T, Tata Communications and Verizon have already made these investments and have been offering DoS protection to their customers for years. So have infrastructure service providers like Akamai and VeriSign. All report that demand increased substantially in the second half of 2010. And DoS protection services are sticky—renewal rates over 95 percent are not uncommon.

Beyond core network protection, what do operators need to offer in order to compete? Modern DoS protection offerings have evolved to include:

• Sophisticated detection. Rapid and automated detection of volumetric attacks is table stakes for DoS protection services. All providers must be able to quickly and automatically identify threats like the huge increases in ICMP traffic that characterize routine DoS attacks. To deal with the latest threats and differentiate offerings, providers are getting more granular with their detection capabilities and moving up the stack to analyze traffic for application-level threats. Akamai, for example, even has a dedicated Web Application Firewall offering to address not only threats to availability at the application layer, but also data security risks.

• Automated, cooperative trace back. The ability to characterize and trace attacks to the point of network ingress is necessary not only to minimize congestion in the network core, but also to reduce reliance on over-provisioning and scrubbing (sorting out legitimate traffic from attack traffic) to soak up attack volume. Large network operators like AT&T and Verizon are proficient at sharing descriptions of traffic anomalies, or fingerprints, to trace attacks closer to their source, where mitigation is more effective and cost-efficient. After all, attacks originating from Asia can be difficult to tease out and filter from the mass of traffic at a North American point on Verizon’s network. With fingerprint characterizations, providers can easily continue trace back of these attacks to the source IP addresses in Asia and implement precise filters.

• Robust mitigation. Attackers will continue to devise widely distributed, stealthy attacks that attempt to blend in with legitimate traffic. So while providers can, should and will come up with ever more creative ways to block, filter and rate-limit attacks, over-provisioning will sadly always be required. And smart customers will do the math and rate providers on their ability to withstand brute force attacks. Competing with attackers on bandwidth alone, however, is a lousy arms race, since bandwidth costs providers money but is “free” for attackers. As such, service providers continue to innovate with mitigation techniques. For example, nearly all providers have regional mitigation centers where attack traffic is re-routed for scrubbing. A handful of providers, like Akamai and VeriSign, are experimenting with mechanisms like CAPTCHA redirection (where users must answer a question for their request to be processed) in order to differentiate attack traffic from legitimate requests.

Vendors and Providers Rise to the Challenge

Fortunately for the poor victims of these attacks (and those who know they could be next), there are a range of protection solutions available. And from our industry discussions, it’s clear more offerings will hit the market from a surprising range of providers over the next 18 months. Profiles of today’s most notable providers follow.
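The fingerprint-based trace back described in the list above can be shown concretely. As an added example (not code from the report, from AT&T, Verizon or any other provider named here), the Python below builds a vendor-neutral fingerprint of the dominant traffic to a target from NetFlow-style records at the victim’s provider, matches that fingerprint against an upstream provider’s records to find the ingress points and source prefixes carrying it, and emits illustrative rate-limit rules for those points. All addresses, router and interface names, record values and the rule syntax are constructed; a real exchange would carry the fingerprint in whatever format the two providers agree on.

```python
"""Attack fingerprinting and cooperative trace back over constructed flow records.

Added example, not from the Yankee Group report or any provider it names.
A fingerprint (target, protocol, destination port, typical packet size) is
built where the attack is felt, then applied to an upstream provider's
records to locate ingress points and source prefixes, where filtering is
cheaper and more precise. Every record, address and name is constructed.
"""
from collections import Counter, defaultdict
import ipaddress

# Constructed flow records at the victim's provider:
# (src, dst, proto, dst_port, packets, bytes, ingress_point)
DOWNSTREAM_FLOWS = [
    ("198.51.100.10", "192.0.2.80", "udp", 53, 200000, 260_000_000, "rtr-ny:ge-0/0/1"),
    ("198.51.100.11", "192.0.2.80", "udp", 53, 150000, 195_000_000, "rtr-ny:ge-0/0/1"),
    ("203.0.113.5",   "192.0.2.80", "udp", 53, 180000, 234_000_000, "rtr-sea:ge-0/0/3"),
    ("203.0.113.9",   "192.0.2.80", "tcp", 80,  12000,   9_000_000, "rtr-sea:ge-0/0/3"),
    ("192.0.2.200",   "192.0.2.80", "tcp", 443,  8000,   6_000_000, "rtr-ny:ge-0/0/2"),
    ("198.51.100.22", "192.0.2.22", "tcp", 25,   3000,   2_000_000, "rtr-ny:ge-0/0/1"),
]

# Constructed records from an upstream provider that agreed to trace the fingerprint.
# The small-packet flow via up-lon is ordinary traffic that should not match.
UPSTREAM_FLOWS = [
    ("198.51.100.10", "192.0.2.80", "udp", 53, 200000, 260_000_000, "up-tokyo:xe-1/0/0"),
    ("198.51.100.11", "192.0.2.80", "udp", 53, 150000, 195_000_000, "up-tokyo:xe-1/0/0"),
    ("203.0.113.5",   "192.0.2.80", "udp", 53, 180000, 234_000_000, "up-sing:xe-2/0/0"),
    ("198.51.100.40", "192.0.2.80", "udp", 53,    500,      65_000, "up-lon:xe-0/0/0"),
    ("203.0.113.9",   "192.0.2.80", "tcp", 80,  12000,   9_000_000, "up-sing:xe-2/0/0"),
]


def fingerprint(flows, target):
    """Describe the dominant traffic vector to `target` in vendor-neutral terms."""
    to_target = [f for f in flows if f[1] == target]
    by_vector = Counter()
    for src, dst, proto, port, pkts, nbytes, ingress in to_target:
        by_vector[(proto, port)] += pkts
    (proto, port), pkts = by_vector.most_common(1)[0]
    matched = [f for f in to_target if f[2] == proto and f[3] == port]
    total_bytes = sum(f[5] for f in matched)
    return {
        "target": target,
        "proto": proto,
        "dst_port": port,
        "avg_packet_bytes": total_bytes // pkts,
        "share_of_target_pkts": round(pkts / sum(by_vector.values()), 3),
    }


def matches(fp, flow, size_tolerance=0.25):
    """A flow matches when vector and average packet size agree with the fingerprint."""
    src, dst, proto, port, pkts, nbytes, ingress = flow
    if (dst, proto, port) != (fp["target"], fp["proto"], fp["dst_port"]):
        return False
    avg = nbytes / pkts
    return abs(avg - fp["avg_packet_bytes"]) <= size_tolerance * fp["avg_packet_bytes"]


def trace_back(fp, flows, min_share=0.05):
    """Map each ingress point carrying the fingerprinted traffic to the /24
    source prefixes seen there, dropping ingress points below `min_share`
    of matched packets (probable noise rather than attack sources)."""
    per_ingress = Counter()
    prefixes = defaultdict(set)
    for flow in flows:
        if matches(fp, flow):
            per_ingress[flow[6]] += flow[4]
            prefixes[flow[6]].add(str(ipaddress.ip_network(f"{flow[0]}/24", strict=False)))
    total = sum(per_ingress.values())
    return {ing: sorted(prefixes[ing]) for ing, pkts in per_ingress.items()
            if pkts / total >= min_share}


def filter_rules(fp, ingress_points, pps_limit=1000):
    """Illustrative vendor-neutral rate-limit rules, one per ingress point and prefix."""
    rules = []
    for ing, pfxs in sorted(ingress_points.items()):
        for pfx in pfxs:
            rules.append(f"on {ing}: rate-limit {fp['proto']} from {pfx} "
                         f"to {fp['target']} port {fp['dst_port']} {pps_limit}pps")
    return rules


if __name__ == "__main__":
    fp = fingerprint(DOWNSTREAM_FLOWS, "192.0.2.80")
    print(fp)
    for rule in filter_rules(fp, trace_back(fp, UPSTREAM_FLOWS)):
        print(rule)
```

The packet-size tolerance is what keeps the fingerprint precise enough to share: it lets the upstream provider separate the attack from a legitimate flow to the same port and drop or rate-limit only at the interfaces where the attack actually enters, instead of scrubbing everything destined for the target.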


Akamai

Web site: www.akamai.com

Pricing/Licensing: Monthly fee on top of delivery cost; exposure limited to bursting in the event of an attack

From a DoS protection perspective, Akamai is unique in several respects. First, its network currently includes more than 77,000 servers, in 16,000 locations, on 1,100 networks, in 70 countries. This scale and diversity allows Akamai to simply soak up attacks by efficiently serving them close to the edge. This is not to say Akamai lacks more sophisticated attack response capabilities—far from it. For example, it is among the first providers to offer user validation to distinguish valid users from attacking bots. But the Akamai cloud provides an impressive cushion the likes of which other providers don’t have. Beyond the managed protection service, Akamai also offers DoS attack-related professional services (for before, during and after an attack) and priority support. Finally, DoS protection services are just part of a broader menu of security and availability offerings, which include: Site Shield (cloaks resources from the public Internet by serving requests through the Akamai Edge), Web Application Firewall (to protect against application-level attacks) and Enhanced DNS (to protect against DNS-focused attacks and DNS poisoning).

Arbor Networks

Web site: www.arbor.net

Pricing/Licensing: Peakflow SP (detection) starts at $139,000; Threat Management System (mitigation) starts at $225,000

From its roots as a research project at the University of Michigan in the late 1990s, Arbor Networks has grown into the dominant provider of DoS detection and mitigation solutions. Arbor solutions are used by more than 70 percent of the world’s providers to protect their own networks and as a basis for managed services. Initially, this traction resulted from providers instrumenting their core networks with network flow data collection for DoS and other network anomaly detection. Over time, and with the acquisition of deep packet inspection (DPI) provider Ellacoya, Arbor broadened its security capabilities to include edge deployment and multiple forms of mitigation. The Arbor Threat Level Analysis System (ATLAS) and Arbor Security Engineering and Response Team (ASERT) are preeminent sources of DoS and other network anomaly research and statistics. Arbor’s combined capabilities make it a Top 3 security provider for network operators.

AT&T

Web site: www.business.att.com

Pricing/Licensing: Non-recurring setup charge of $5,000; monthly recurring charge tiered by bandwidth

As the first major network operator to offer DoS protection, AT&T is an innovator and has amassed considerable expertise in this area. Along the way, AT&T invested in improving the capabilities of its DDoS Defense offerings and streamlining its processes around everything from sign-up, to provisioning, to protection, to support. Today, customers can go from initial conversation to protection in a few hours and benefit from broadly distributed detection capabilities and increasingly distributed mitigation capabilities via a growing pool of regional scrubbing centers on AT&T’s OC-768 backbone. DDoS Defense is part of a range of security services and builds on AT&T’s baseline Internet Protect solution that provides early warning of possible attacks, including mitigation recommendations when appropriate.

Prolexic

Web site: www.prolexic.com

Pricing/Licensing: One-time provisioning fee, plus a flat monthly fee based on clean bandwidth (attack traffic not included)

A managed DoS protection service started in 2003, Prolexic has a hard-earned reputation as a leading-edge, in-the-trenches provider that works closely with customers through thick and thin. From a legacy of cloud-based DoS attack mitigation for high-risk organizations such as Internet gambling sites, Prolexic has expanded over time and now offers multiple levels of integration—for example, through DNS re-route or via Border Gateway Protocol (BGP) announcement—and multiple types of mitigation. Prolexic’s infrastructure mixes best-of-breed and home-grown components spread across four data centers around the globe. Currently, this infrastructure includes off-the-shelf platforms as well as Prolexic’s own components, and it enables multiple mitigation methods for different attack types. Prolexic also offers a customer premises box that can perform application-layer monitoring at the client site, ensuring rapid detection and response for Layer 7 attacks, including those at the encrypted layer. Prolexic protection is also informed by its IP reputation database, a catalog of known bad actors that it shares with Computer Emergency Response Team (CERT) and other security organizations.


Tata Communications

Web site: www.tatacommunications.com

Pricing/Licensing: Not disclosed

By leveraging its substantial global network assets, broad geographic presence, ties to the broader Tata Group and low-cost operating model, Tata Communications has put together a unique DoS protection offering. DoS attack detection capabilities are built into the Tata Communications network core, network-wide. Mitigation is provided through four regional scrubbing centers (with more on the way). Both mitigation and scrubbing are based on technology from Arbor Networks. Tata’s from-the-ground-up DoS protection combined with its fast, diverse and global network make for a particularly strong offering, especially for organizations that value a strong presence beyond North America and Europe, either for local protection or local mitigation (since many attacks come from Asia-Pacific).

VeriSign

Web site: www.verisign.com

Pricing/Licensing: $2,000 to more than $50,000 per month, based on number of locations, data centers and gigabytes of protection

As a major provider of Internet infrastructure, including two of the Internet’s 13 root name servers, VeriSign brings a unique perspective and set of capabilities to DoS protection. VeriSign got involved in DoS protection years ago, particularly as attacks started to target DNS infrastructure. In this way, even more than other major network infrastructure providers, VeriSign’s DoS protection started with major investments to bolster its own infrastructure security and availability to withstand significant and regular assault. VeriSign’s DoS protection service is built on the resulting combination of best-of-breed solutions from partners and internally developed components spread across VeriSign’s global, diversely peered backbone. It includes monitoring, detection, alerting capabilities, regional mitigation centers and advanced capabilities such as support for HTTPS traffic and a user-validation redirection mechanism to detect bots. VeriSign’s service also leverages real-time security intelligence from its iDefense division.

Verizon

Web site: www.verizonbusiness.com/

Pricing/Licensing: Flat monthly fee starting at $3,500 per month for mitigation and $1,500 per month for detection

Verizon’s DoS capabilities, which date back to its UUNET acquisition, began with regionalized DoS mitigation in 2004. Over time, Verizon extended its offering to include detection capabilities and global availability backed by a 100 percent uptime service-level agreement (SLA). Upgrades that are currently under way will expand Verizon’s mitigation capability to 60 GB in each of two network backbones with another 40 GB of capacity in a third. Verizon’s mitigation capabilities are uniquely granular. While many providers require customers to reroute a block of address space (a /24) through their mitigation or scrubbing capability, Verizon can do this down to a single IP address. As a result, customers needn’t reroute all traffic on the same network segment as the attack target (for example, rerouting both e-mail and Web site traffic when only the Web site is under attack). Verizon DoS protection also has no variable fee; even if customers face repeated, large volume attacks, they pay the same monthly rate.

Conclusions and Recommendations

DoS attacks are in the headlines again. And DoS protection providers report record demand. But competition is intensifying, pricing models—in particular, variable fees—are coming under pressure, and technology shifts risk derailing today’s leading providers. Here’s what we recommend providers do to cope:

• Leverage scale to allow for flat monthly fees. Variable monthly fees really freak out DoS protection customers: It feels like vendors are adding insult (a sky-high monthly bill) to the injury of an attack. Now that the DoS protection market is growing, leading providers like Akamai and AT&T should follow Verizon’s lead and offer flat monthly pricing.

• Prepare for even bigger attacks. Attacks cresting 100 GB mean DoS protection providers must be able to soak up an enormous amount of traffic. Providers must build to multiples of top attack thresholds or risk endlessly explaining why their filtering jiu-jitsu means more capacity isn’t necessary.


• Streamline operations. Since DoS protection services have been around for about 10 years, early providers like AT&T and Prolexic have streamlined operations substantially and can go from initial conversation to protection in a few hours. Any new entrants must make sign-up, configuration, reporting, billing and so on easy for customers or risk advertising their inexperience.

• Market to cloud providers. Amazon, IBM, Terremark (now part of Verizon), and other cloud providers need to protect themselves and their customers from DoS attacks to avoid embarrassment, brand damage and lawsuits. Not only are they and their customers targets for attack, their infrastructure would make for a great botnet from which to launch attacks.

• Go mobile. Mobile networks are at risk of DoS attacks as well. More than half the mobile network operator respondents to Arbor’s 2010 Infrastructure Security Report reported outages due to security incidents; 50 percent admitted they had limited visibility into their mobile network. As mobile broadband gets faster and mobile devices proliferate, they represent the same risk to mobile network availability as PC-based botnets do to fixed networks. Leading providers are beginning to extend their DoS protection deployments to their mobile networks; other providers must follow suit.

• Watch out for IPv6 migration issues. While vendors are scrambling to add IPv6 support to their network and security solutions, support remains inconsistent. Network operators must keep this in mind as they migrate or risk expensive and embarrassing outages.

Yankee Group—the global connectivity experts

The people of Yankee Group are the global connectivity experts—the leading source of insight and counsel trusted by builders, operators and drivers of connectivity solutions for 40 years. We are uniquely focused on the evolution of Anywhere, and chart the pace of technology change and its effect on networks, consumers and enterprises.

For more information, visit http://www.yankeegroup.com

Yankee Group’s products and services provide clients the insight, analysis and tools to navigate the global connectivity revolution.

• Research: Leverage qualitative research to make informed business decisions today and plan for the future.

• Data: Gain quantitative insight into current markets and new opportunities via monitors, surveys and forecasts.

• Interaction: Connect with analysts to gain deeper insight into research and trends.

• Consulting: Get in-depth analysis and actionable recommendations tailored to your needs.

• Events: Access world-class events live and online with industry leaders and Yankee Group experts.

Ted Julian, Principal Analyst

Ted Julian is a principal analyst in Yankee Group’s Anywhere Network research group. He leads the company’s research in the area of network intelligence — the emerging solutions and technologies that help service providers design and deploy flexible, scalable and secure services over the intelligent IP network. He provides actionable advice regarding network policy management platforms, deep packet inspection (DPI), peer-to-peer communications, Web-based security, AAA, managed DNS services, DNSSec and IPv6.

© Copyright 2011. Yankee Group Research, Inc. Yankee Group published this content for the sole use of Yankee Group subscribers. It may not be duplicated, reproduced or retransmitted in whole or in part without the express permission of Yankee Group, One Liberty Square, 7th Floor, Boston, MA 02109. All rights reserved. All opinions and estimates herein constitute our judgment as of this date and are subject to change without notice.

Corporate Headquarters: One Liberty Square, 7th Floor, Boston, Massachusetts; 617-598-7200 phone; 617-598-7400 fax

European Headquarters: 30 Artillery Lane, London E17LS; 44-20-7426-1050 phone; 44-20-7426-1051 fax