March 2011 DoS Attacks Are Bigger and Badder Than Ever by Ted Julian, Principal Analyst, [email protected] The Bottom Line More people are launching bigger and more sophisticated denial-of-service (DoS) attacks at more targets than ever before. Virtually any organization is a potential target and, unlike other security challenges, firms can’t address DoS attacks without provider assistance. Now that demand is peaking and technology has matured, operators should take advantage of this unique opportunity to drive revenue. DoS Attacks Are Back by hacktivists in the future is a contributing factor (see the December 2010 Yankee Group Report “WikiLeaks Effect Creates Denial-of-service (DoS) attacks are back in the spotlight. Certainly, New Security Winners, Losers”). But the fact is DoS attacks have the December 2010 attacks against the WikiLeaks Web site and evolved quite a bit over the last 10 years. DoS activity is no longer then the counter-attacks by WikiLeaks sympathizers against primarily the bailiwick of teenagers launching crude flood-based targets including MasterCard, PayPal, Visa and others are partly attacks. It has evolved to include a diverse range of motivations and responsible. And WikiLeaks’ role as a catalyst for more attacks techniques (see Exhibit 1). Exhibit 1: DoS Attack Complexity, Volume and Motivation Increase Over Time Source: Yankee Group, 2011 June 2009 Iranian election protests trigger DoS attacks against Iran’s government July 2009 Series of DoS attacks target U.S. government sites including the White House, Department of Transportation, Federal Trade Commission and Department of the Treasury October 2002 DoS flood disrupts service August 2009 at nine of the 13 DNS Social networking sites, including Twitter and Facebook, experience root servers outages as collateral damage of DoS attacks against a Russian blogger 1980 1990 2000 2010 November 1988 July 2001 December 2010 Arguably the first Code Red worm DoS attacks worm and first DoS attacks a list of target WikiLeaks “attack,” the Robert IP addresses, and WikiLeaks Morris Worm including the Web sympathizers target unintentionally site for the U.S. MasterCard, PayPal, wreaks havoc White House Visa and others on the nascent Internet February 2000 April-May 2007 DoS attacks shut Series of DoS down Yahoo, eBay attacks against and Amazon Estonian targets suggest political motivation © Copyright 2011. Yankee Group Research, Inc. All rights reserved. DoS Attacks Are Bigger and Badder Than Ever Methodology • Activism. The WikiLeaks attacks are the latest example of DoS attacks being used to promote activist agendas. Why risk For this report, Yankee Group conducted more than 20 interviews a dangerous protest if you can garner publicity for your cause with network operators like AT&T and Verizon, specialized service from the comfort of your couch? The combination of point-and- providers like Akamai and VeriSign, and equipment vendors like click attack tools and social media as an organizing mechanism is Arbor Networks and Radware. These interviews provided a basis making activist attacks easier than ever. for the qualitative and quantitative analysis in this report while also informing our review of past, present and future trends in As a result, while DoS attacks used to be primarily targeted DoS attacks. In the course of conducting this research, it became at household names and other obvious targets, nowadays any clear that not only were DoS attacks growing substantially (the organization with money to lose, political interests or activist WikiLeaks attacks occurred just as our research process began), enemies—effectively anyone—is a potential target and should but as a result, so was interest in solutions. Indeed, service consider protection. providers of all types are in the process of either creating new solutions or refining the ones they already have. And they are More Volume actively evaluating buy vs. build vs. partner options to achieve these objectives. The brief vendor profiles included in this report are Ask any security engineer at a service provider about attack intended to help inform those activities and give enterprises a head volume and they will wax nostalgic over the size of yesterday’s start in their evaluations. attacks, saying things like, “It was a 100 meg attack and we were freaking out. We thought that was huge!” That’s because attack DoS Attacks Are Badder Than Ever volume continues to grow. In fact, multiple providers reported attacks in 2010 that crossed the 100 Gbps barrier. According DoS attack frequency and volume has increased substantially to Arbor Networks, 2010 DoS attack size more than doubled over the last two years. According to Arbor Networks’ 2010 compared to 2009 (see Exhibit 2). Infrastructure Security Report, 69 percent of network operators surveyed reported at least one attack per month, while 35 percent Exhibit 2: DoS Attack Size Doubles to 100 Gbps reported 10 or more per month, up from 18 percent in 2009. More Source: Arbor Networks’ 2010 Infrastructure Security Report frequent attacks are the result, at least in part, of a growing array DoS Attack Size Over Time Bandwidth in Gbps of attackers with a wide range of motivations, including: 100 100 • Organized crime. Using DoS attacks for extortion is not 90 80 new. Historically, such attacks were primarily targeted at online 70 60 gambling sites, but more recently retailers have become targets 49 50 40 as well. In either case, the attacker launches a sample attack 40 prior to a major sporting event or holiday, and then demands 30 24 20 17 protection money to ensure it doesn’t happen again. Providers 10 10 0.4 1.2 2.5 also report evidence of competitive attacks (e.g., one retailer 0 arranging to have a competitor attacked during the holiday 2002 2003 2004 2005 2006 2007 2008 2009 2010 shopping season or around a major product launch). • Politics. Attacks like those in 2009 during the Iranian election and around July 4 against a range of U.S. government targets contribute to a growing body of evidence that governments are sponsoring attacks for political motivations. Cybersecurity pundits fear not only increasingly large and sophisticated DoS attacks, but also multifaceted attacks of which DoS is just a component or a diversionary tactic to cloak something more sinister. 2 © Copyright 2011. Yankee Group Research, Inc. All rights reserved. March 2011 Attack volumes of this magnitude wreak havoc not only at Exhibit 3: Dynamic Attacks Require Dynamic Protection the customer edge, but also occasionally in the provider core. Source: Akamai, 2010 This has two important implications. First, enterprises can’t effectively protect themselves. Their provider links can easily become saturated, rendering the organization unreachable and any edge protection ineffective. As a result, protection for all but the largest, most sophisticated organizations must come via a service from an upstream provider—like a Tier 1 carrier or DoS protection specialist—with the network resources to support effective protection. Second, providers must protect themselves or risk congestion that impacts multiple customers. Most providers have done this over the last 10 years and are also now proficient at cooperating with other providers to address the largest, most widely distributed attacks. More Sophistication Though basic DoS floods remain an issue, attackers today are a lot more sophisticated, requiring providers to become increasingly resourceful in their countermeasures. Not only are there more DoS attack types in the modern arsenal, attackers have learned to adapt their tactics, morphing attacks to outwit countermeasures as soon as they’re in place. Today’s DoS attack kit includes: • Basic volumetric attacks. From the equivalent of clicking reload really fast on a bunch of browsers to Internet Control Message Protocol (ICMP) floods, attackers have tried different protocols and leveraged botnets (legions of compromised Times Above Normal Pages Peak Attack Time computers) to generate enormous amounts of highly distributed US Customer #1 9,095x 11/30 traffic. By overwhelming the target with these bogus requests, US Customer #2 5,803x 12/1 volumetric attacks make it impossible for legitimate requests to US Customer #3 3,115x 11/30 receive a response. US Customer #4 2,874x 12/1 • Dynamic attacks. In the old days, attacks would be a simple US Customer #5 1,807x 12/1 flood, maybe of a new protocol, but once the provider identified the attack and characterized it, it could implement protection and get on with its life. Not anymore. Providers report that dynamic attacks—those that change their attack mechanisms, rotate different botnets in and out of use, and vary their targets—are becoming more common. See Exhibit 3 for a dramatic illustration of a series of concerted, targeted, dynamic attacks. Notice the series of peaks during the attack as attackers changed tactics and the provider responded. © Copyright 2011. Yankee Group Research, Inc. All rights reserved. 3 DoS Attacks Are Bigger and Badder Than Ever • Asymmetric attacks. These attacks make small bandwidth • Cloud-based attacks. Although attacks through cloud requests that result in large processing requirements for the target. providers have yet to become commonplace, security pros are For example, requests for images, movies or other downloads worried about the potential for DoS attacks from compromised are quite small, but they create a lot of work for the target server. cloud services. After all, the ability to rapidly scale up traffic is a Attacks that generate a bunch of these small requests can result in key strength of cloud platforms. Compromised cloud provider denied service, but in such a way that they don’t trigger detection accounts would make a great botnet. mechanisms looking for huge variances in incoming traffic volume. • Attack tools. Not only have attackers come up with a • Infrastructure attacks. While many early attacks targeted bunch of attack types, they’ve created point-and-click attack Web sites, many other infrastructure components can be directly generators to make it easy.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages9 Page
-
File Size-