No wonder the Pentagon has announced it’s working on a plan to fund tools and researchers to help organizations defend themselves against the pervasive threat of cyber assaults known as distributed denial-of-service (DDoS) attacks.
In recent days, the agency said it’s looking to fund researchers who can come up with tools as part of a program starting next April that would, among other things, help organizations recover from DDoS attacks in a maximum of 10 seconds. And the acknowledgement of that hunt for researchers for the program, called Extreme DDoS Defense, arguably comes not a moment too soon.
A few new industry reports are out that show the number of DDoS attacks is trending upward, even hitting new highs. Their provenance and targets take many forms – from organized, malicious hackers targeting sophisticated organizations to more isolated incidents where, experts say, the intent is to just find a weakness somewhere, anywhere. But the result is a kind of cyber blitz that’s growing in number and aggressiveness.
New York Magazine was among those organizations recently hit by a DDoS attack, and at a critical moment. After publishing the blockbuster results of an interview with 35 women who’ve accused Bill Cosby of sexually assaulting them, the magazine’s website was knocked offline by what appeared to be a DDoS attack.
Attacks like those, said Incapsula co-founder Marc Gaffan, are not only on the rise but “have essentially been going up for the last two years, quarter over quarter.”
His company is a cloud-based application delivery service. According to another cloud services provider, Akamai Technologies, DDoS attacks were up 132% in the second quarter compared to the same period in 2014.
During the period between April and June this year, Akamai’s research also found 12 attacks it described as “mega attacks” – which peaked at more than 100 gigabits per second and 50 million packets per second. What’s more, the company said, few organizations are able to mount a strong enough defense to keep attacks like that at bay.
“The threat posed by distributed denial of service (DDoS) and web application attacks continues to grow each quarter,” said John Summers, vice president of Akamai’s cloud security business unit. “Malicious actors are continually changing the game by switching tactics, seeking out new vulnerabilities and even bringing back old techniques that were considered outdated.”
Once upon a time, Gaffan said, the attacks were largely the work of hackers looking to make a name for themselves, to make some larger point or to go after a controversial target to inflict some degree of discomfort.
“They’re also about extortion and ransom,” Gaffan said. “They can be used to stoke competitive feuds, as well as a diversion for a larger attack. When it comes to extortion, attackers are looking online for businesses who’d suffer significantly if their website is down. Most companies don’t pay the ransom.
“Often, we also see ransom numbers so small, they try to make it low enough that it’s a no-brainer for organizations to pay. Companies also hire DDoS gangs to take competitors down. There was one organization that came to us and said, ‘We were attacked.’ Two minutes later, a competitor put on Twitter that they were going out of business, and that’s why their site was down.”
Such attacks continue to be a costly problem for the organizations that end up as targets.
The Q2 2015 Global DDoS Threat Landscape from Incapsula showed, of network layer DDoS attacks, the longest during the quarter lasted 64 days. A little more than 20% of all attacks lasted over five days.
The report based its data on 1,572 network layer and 2,714 application layer DDoS attacks on websites using Incapsula services from March 1st through May 7th.
According to the organization’s DDoS Impact Survey, an attack on average costs a business $40,000 per hour. Implications include the loss of consumer trust, data theft, intellectual property loss, and more, according to the report.
The report went on to note the longest application layer attack it found lasted for eight straight days. The average duration stretched for just over two and a half hours. And in the second quarter, almost 15% of all application layer DDoS traffic came from China, followed by Vietnam, the U.S., Brazil and Thailand.
“What is most disconcerting is that many of these smaller assaults are launched from botnets-for-hire for just tens of dollars a month,” the organization’s threat landscape report reads. “This disproportion between attack cost and damage potential is the driving force behind DDoS intrusions for extortion and vandalism purposes.”
Meanwhile, Arbor Networks Inc., a provider of DDoS and advanced threat protection solutions for enterprise and service provider networks, found similar results. Its just-released Q2 2015 global DDoS attack data shows growth in the average size of attacks, with 21 percent of attacks during the quarter topping 1 gigabit per second.
“One thing we see a lot of is just probing, just hitting the network as hard as they can to see where it will fall down,” said Gary Sockrider, principal security technologist at Arbor. “Another is where this is used for extortion. Where the business model is ok, now we’ve done this – pay us money.”
Sockrider continued, “The lesson to take is this isn’t just a service provider problem. It’s no longer sufficient to leave it to deal with upstream. It’s everybody’s problem. You have to understand that threat, that you are a potential target, and bake that into your business resiliency planning.”