DDoS Attacks: If Money's Not The Motivator Anymore, What Is?
10:54 AM EST Mon. Feb. 13, 2012
Money used to be the driving force behind Distributed Denial-of-Service attacks, which often were launched for competitive reasons or outright extortion. Not anymore. The pursuit of profit has been replaced by ideology as the single biggest reason for groups or individuals to try to take down an organization's or government agency's Web site. Any organization can become a target, as a plethora of DDoS attack tools are readily available on the Web. "What we saw in 2011 was the democratization of DDoS," said Roland Dobbins, solutions architect for security vendor Arbor Networks.
Following are the top eight trends listed in Arbor Networks' seventh annual Worldwide Infrastructure Security Report.
Of the 114 mobile and fixed wireless service providers surveyed for the report, 35 percent said hacktivism was the No. 1 motivation for DDoS attacks, followed by nihilism or vandalism. The shift away from money means a sea change in the risk assessment model for network operators, according to Arbor Networks. Making the problem worse is easy access to tools that almost anyone can use to launch an attack.
Respondents found a significant increase in the number of flood-based DDoS attacks in the 10-Gbps range. With such large assaults becoming the norm, network operators have had to prepare for them on a routine basis. The largest attack listed in the report was 60 Gbps. Such assaults represent serious threats to network infrastructure and ancillary support services, such as DNS, according to Arbor Networks.
Application-layer DDoS attacks grew in number and sophistication and have now become commonplace. Complex, multivector DDoS assaults with flood-based and application-layer attack components are quickly gaining in popularity with attackers.
A significant number of mobile and fixed wireless operators reported that detecting security threats on their networks remained difficult. Although these companies were in the minority, Arbor Networks said their inability to detect infected hosts pointed to significant blind spots in their networks. More than 40 percent of respondents were unaware of what percentage of their subscriber base may be compromised and participating in botnets.
Last year marked the first time survey respondents reported seeing IPv6 DDoS attacks on their networks. Arbor Networks called the attacks a "significant milestone" in the arms race between attackers and defenders. The reports confirmed that network operators need visibility and mitigation capabilities to protect IPv6-enabled properties.
Despite reports of the first IPv6 DDoS attacks, the incidents were relatively rare last year. While deployment of the latest Internet Protocol has increased, it has not reached a level where it is profitable for cybercriminals to pay serious attention to it. The rarity of attacks also indicated that a lot of IPv6 network traffic may not be monitored, so threats were most likely missed.
Firewalls, intrusion prevention systems and load-balancing devices were failing under DDoS attacks. Respondents reported that state-table exhaustion was the primary reason for the failures. Network operators said they needed the capability to defend these stateful devices against DDoS attacks.
Network operators reported they seldom worked with law enforcement in DDoS attacks. As in previous years, respondents said they lacked confidence in law enforcement's capabilities and willingness to investigate online attack activity. Network operators also were dissatisfied with current government efforts to protect critical infrastructure.