Politics biggest DDoS motivator: Arbor

A survey by Arbor Networks has shown that service providers dealing with distributed denial-of-service (DDoS) attacks believe them to be ideologically motivated, rather than financially motivated or acts of vandalism.

The company asked 114 internet service providers (ISPs) and hosting providers about their experiences with DDoS from October 2010 to September 2011. A whopping 35 per cent said they believed politically motivated attacks to be most common. This was followed by over 30 per cent of respondents believing that the attacks were most commonly motivated by vandalism.

This result surprised Arbor Networks, which believed that most ISPs would say that they didn't know the cause of attacks. Less than 20 per cent said they didn't know what was the most common cause of the attacks.

Other causes for DDoS attacks included online gamers striking out at each other, companies paying criminal elements to attack their rivals and extortion attempts, where a company is asked for money in return for the cessation of a DDoS attack.

"What we're seeing is a growth in the DDoS numbers," said Roland Dobbins, Arbor Networks solutions architect for Asia, adding that the growth in ideological attacks wasn't taking away from the number of attacks conducted for other reasons.

However, Dobbins said that even ideologically motivated attacks were putting money in the pocket of criminals, because those conducting the attacks were paying money for tools or for botnets to do so. The services were easy to use and relatively inexpensive, he said.

"They actually make use of commercial DDoS actors," he said. "The criminals, this is how they get bread on their table."

Less than 10 per cent of survey respondents said that they had encountered no DDoS attacks. Most of them (between 40 and 50 per cent) were experiencing between one and 10 attacks a month. Around 15 per cent saw 11 to 20 attacks a month, around 10 per cent saw 51 to 100 attacks and another 10 per cent 101 to 500 attacks a month. There was a small proportion that had the misfortune to see over 500 attacks a month.

In over 70 per cent of cases, the target of the attack was a customer.

"Any organisation can be a target," Dobbins said. He believed that organisations needed a situational awareness of geopolitical events and controversies in their home country, but also in the country housing their suppliers to successfully ward off DDoS attacks. "Increasingly, the cost of doing business online is that you need to take insurance against DDoS attacks," he said.

Some countries have laws requiring organisations to have mitigation tools for DDoS, but Australia did not, Dobbins said. He said it was something that needed to be considered with the National Broadband Network on the way, because what was the use of having a fat pipe if it was being clogged by denial-of-service attacks?

Over 30 minutes on average was required for over 30 per cent of respondents to mitigate attacks, while 25 per cent said they need less than 20 but more than 10 minutes. The most common tools used to mitigate attacks were access control lists or firewalls, although some respondents used destination- or source-based remote-triggered blackholes, intelligent DDoS mitigation systems or other tools.

Almost 74 per cent of respondents said they didn't refer DDoS incidents to law enforcement because of a lack of resources and time, and also the feeling that law enforcement wouldn't be able to do much about the attacks. However, almost 82 per cent of respondents said that government CERTs (Computer Emergency Response Teams) had a positive role to play in security incident response and welcomed their involvement.

With IPv4 addresses running out and ISPs shifting to IPv6 to compensate, over 65 per cent of respondents said they were concerned about IPv6's security features. A total of 60 per cent said they had little or no visibility into their IPv6 traffic and therefore had no way to detect, classify and track IPv6 attack traffic on their networks. Arbor said that the first IPv6 DDoS attacks had been found in the wild, lending weight to the ISPs' concerns.

Over 63 per cent of the respondents operated datacentres. Of those, over 56 per cent had experienced attacks that sought to take down targets within their datacentre. The DDoS attack had exceeded the uplink capacity of the datacentre to the core network in 25 per cent of cases, a 10 per cent increase year-on-year. In general, 10Gbps DDoS attacks were becoming more frequent, Arbor Networks said.

Dobbins said that the datacentre attacks were problematic because they often took out customers who weren't the target but were sharing infrastructure, although he pointed out that in most DDoS cases, the collateral damage was broad. For example, in the case of a gamer trying to take out another gamer, all the DSL connections in the area might be affected, or the ISPs infrastructure itself.