'

Size of DDoS group 'doesn't matter', security agency says

A European security agency has said that the numbers needed for a successful denial-of-service attack are significantly lower than those typically reported

The number of people needed to launch a successful denial-of-service attack has been overestimated by the press, according to the European Network and Information Security Agency.

Attacks such as those by pro-Wikileaks groups need significantly fewer participants than has been reported, the European Network and Information Security Agency (Enisa) said on Tuesday. Visa was taken down by a distributed denial-of-service (DDoS) attack from roughly 500 machines, Ulf Bergstrom, Enisa's spokesman, told ZDNet UK on Thursday.

"An attack can be constituted by much fewer machines [than was thought], and that is quite concerning and quite an important point to make," Bergstrom said.

DDoS attacks against Wikileaks, Visa, PayPal and various government sites all demonstrated that "size doesn't matter: the number of computers used in the attacks was relatively small (in the hundreds). Some press reports claim over six times the real number, which is indicative of the unreliability of information about botnets", Enisa wrote in a statement on Wednesday.

Enisa will release a report in January 2011 that will examine botnet measurement, detection, disinfection and defence.

The agency highlighted that cloud infrastructures can be more robust against DDoS attacks, although Bergstrom declined to identify the more resilient infrastructures.

Pro-Wikileaks supporters attempted to launch a DDoS attack on Amazon.com on 9 December, according to reports, but were unable to affect the site, which shares infrastructure with Amazon's cloud computing subsidiary Amazon Web Services.

Enisa also noted that the tool used for DDoS attacks by Wikileaks supporters — the low orbit ion cannon (Loic) — represents a security risk when used in 'Hivemind mode', as this allows a third party to remotely execute commands on a Loic-users computer.

Two types of denial-of-service attack were used by pro and anti-Wikileaks supporters. Application layer attacks — used against Wikileaks — targeted specific parts of a website to cut service, and appeared to require only one participant. IP-targeting attacks used by pro-Wikileaks supporters flooded the internet protocol (IP) address of a website to knock it offline.

These two types represent the two main "flavours" of DDoS that security professionals see, according to security firm Arbor Networks' chief scientist Craig Labovitz.

"There are two ways we judge the impact of a DDoS attack: it's either the size or the sophistication of the attack. There were efforts on both size and sophistication last week, but neither were very big or very sophisticated. Most of the [Wikileaks] attacks last week were minor," Labovitz said.