UK gambling company warns of DDoS-attack risk

A major UK gambling business has warned that all commercial websites are at risk from a new type of unstoppable and undetectable botnet denial-of-service attack.

Gala Coral e-commerce's gambling sites were taken down for almost 30 minutes by the next-generation 10Gb distributed denial-of-service (DDoS) attack, delegates at the e-Crime Congress 2008 in London were told this week.

Cybercriminals disguised the build up of traffic from up to 30,000 PC and Apple Mac botnet computers during the attack by analysing and reproducing the browsing habits of the sites' typical users.

Peter Bassill, information security officer with Gala Coral E-Commerce, said attackers spent about four months infiltrating the sites ahead of the attack last year, using stolen credit-card details to open the thousands of accounts needed to generate the huge volume of web traffic required for swamping Gala Coral's servers.

More worryingly, during a second attack, the botnet blocked attempts by the websites to stop it using a port firewall, while continuing sending out data to carry on the attack.

Bassill said: "This is a very worrying step we have seen in botnets; we have no way of responding to this without working with law enforcement. The attacks will come from many hosts in small volumes and they are going to be very hard to spot."

"If they can do that to us, a large gaming company, then think what they could do if they find a way to target companies like BT or the nuclear-power industry," Bassill added.

Bassill said DDoS attacks brought its websites down about twice per year and attacks were often preceded by demands for more than $100,000 (£50,000).