November 11, 2008 10:20 AM PST

Study: DDoS attacks threaten ISP infrastructure

Posted by Robert Vamosi

Arbor Networks found that DDoS attack size (in gigabits) nearly doubled in 2008 from the previous year.

(Credit: Arbor Networks)

Internet service providers now spend most of their IT security resources detecting and mitigating distributed denial-of-service attacks, concludes a report from Arbor Networks.

The fourth edition of the Worldwide Infrastructure Security Report, released Tuesday, was based on the responses of 70 lead security engineers to 90 questions. As in the previous three reports, ISPs reported attacks in which their networks were overloaded with packets, what's called a distributed denial-of-service (DDoS) attack. This year, however, the ISPs indicated not only that the attacks were larger but that most of them were stretching their security resources to the upper limit in order to deal with such attacks.

Rob Malan, founder and chief technology officer of Arbor Networks, said the DDoS attacks seen this year broke the 40-gigabit barrier, nearly double the volume of last year's attacks. He warned that if next year's attacks again double in size, "most carriers will be unable to deal with those attacks."

In assessing the attacks, Arbor Networks found that "brute force," a catch-all term, was the dominant method used. The security firm looked at traditional means of DDoS--SYN flood, UDP flood--as well as anything else that artificially created network congestion. Malan told CNET News that despite their massive size, the attacks themselves demonstrated "little sophistication" and were simply "trying to overwhelm network bandwidth."

One consequence of this method was that upstream providers of the targets were increasingly being affected. "If an attacker takes out capacity of (the upstream) routers you're (also) starving the target," he said. Malan said attackers were also using reflective attacks, which use different pieces of DNS structure to redirect traffic away from a target.

While flood-based attacks represented 42 percent of the attacks reported, followed by protocol exhaustion-based at 24 percent, Arbor Networks also saw a sharp increase this year in application-based attacks, which accounted for 17 percent of the attacks.

Malan explained that with application-based attacks, bot-infected computers worldwide make connections to a targeted site, then "use an application protocol to deliver a perfectly valid request, not a vulnerability, not something that an IDS or other type of firewall would necessarily flag." For example, a botnet might instruct its zombie computers worldwide to do a back-end query off a database. "By itself it's not bad, but if you have multiple such requests, then you tie up the application--in this case database--resources on the back end," he said.
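As an added illustration (not from the article or from Arbor's report), here is a small Python detector for the pattern Malan describes: it aggregates back-end cost per endpoint per minute and records whether a classic per-source rate limiter would have fired. The log lines, IP ranges, per-request costs and thresholds are all constructed for the example.

```python
"""Toy detector for the application-layer DDoS pattern Malan describes: many
bots each send a few valid but expensive requests, so a per-source rate limiter
never fires while the database behind the endpoint saturates. All values are
constructed for this example; the log format is Apache common log."""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" \d{3}')
ENDPOINT_COST = {"/search": 40, "/report": 25}  # assumed back-end cost per request
DEFAULT_COST = 1        # static content barely touches the database
PER_IP_LIMIT = 5        # requests/minute a classic per-source limiter tolerates
COST_BUDGET = 500       # back-end cost units/minute the database can absorb

def parse_line(line):
    """Return (minute_bucket, src_ip, path) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, target = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(second=0)
    return when, src, target.split("?", 1)[0]

def analyze(lines):
    """Aggregate per (minute, path); flag windows whose total back-end cost
    exceeds the budget and note whether a per-IP limiter would have caught it."""
    hits = defaultdict(Counter)  # (minute, path) -> Counter of source IPs
    for parsed in filter(None, map(parse_line, lines)):
        when, src, path = parsed
        hits[(when, path)][src] += 1
    alerts = []
    for (when, path), sources in sorted(hits.items()):
        requests, busiest = sum(sources.values()), max(sources.values())
        cost = requests * ENDPOINT_COST.get(path, DEFAULT_COST)
        if cost > COST_BUDGET:
            alerts.append({"window": when.isoformat(), "path": path,
                           "requests": requests, "distinct_sources": len(sources),
                           "cost": cost, "max_per_ip": busiest,
                           "per_ip_limiter_fires": busiest > PER_IP_LIMIT})
    return alerts

# Constructed sample: 30 bots, one expensive /search each, plus one browsing user.
SAMPLE_LOG = [f'10.0.{i // 256}.{i % 256} - - [11/Nov/2008:10:20:{i:02d} -0800] '
              f'"GET /search?q=term{i} HTTP/1.1" 200 812' for i in range(30)]
SAMPLE_LOG += ['192.0.2.7 - - [11/Nov/2008:10:20:05 -0800] '
               '"GET /index.html HTTP/1.1" 200 4096'] * 5

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The single alert it raises shows 30 distinct sources at one request each: the per-IP limiter never trips, yet the endpoint's aggregate cost is more than double the budget.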

The report does contain some good news. Arbor Networks found detection and mitigation of these attacks to be increasing as well. Fifteen percent of the respondents said, on average, they can mitigate an attack within 10 minutes of detection. However, 30 percent said mitigation still takes them over an hour.

But finding the criminals responsible for these attacks is not a high priority. Arbor Networks found that ISPs have little time to involve law enforcement. "It's hard on carriers," said Malan. "They get paid on traffic, not to do forensic analysis. So it's hard from their perspective to make the economics work."


As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
5 comments
by The_Decider November 11, 2008 2:22 PM PST
The solution to DDoS lies not in actions that an ISP or law enforcement can take. There are two viable solutions to this problem, and doing either will solve or mitigate plenty of other security issues.

1. Ban all MS OSes.

2. Force MS to produce a secure OS that is not so easy to bot without the user's knowledge.

If the DDoSers want to attack, then they will be forced to use methods that will be easy to trace to them.
by NikEst November 11, 2008 3:32 PM PST
The_Decider: It's not that simple. Your 'solution' will probably only stall the attacks. Every OS is vulnerable to this, pretty much no matter what. You suggest stopping the use of only MS software, but if everybody suddenly switched to, say, Linux or OS X, we'd see a very steep increase in security holes in those OSes simply because it's now worth hackers' time to find and use holes in those OSes.
by Michichael November 11, 2008 5:15 PM PST
Pretty much. It's an age-old argument: other OSes are not more secure because there are fewer exploits; there are fewer users to begin with, so flaws in the OS are not as easily apparent. Not to mention it's not "worth" hacking a Linux box if there's nothing to be gained by it. Most people use a Windows PC. If you've got a village in the middle of nowhere that you want to rob and ambush, with a main road, a four-lane road, and multiple little bike paths into it, you'd monitor that main road and try to ambush people on that, as you've got a far better chance of turning a profit by attacking the thing people use.
by oldmanriver2 November 13, 2008 8:33 AM PST
The comment in the article on 'reflective' attacks does not seem accurate. As far as I've always thought, this variant doesn't redirect traffic away from the target... it uses packets with forged source headers (using the target's address) and sends them to a third party, who tries to respond to the source (the target).
by ManuelLabor November 14, 2008 10:13 AM PST
The argument that Windows is only the target because it's popular holds no water either. Which do you think a cracker would desire more: breaking into a few multigigabit Linux servers, or working to build a network of tens of millions of DSL- and cable-based machines? With Linux machines, you need far fewer to pack the same punch as a gigantic Windows botnet. So, Linux would obviously make the better target. Windows isn't the target because it's popular. Windows is the target because it's easy.