A Distributed Denial of Service (DDoS) attack is a coordinated attempt to disable your website using multiple connected online devices. It can happen to any unprotected website online. The aim of the attack is to overwhelm a target website with fake traffic. The excessive amount of traffic causes the website servers to crash, making the site unavailable to intended users.
The attacks can come in many forms; here are two examples:
- Sophisticated DDoS attacks – target a weak point in the application layer. The attack requires little bandwidth and can be identified and prevented by the customer using appropriate protective mechanisms.
- DDoS brute-force attacks – are generally based on the network layer and are carried out by several dispersed computers (botnets).
A device can become infected with a bot through malware (malicious software) distribution, such as a spam email. The device then plays host to one or more bots, and they generate fake traffic towards the target website. The device owner is more than likely unaware this is happening. More importantly, the target website owners may also be unaware of what is happening.
The botnet controller (bot herder) can direct the army of compromised devices from a remote location, making it hard to trace their traffic and catch the culprit. Unlike single-source DoS attacks, DDoS attacks tend to target the network infrastructure to saturate it with huge volumes of traffic. DDoS attacks are harder to intercept and detect because of the sheer volume of incoming traffic from the devices involved. DDoS attacks don’t typically breach your security perimeter, such as your firewall. At the beginning it just appears to be an unexplained spike in traffic. As it persists, you realise there is a bigger issue, and at this stage your website and servers are unavailable to legitimate users. While this is a massive inconvenience and potentially costly, the DDoS may just be a distraction for more sinister activity. While you scramble to get your website live again, the real attack is aimed at your security systems, allowing cyber vandals to go after a bigger prize, such as customer data.
Why would anyone carry out a DDoS attack?
At this point you may be thinking ‘my enemies wouldn’t stoop so low’. Or you’ll do a quick mental audit of the security measures your website has in place. You may feel your website, or the analytics tool, has enough eyes on it to spot something going wrong. The people who execute DDoS attacks are indiscriminate in target and unscrupulous in rationale. There are lots of reasons your website could be subject to a DDoS attack. In some cases, the attack may have been carried out by legitimate businesses on websites infringing on copyright or intellectual property. In most cases, the motives are more sinister. It could be a show of force by a group of ‘hacktivists’ or an attempt to bring attention to their cause.
In some cases, it could be a deliberate attempt to extort money from an SME or a large multinational. Once the attack is in place, the attackers will send a ransom note outlining what it will cost to remove the DDoS. Companies such as e-commerce retailers or financial institutions are particularly vulnerable. The attackers will know that these companies’ business models and revenue streams are web dependent. A DDoS attack can prove to be very costly. DDoS attacks can last hours, days, or even weeks. Obviously, the longer a DDoS lasts, the greater the impact on critical KPIs like revenue, consumer trust and brand reputation. If you don’t cave in to the ransom demand, you will need to source, implement and pay for a solution. There will be further costs to consider if a company is required to pay compensation to clients. If knowledge of the attack is made public, you may need to undertake a marketing campaign to repair any reputation damage.
How do you know if a DDoS attack has happened?
The short answer is if you are unprotected you won’t… until it is too late. Some large hacking groups have sent threats across social media to gain attention. Unless the hacktivists are targeting a high-profile website to garner publicity, DDoS attacks generally occur without warning. If the attack is an attempt to extort money from the victim, the command to attack your site will certainly come with no warnings at all. Companies don’t normally spend their workday browsing their own website. If you are monitoring traffic in an analytics tool, you may notice some unusual activity. It may take time to fully realise what is happening; websites can go down from time to time without anything malicious occurring.
The first real alarm bell might come from customers complaining on social media. You check your server and hosting to make sure they are not the issue. You perform some basic tests and find a high amount of network traffic with resources maxed out. You check for virus programs, but you don’t find any working in the backend of your website. By now you have realised you are under a DDoS attack. This may take hours to understand, all the while your website has been offline with no explanation. If you generate revenue online, you are now losing money and will continue to do so if the attack lasts.
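An added example (not from the article or Virgin Media Business) of the kind of check an analytics or log-monitoring tool would run: it parses constructed Common Log Format lines, compares each 10-second window against the baseline request rate, and reports whether a flagged spike comes from one address or from many, the distinction the article draws between a single-source DoS and a DDoS. The log lines, addresses and thresholds are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Common Log Format: ip ident user [dd/Mon/yyyy:HH:MM:SS zone] "request" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*:(\d\d):(\d\d):(\d\d) [^\]]*\] "')


def parse_line(line):
    """Return (source_ip, seconds_into_day) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, hh, mm, ss = m.groups()
    return ip, int(hh) * 3600 + int(mm) * 60 + int(ss)


def rate_windows(lines, window=10):
    """Bucket requests into fixed windows: {window_index: Counter(source_ip)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, sec = parsed
            buckets[sec // window][ip] += 1
    return buckets


def flag_anomalies(lines, window=10, factor=5.0):
    """Flag windows whose request count exceeds factor x the median window.
    Returns [(window_index, requests, distinct_sources, verdict)]."""
    buckets = rate_windows(lines, window)
    counts = sorted(sum(c.values()) for c in buckets.values())
    median = counts[len(counts) // 2] if counts else 0
    findings = []
    for b in sorted(buckets):
        total = sum(buckets[b].values())
        if median and total > factor * median:
            top = max(buckets[b].values())  # busiest single address
            # Spread across many addresses suggests a botnet (DDoS), not one host (DoS).
            verdict = "distributed" if top < 0.25 * total else "single-source"
            findings.append((b, total, len(buckets[b]), verdict))
    return findings


def make_line(ip, sec):
    """Build a constructed CLF line at the given second of the day."""
    hh, mm, ss = sec // 3600, sec % 3600 // 60, sec % 60
    return (f'{ip} - - [10/Oct/2010:{hh:02d}:{mm:02d}:{ss:02d} +0000] '
            f'"GET / HTTP/1.1" 200 512')


# Constructed sample: a quiet baseline, then 40 requests from 40 addresses in one window.
SAMPLE = [make_line("192.0.2.10", s) for s in (1, 5, 12, 18, 25)]
SAMPLE += [make_line(f"198.51.100.{i}", 30 + i % 10) for i in range(40)]
```

Running `flag_anomalies(SAMPLE)` flags only the fourth window and labels it distributed; on real logs the baseline should be taken from a longer normal period than four windows.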
DDoS Crossfire – Operation Payback
Operation Payback was a group of DDoS attacks on high-profile opponents of Internet piracy. The perpetrators identified themselves as the Internet activists “Anonymous”. In 2010, several Bollywood companies issued ‘take down’ notices to websites that distributed their films illegally. As expected, these pirate sites did not respond. The Bollywood companies then hired Aiplex Software to launch DDoS attacks on these pro-piracy websites. Operation Payback was launched as a retaliation to these DDoS attacks. It then snowballed into attacks on major pro-copyright and anti-piracy organisations, law firms, and individuals. The Motion Picture Association of America (MPAA) and the International Federation of the Phonographic Industry were two victims of Operation Payback. They suffered a combined total downtime of 30 hours. In the following days, Operation Payback attacked a multitude of sites affiliated with the MPAA, such as the Recording Industry Association of America (RIAA) and the British Phonographic Industry. They then targeted some of the large law firms these companies retained.
One of the law firms in the UK, ACS:Law, was subject to Operation Payback. When asked about the attacks, Andrew Crossley, owner of ACS:Law, said: “It was only down for a few hours. I have far more concern over… having to queue for a coffee than them wasting my time with this sort of rubbish.” When the site came back online, a 350MB backup file was available for download for a brief period. The backup contained lots of sensitive information, which was posted onto various peer-to-peer networks and websites. Some of the information was in unencrypted Excel spreadsheets listing the names and addresses of people that ACS:Law had accused of illegally sharing media. One contained the details of 8,000 Sky customers accused of infringing the copyright on music by sharing it on peer-to-peer networks. This alleged breach of the Data Protection Act has become part of the ongoing investigation into ACS:Law by the Information Commissioner’s Office.
The Business Protection Solution
The only way you can prevent a DDoS attack is by having protection in place to deal with it. Much like in the medical world, prevention is better than a cure. Virgin Media Business’ DDoS Protection Service stops DDoS attacks against your business and ensures that services remain available to your customers. Once the protection is activated, the system constantly analyses the data stream for anomalies. When an attack is detected in its early stages, the data stream of fake traffic is diverted by the Threat Management System (TMS). The TMS appliances are located in scrubbing centres within the Virgin Media Business European backbone. An Internet backbone is a data route between large, strategically interconnected networks that requires high-speed bandwidth connections and high-performance servers and routers. In the scrubbing centres, the fake traffic data stream designed to create the DDoS is separated from the real data traffic of genuine users. With the protection in place, the only delay a genuine website visitor would encounter would be due to the traffic being temporarily rerouted through a TMS appliance. Due to the scale of the Virgin Media Business European backbone, even under large-scale attacks, delays would be minor. After this separation process, the clean data stream is transferred to the website so that the customer can continue to do business, unaware there was ever a problem.