DDoS Attacks Take on Political Motivations as Attackers Evolve

Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:32:52


DDoSDDoS attacks come in all shapes and sizes, and in a lot of cases, the victims of the attacks don’t much care who is executing the attack or why. They just know that their network is being overwhelmed with junk traffic. But the last year has seen a major volume of politically motivated attacks, and new research shows that as much as 35 percent of DDoS are the result of some political or ideological motivation.

Arbor Networks, in a survey of more than 100 security engineers, architects and executives at data centers, found that not only are attackers going after some targets for political or ideological reasons, many of the attacks were of fairly large volume. In fact, 25 percent of the attacks reported by the respondents were bigger than the entire incoming bandwidth of the data center. Also, Arbor found that there were more attacks that were larger than 10 Gbps.

“The largest reported DDoS attack during the survey period was 63.5 gb/sec, in contrast with the 100 gb/sec attack reported in the 2010 WISR. Network operators should not misconstrue this as decreasing severity of attacks. To the contrary, network operators should understand that an attack in the tens of gigabits per second is more than sufficient to take down most businesses, and that this data underscores how extremely serious a threat these increasing attacks are to network infrastructure and ancillary support services such as DNS — not to mention end-customer properties,” Arbor said in its report.

The DDoS attack problem never really goes away, it just sort of morphs and evolves as the years go by. Sometimes the news is full of stories about large attacks that have taken entire companies offline or caused large Web sites to go dark for a few hours. And other times things seem to be quieter, but the attacks are always out there. They may be smaller and quieter than the others, but they’re still there.

Research published Monday by Radware, based on a survey of enterprise IT staffs, found that in 2011, 76 percent of the DDoS attacks the respondents experienced were less than 1Gbps. Those attacks, in many cases, were both network and application attacks, rather than the more common network-only attacks. Network attacks are the classic form of DDoS and are fairly simple to accomplish with a wide variety of freely available tools. Application attacks are somewhat different in that they typically don’t involve huge amounts of spoofed traffic from botnets.

“The impact of application flood attacks are much more severe than the network flood attacks – it is much easier to detect and block a network flood attack (which is about sending a large volume of irrelevant traffic such as UDP floods, SYN floods and TCP floods, typically spoofed) rather than an application flood attack where the attackers are using real IP addresses from real machines and running complete application transactions – it’s the users which are not real,” Radware said in its report.

The company’s data shows that more than half–54 percent–of the DDoS attacks reported by its respondents were targeted at the application level, including SMTP, HTTP and DNS. Of the attacks that went after the network, 25 percent were simple TCP floods.

Arbor, in its report, also found that 50 percent of its respondents reported some sort of network-level DDoS attack.

“Respondents indicate that sophisticated layer-7 DDoS attack methodologies have become commonplace, and that complex multi-vector DDoS attacks with both volumetric and layer-7 attack components are rapidly gaining in popularity with attackers,” Arbor said.