‘Tis the Season for DDoS Attacks
On the East Coast, November marks the end of the official hurricane season. Just as our hurricane season is ending, however, a different kind of storm season is starting: Internet storms. From November 15 through February 28, denial-of-service (DoS) floods and other “storm” attacks pick up, particularly around the holidays. In fact, last year our Security Operations Center recorded its ten biggest days of Distributed DoS (DDoS) attack activity between November and February, with its highest single-day spikes in early and mid-December. Over the last two years (2014 and 2015), DDoS attacks have risen an average of nearly 150% from summer to winter.
Hackers don’t take a holiday, at least when it comes to DDoS attacks.
Why the seasonal spike in DDoS attacks? Because the holidays are when retailers and other businesses have the most to lose from DDoS strikes. The winter holidays represent about 20% of all U.S. retail sales annually (over $3 trillion), not to mention the money they generate for shipping companies, credit card companies and other supporting industries.
DDoS attacks are usually perpetrated for one of two reasons: financial gain or notoriety (and, sometimes, both). It requires the same effort to take down a retailer’s site for a few hours in August or December, but the potential damage is far greater in December—and so, logic dictates, is the price that retailers would pay not to be attacked by a credible threat.
What kind of person would extort money from businesses during the holidays? You might be surprised. The image of the computer-geek-turned-rogue is still valid, but today’s DDoS perpetrators are just as likely to be teenagers with little or no coding experience. DDoS-for-hire services have been cropping up on the Internet to the extent that buying a DDoS attack is not much different than buying a pair of shoes online: you go to a site, pay for the size you want and give them the IP or website address to send it. (A sobering fact: anyone with an Internet connection can locate an IP address for a website or DNS server in about 20 seconds.)
DDoS attacks themselves remain sophisticated, however. Today, most DDoS attacks are Amplification and Reflection attacks, which exploit the User Datagram Protocol (UDP) to send spoofed packets to their target. UDP Reflection works by spoofing someone’s ID (their source IP address) and sending out thousands of requests for information; the responses then flood the spoofed IP address. As an example, think of someone sending a request *From* your email to all of your friends requesting baby pictures or recipes, then having your email inbox flooded with the unwanted responses. That would be an example of a UDP Reflection attack. UDP Amplification refers to the amplified response from the reflecting device. It starts with a botnet (a collection of compromised computers or other IP-connected devices) that sends out small questions with a spoofed ID. Those requests generate a large amplified response from the UDP devices, such as DNS servers or home routers, in effect “amplifying” the amount of noise that the botnet initially creates.
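An added example (not from the original post or from Neustar): a small Python check, run at the network edge of the targeted site, for the reflected traffic described above, that is, replies from DNS or similar UDP services that the receiving host never asked for. The flow-record layout, the port list, the threshold and every address are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for this sketch: flow-record layout, port list, and threshold.
PROTECTED = ip_network("203.0.113.0/24")      # documentation range standing in for our network
REFLECTOR_PORTS = {53: "DNS", 1900: "SSDP"}   # DNS servers; SSDP as answered by home routers
MIN_REFLECTORS = 3                            # distinct senders before we call it a flood

def find_reflection_victims(flows):
    """flows: iterable of (src_ip, src_port, dst_ip, dst_port, nbytes) UDP records.

    Returns {victim_ip: {"reflectors": n, "bytes": n, "services": set}} for protected
    hosts receiving replies from reflector ports that they never requested."""
    flows = list(flows)
    # Pass 1: remember every request a protected host really sent.
    asked = {(src, dst, dport) for src, _, dst, dport, _ in flows
             if ip_address(src) in PROTECTED and dport in REFLECTOR_PORTS}
    # Pass 2: collect replies that have no matching request.
    seen = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "services": set()})
    for src, sport, dst, _, nbytes in flows:
        if sport not in REFLECTOR_PORTS or ip_address(dst) not in PROTECTED:
            continue
        if (dst, src, sport) in asked:
            continue  # legitimate answer to our own query
        rec = seen[dst]
        rec["reflectors"].add(src)
        rec["bytes"] += nbytes
        rec["services"].add(REFLECTOR_PORTS[sport])
    return {v: {"reflectors": len(r["reflectors"]), "bytes": r["bytes"],
                "services": r["services"]}
            for v, r in seen.items() if len(r["reflectors"]) >= MIN_REFLECTORS}

# Constructed sample flows (all addresses come from documentation ranges).
SAMPLE_FLOWS = [
    ("203.0.113.10", 40000, "198.51.100.1", 53, 64),    # real query from .10
    ("198.51.100.1", 53, "203.0.113.10", 40000, 120),   # its real answer
    ("198.51.100.1", 53, "203.0.113.20", 1234, 3000),   # unsolicited replies to .20
    ("198.51.100.2", 53, "203.0.113.20", 1234, 3100),
    ("198.51.100.3", 53, "203.0.113.20", 1234, 2900),
    ("192.0.2.77", 1900, "203.0.113.20", 1234, 1500),
]

if __name__ == "__main__":
    for victim, info in find_reflection_victims(SAMPLE_FLOWS).items():
        print(victim, info)
```

Because the spoofed requests never cross the victim's own network, the absence of a matching outbound query is the signal here; the answered query from 203.0.113.10 is deliberately not flagged.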
Fortunately, a little flood protection can go a long way during the holidays. Neustar even offers a DDoS mitigation service, SiteProtect, that can be turned up just in time for the holidays—and you can keep it all year long, since it’s one gift that keeps on giving.
But don’t take our blog for it. Tune in to our free webinar on October 4th and hear why DDoS flood insurance is the best gift you can give your business this holiday season.