What is a DoS attack? What is a DDoS attack? What’s the difference? How are they created? What are their strengths and weaknesses? Before discussing any survival techniques, you must first understand what you are trying to survive.

To provide a figurative example of a DoS attack, imagine yourself walking into a bank that only has a single teller window open. Just as you are about to approach the teller, another person rushes into the bank and cuts in front of you. This person begins making small talk with the teller, and has no intention of performing any bank-related transactions. As a legitimate user of the bank, you are left unable to deposit your check, and are forced to wait until the “malicious” user has finished his or her conversation. Just as this malicious user leaves, another person rushes into the bank, again cutting to the front of the line ahead of you and forcing you to keep waiting. This process can continue for minutes, hours, even days, preventing you or any of the other legitimate users who lined up behind you from performing bank transactions.
During DoS attacks, attackers bombard their target with a massive amount of requests or data – exhausting its network or computing resources and preventing legitimate users from having access. More simply, a DoS attack is when an attacker uses a single machine’s resources to exhaust those of another machine, in order to prevent it from functioning normally. Large web servers are robust enough to withstand a basic DoS attack from a single machine without suffering performance loss (imagine if the bank in the above example had many teller windows open for you to use to avoid waiting for the busy one). However, attackers will often carry out DDoS attacks, which employ multiple machines for increased effectiveness, in effect, by trying to tie up all of the tellers at all of the open windows. In that scenario, it can often be harder to detect and block attackers manually, so special defenses are necessary to detect and defend against such large-scale attacks. Additionally, attackers almost never legitimately control their attacking machines; rather, they infect thousands of computers spread across the world with specialized malware in order to gain unauthorized access to such machines. A collection of hundreds or thousands of compromised machines acting as an army under the control of one attacker is called a “botnet”, and oftentimes the actual owners of machines that are part of a botnet are unaware that their computers have been compromised and are being used to launch DDoS attacks.
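A small illustration of why the two cases call for different defenses, as an added example that is not from the original paper: it buckets web-server requests into time windows and labels a window as a single-source flood (one address dominates, so a per-IP block suffices) or a distributed flood (volume is too high, but no single source stands out). The log format, the two thresholds and all the traffic are constructed assumptions.

```python
"""Tell a single-machine flood (DoS) from a distributed one (DDoS) in web logs.
Added example, not code from the original paper; the log format, thresholds and
traffic are constructed assumptions."""
from collections import Counter
from datetime import datetime

SINGLE_SOURCE_MAX = 50  # assumed: more than this from one IP per window is a flood
TOTAL_MAX = 200         # assumed: more than this per window exceeds server capacity

def parse_line(line):
    """Constructed log format: '<ISO-8601 timestamp> <client IP> <path>'."""
    ts, ip, path = line.split()
    return datetime.fromisoformat(ts), ip, path

def classify(lines, window_s=10):
    """Bucket requests into fixed windows and label each window."""
    buckets = {}
    for ts, ip, _ in map(parse_line, lines):
        slot = int(ts.timestamp()) // window_s * window_s
        buckets.setdefault(slot, Counter())[ip] += 1
    verdicts = []
    for slot in sorted(buckets):
        counts = buckets[slot]
        total = sum(counts.values())
        top_ip, top_n = counts.most_common(1)[0]
        if top_n > SINGLE_SOURCE_MAX:
            verdict = "dos"    # one address dominates: blocking that IP suffices
        elif total > TOTAL_MAX:
            verdict = "ddos"   # volume too high, yet no single source stands out
        else:
            verdict = "normal"
        verdicts.append({"slot": slot, "verdict": verdict, "total": total,
                         "sources": len(counts), "top_ip": top_ip, "top_n": top_n})
    return verdicts

def make_log(ts, sources, per_source, path="/"):
    """Constructed traffic: `per_source` requests from each IP in `sources` at `ts`."""
    return [f"{ts} {ip} {path}" for ip in sources for _ in range(per_source)]

if __name__ == "__main__":
    legit = [f"192.0.2.{i}" for i in range(1, 6)]            # five ordinary clients
    botnet = [f"198.51.100.{i}" for i in range(1, 251)]      # 250 bots, one request each
    log = (make_log("2024-01-01T10:00:00", legit, 3)                       # quiet window
           + make_log("2024-01-01T10:00:10", legit, 3)
           + make_log("2024-01-01T10:00:10", ["203.0.113.7"], 300)         # one machine floods
           + make_log("2024-01-01T10:00:20", legit + botnet, 1))           # botnet floods
    for v in classify(log):
        print(v["slot"], v["verdict"], v["total"], "requests from", v["sources"], "sources")
```

The third window shows the detection problem the text describes: 255 sources each send a single request, so a per-IP threshold never trips and only the aggregate rate reveals the attack.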





Amassing a Botnet

In order for attackers to create large botnets of computers under their control (referred to colloquially as zombies), they have two options: the more common option of using specialized malware to infect the machines of users who are unaware that their machines are compromised, or the relatively newer option of amassing a large number of volunteers willing to use DoS programs in unison.

In the former scenario (by far the most common), attackers will develop or purchase from various underground cyber crime forums specialized malware, which they spread to as many vulnerable computers as possible. Any users tricked into running such malware will often disable antivirus functionality on their computer, and install a “backdoor”, or access point, for attackers. Infected computers begin accepting communications from “command and control” (C&C) servers, centralized machines that are able to send commands to botnet machines, usually by means of Internet Relay Chat (IRC), a communication protocol designed for chat rooms. Anytime attackers want to launch a DDoS attack, they can send messages to their botnet’s C&C servers with instructions to perform an attack on a particular target, and any infected machines communicating with the contacted C&C server will comply by launching a coordinated attack. When law enforcement officials attempt to dismantle a botnet, it is often necessary to locate and disable C&C servers, as doing so prevents most botnets from remaining operational. One particular botnet that was dismantled in 2010, called “Mariposa” (Spanish for “butterfly”), was found to contain nearly 15.5 million unique IP addresses around the world with many associated command and control servers.² More recent and advanced botnet software such as TDL-4, however, has implemented special inter-bot communication abilities over public peer-to-peer networks to help circumvent efforts to dismantle botnets solely through the disabling of C&C servers.









In the case in which many computers are voluntarily acting in unison, hackers sponsoring an attack will publish its details via a social networking site or an IRC channel, including a date and time, a target IP or URL, and instructions on which of the available attack tools to use. Some attack campaigns following this model have succeeded in recruiting many supporters. The main drawback for such voluntary, coordinated DDoS attacks, however, is that the majority of the attack tools used do not mask their users’ identities. One such tool, Low Orbit Ion Cannon (LOIC), was notorious for this – many LOIC users who failed to use external means to hide their IP address have been located and arrested by the FBI and other law enforcement organizations around the world for participating in coordinated voluntary attacks. News of these recent arrests may deter some new users from opting to participate in such voluntary, coordinated attacks.





Launching an Attack

With the exception of amassing a botnet, launching a DDoS attack is not a particularly difficult task to carry out, even for a non-technical individual. Users do not need to create their own botnets in order to launch large-scale attacks, as various dedicated pay-for-hire DDoS services are available for anyone to use. Anyone using such a service can launch a powerful DDoS attack on a target of their choice for anywhere from $5 to $200 per hour, depending on the attack size and duration.

Business Impact

Various surveys on DDoS attacks have highlighted interesting facts on the impact of DDoS on targeted companies. According to a Neustar survey, 70% of the surveyed companies were victims of a DDoS attack that caused some level of damage.³ While DDoS attacks may have had more industry-specific targets in the past, such attacks target all sectors today – financial services, governments, online retailers, and online gaming, among others. The following diagram taken from Radware’s 2011 Global Application and Network Security Report⁴ illustrates this trend.









The business impact of a DDoS attack is substantial, and can affect a victim over a period of time depending on the extent of the attack. According to both the Neustar and Radware reports, the DDoS attacks perpetrated in 2011 lasted anywhere from several hours to several days, with an average duration of about 24 hours. The effects from a DDoS attack can vary depending on the sector a target company belongs to and the volume of its online business. Often, these effects are both qualitative and quantitative, and can involve financial losses, reputational damage, and legal repercussions.

Financial Losses

The cost to an organization when its Website experiences downtime varies significantly depending upon the sector to which that particular organization belongs. The Neustar survey found that organizations depending mainly or exclusively on the Internet for their business (notably online retail or gaming sites) estimated an average daily revenue loss of $2,000,000 – nearly $100,000 per hour – in the case of downtime, while other sectors, such as financial services, report a smaller yet significant average loss of $10,000 per hour in the event of downtime.

³ Neustar Insight – DDoS Survey Q1 2012

⁴ 2011 Global Application and Network Security Report





This calculation takes into account a few different elements: the cost of the attack itself, revenue loss from customers’ and potential customers’ inability to access the Website, time spent answering customer support calls, and possible additional financial penalties. Most serious attackers carefully plan their attacks, striking during critical periods for their target Website, for example during the holiday shopping season for an online retailer.





The wave of DDoS attacks that targeted major Websites such as Yahoo and Amazon in 2000 was estimated cumulatively to have cost over $1.2 billion in damages.⁵ The total cost of the more recent attacks on Sony’s Websites remains unclear and is difficult to estimate. Over $170M has been spent by Sony for cleanup related to the DDoS attack and loss of data, but some analysts estimate an ultimate cost to Sony of hundreds of dollars for each of the 77 million compromised user accounts – amounting to billions of dollars in damages.⁶ Regardless of analyst estimates, one thing is clear: the cost incurred by an organization that is not adequately protected against DDoS attacks can be exorbitantly high.

Customer Attrition

The most significant business impact outlined by surveyed companies is that related to their customers. A customer who attempts to access an organization’s Website but is unable to do so because of downtime cannot buy anything, access information, or generally use any services. If he or she is unsatisfied, complaints, requests for financial restitution, or even increased business for competitors may result.





According to the American Express 2011 Global Customer Service Barometer, consumers spend more money wherever they have a

Google engineers have discovered that the average online customer is not willing to wait an extra 400 milliseconds for a page to load – “literally the blink of an eye” as per a New York Times article.⁸ Online customers require quick access to information, and according to Microsoft, would visit a Website less often if it is slower than that of its competitors by more than 250 milliseconds.⁸ Consequently, a DDoS attack that prevents the targeted company’s Website from providing adequate service to its users can result in customer dissatisfaction, angry support calls, and even customer attrition.

Reputation Loss

Businesses want to make headlines by showing off merits and achievements. Management teams dislike being forced to admit vulnerabilities in the media. When it becomes publicly known that a company has been a victim of a cyber attack that has compromised its customers and their data, the ensuing bad publicity can have devastating effects on both reputation and future sales. Any company falling prey to hackers becomes an example of “what not to do”, and the ensuing fallout often involves replacing the IT team that allowed the disruption or break, corporate rebranding, and expensive public relations to regain the trust of the public.

Legal Pursuits

Customers affected by the unavailability of online services who can prove that they suffered damages may attempt to pursue financial restitution by means of filing a lawsuit, often arguing that the company did not take enough precaution against the possibility of such an attack. In one example, a major stock exchange, hit by a DDoS attack in 2011, was forced to suspend trading and pay penalties to trading firms to compensate for its inability to provide normal service.

Conclusion

The ability of an organization to protect itself against DoS and DDoS attacks is essential for its success. Without proper protection mechanisms, an organization targeted by a DoS or DDoS attack is likely to experience financial loss, reputational damage, and legal expense – all of which are likely to permanently affect its future.