Mar 05 2014
I’m in the middle of writing the DDoS section of the 2013 State of the Internet Report, which is something that makes me spend a lot of time thinking about how DDoS is affecting the Internet (Wouldn’t be all that valuable if I didn’t put some thought into it, now would it?). Plus I just got back from RSA where I interviewed DOSarrest’s Jag Bains and talked to our competitors at the show. Akamai finally closed the deal on Prolexic about three weeks ago, so my new co-workers are starting to get more involved and be more available. All of which means that there’s a ton of DDoS information available at my fingertips right now and the story it tells doesn’t look good. From what I’m seeing, things are only going to get worse as 2014 progresses.
This Reuters story captures the majority of my concerns with DDoS. As a tool, it’s becoming cheaper and easier to use almost daily. The recent NTP reflection attacks show that the sheer volume of traffic is becoming a major issue. And even if volumetric attacks weren’t growing, the attack surface for application layer attacks grows daily, since more applications come on line every day and there’s no evidence anywhere I’ve ever looked that developers are becoming better at securing them (yes, a small subset of developers are, but they’re the exception). Meetup.com is only the latest victim of a DDoS extortion scam, and while they didn’t pay, I’m sure there are plenty of other companies who’ve paid simply to make the problem go away without a fuss. After all, $300 is almost nothing compared to the cost of a sustained DDoS on your infrastructure, not to mention the reputational cost when you’re offline.
I’d hate to say anything like “2014 is the Year of DDoS!” I’ll leave that sort of hyperbole to the marketing departments, whether it’s mine or someone else’s. But we’ve seen a definite trend that the number of attacks is growing year over year at an alarming rate. And it’s not only the number of attacks that is growing, it’s the size of the volumetric attacks and the complexity of the application layer attacks. Sure, the majority of them are still relatively small and simple, but the outliers are getting better and better at attacking. Those of us building out infrastructure to defend against these attacks are also getting better, but the majority of companies still have little or no defense against such attacks and they’re not the sort of defenses you can put in quickly or easily without a lot of help.
I need to get back to other writing, but I am concerned about this trend. My data agrees with most of my competitors; DDoS is going to continue to be a growing problem. Yes, that’s good for business, but as a security professional, I don’t like to see trends like this. I think the biggest reason this will continue to grow is that it’s an incredibly difficult crime to track back to the source; law enforcement generally doesn’t have the time or skills needed to find the attackers and no business I know of has the authority or inclination to do the same. Which means the attackers can continue to DDoS with impunity. At least the ones who’re smart enough to not attack directly from their own home network, that is.