Strategic Security Survey: Global Threat, Local Pain

(click image for larger view and for full slideshow)

The Operation Payback distributed denial of service (DDoS) attack is declining. Furthermore, the small scale and low sophistication of the attack has meant that almost any Internet service provider should have been able to block it.

Those findings come from Craig Labovitz, chief scientist at Arbor Networks, who on Tuesday detailed what Arbor is billing as the biggest-ever study of real DDoS attack data, comprising 5,000 confirmed attacks over the past year that affected 37 large carriers and content providers around the world.

Even at its peak, Operation Payback was "more of an annoyance than an imminent critical infrastructure threat," said Labovitz, who likened it not to "cyber war," as some have characterized it, but rather simple "cyber-vandalism." "While the last round of attacks lead to brief outages, most of the carriers and hosting providers were able to quickly filter the attack traffic. In addition, these attacks mostly targeted Web pages or lightly read blogs -- not the far more critical back-end infrastructure servicing commercial transactions."

As suggested by the Anonymous collective's recent shift to sending faxes to their target companies, "by the end of [last] week, Anonymous followers had mostly abandoned their attack plans as ineffective," he said.

Beyond Operation Payback, the Arbor study offers new insights into DDoS trends and attacks, gleaned from data that Arbor began measuring in its own products two years ago, as well as by collecting anonymous ATLAS statistics, which are available from about 75% of all Internet carriers.

For grading DDoS attacks, Arbor classifies each based on its scale and sophistication. "At the high end in 2010, we observed a number of DDoS attacks in the 50+ Gbps range," said Labovitz. These large, flooding attacks comprised 60% of all confirmed DDoS attacks in 2010, and are typically designed "to exceed the inbound aggregate bandwidth capacity of data centers and carrier backbone links" by overwhelming them with packets, he said.

Meanwhile on the low end, comprising 27% of attacks, "we encounter attacks focused not on denying bandwidth, but the back-end computation, database, and distributed storage resources of large Web services," he said. "For example, service or application level attacks may focus on a series of Web or API calls that force an expensive database transaction or calls to slow storage servers."

In other words, overwhelm servers, applications, SIP, HTTP or TCP state not with volume, but rather the right kinds of calls, and DDoS attacks can succeed through sophistication, rather than scale.

In this Dark Reading Tech Center report, we explain how your security and network teams can cooperate and use common tools to detect threats before your systems are compromised. Get it now (registration required).