Distributed Denial of Service (DDoS) attacks are often quite unsophisticated, brute force attempts to disable a website or network by barraging it with traffic, but the damge they can do to victims can be considerable.
To date, police have generally considered DDoS attacks to be a 'low level' crime, but now Mike Hulett, head of operations at the National Crime Agency's Cybercrime Unit, has stated that organisations that face these kinds of crimes will be a top priority for law enforcement.
'This is something that I wouldn't say law enforcement has ignored over the years, but it's been seen as relatively low level,' said Hulett, speaking at the Security & Counter Terror Expo in London. So far, he said, dealing with these crimes has been 'a bit like swatting a fly': 'it's an annoyance thing: 'We don't really want to launch an investigation against it, do we?'
But the police's approach is changing. While Hulett described DDoS attacks as still 'lower level' crime, he said it's vital that police get a better grip on them.
'Something different is happening with DDoS,' Hulett said. 'Normally it's something big business can deal with and mitigate as a matter of course. We've seen some recent examples of companies – which I won't name – which can't mitigate against these DDoS attacks.'
'So what's happening out there? What's changing? What's different about DDoS now to what it was before?'
DDoS attacks are nothing new: as far back as 1998, UK tech publisher CMP Media was brought to a standstill for two days after a DDoS attack by a disgruntled magazine subcriber barraged its email servers and fax machines. But the culprit got off lightly, and it was only in 2006 that these kinds of attacks became a criminal matter.
The explosion of inexpensive tools means that almost anyone can now carry out a DDoS attack. Recent years have seen a spate of disruptive headline-grabbing attacks, such as the one against Carphone Warehouse in July 2015 and later TalkTalk, which both functioned as 'distraction' attacks to keep IT staff occupied while thieves snatched significant amounts of sensitive customer data.
'This is how DDoS is changing,' said Hulett. 'It's not just the annoyance factor – 'look at me, I'm so clever, I've taken down this website', for example – sometimes it's actually a mask for something more sinister going one elsewhere. It's something we're seeing increasingly used as a distraction technique.'
The repurcussions of the TalkTalk attack are still ongoing six months later – today a sixth culprit was arrested in connection with the attacks, some of whom are as young as 15. The hack saw 100,000 customers leave the network, a loss of over than £60 million and immeasurable reputational damage to the brand.
As well as being used as distraction attacks, Hulett said that DDoS attacks must not be ignored because they can be 'gateway' for young people to get involved in other forms of malicious hacking and more serious organised crime, thanks to the ease with which teenagers can carry them out.
'Having dealt with the National High Tech Crime Unit in the past, now known as the Serious Organised Crime Agency, it was clear that the government was trying its best with limited resources to get the skills and knowledge to begin the cyber fight,' said Alex Cruz Farmer, VP of cloud at DDoS mitigation specialist NSFOCUS IB.
'Like Mr. Hulett commented, the problem is very real, has to be taken seriously and it has not come soon enough. In my years of experience in carrier and service provider markets, where margins are low, and customer demands are high, DDoS attacks have significant affects on not just them but, in most cases, their entire customer base, creating a domino affect.'
'What is often overlooked is the real cost of DDoS mitigation. To the government, the cost may seem an insignificant amount, but to a small £2-5m revenue business, it’s huge.'