With a processing workload of five million transactions a day – 300 bets a second – Betfair, an online gaming company, cannot afford any significant downtime. And ruthless high-tech extortionists know that.
Over the past three years, it has been a prime target for such criminals, as they have launched increasingly sophisticated distributed denial of service (DDoS) attacks and then presented Betfair with demands for cash in exchange for a cessation of the hostilities. But the company prides itself on being able to stay ahead of the attackers – and, of course, on never having paid.
According to head of security, Adrian Asher, its record for uptime – even when under attack – stands above that of any other gaming company. “While others have been taken down for hours and suffered intermittent problems for days, Betfair has not.”
There is no ‘silver bullet’ behind that ability to protect its reputation. Rather, says Asher, the key is a deep understanding of the nature of the attacks and of the evasion strategies that can be used against them.
DDoS attacks vary in approach but share the common thread of trying to overload the victim’s network or computing resources with vast quantities of bogus traffic. Ironically, the proof of concept for those targeting the betting industry came from the industry itself. “All of the DDoS in the gaming industry was started by one gaming player in Costa Rica paying a ‘techie’ to attack one of their competitors,” says Asher.
But DDoS has grown in sophistication in recent years. Until the beginning of 2005, Betfair was being subjected to what Asher calls network-centric attacks. Those were actually relatively easy to defend against – at least that is how it looks with the benefit of hindsight. “If that was the only kind of attack we were seeing today, we would welcome them – in as much as anyone can ever welcome an attack against your systems,” he says.
Those attacks flooded the network or sent oversized packets, trying to exploit weaknesses in the handling of the IP protocol itself. “They were quantity rather than quality based,” he says. And ISPs worked out ways to stop that flood before it arrived at customers’ sites.
However, during 2005, the situation became a lot more complex. “We began to see bot networks,” he says. Such a network is established when innocent users become unwitting accomplices by downloading a trojan or virus. The hundreds or even thousands of compromised computers then connect to a particular web site and repeatedly carry out a fixed set of instructions: fetch this page, or send a request to a specific DNS server.
Worse, building such bot networks has become relatively easy. “The initial bot networks were very hard to design and implement. But the availability of toolkits – UrXBot, SDBot, AgoBot and others – presents a very big challenge to defend against,” says Asher.
“It has become very hard to differentiate between the real requests of customers and those malicious, but nonetheless valid, requests from these compromised PCs. That is when the challenge has started to get interesting,” says Asher. “Attackers out there are beginning to understand what it is that will generate load on systems and are beginning to target against those.”
While it has been relatively easy to scale resources horizontally to absorb attacks that, for example, simply request an image, an action that requires a database access is much harder to scale around.
Another vector is the DNS and upstream attack. The classic example is an island such as Malta, where only a limited number of connections go into the island. “To take off a person on the island of Malta, you don’t have to attack that person, you could attack one of the 10 or so routers that go to that island, and ultimately you could take the whole island offline,” says Asher. “You may take one or two people [offline] that you did not intend to, but for the sort of people we are talking about that is an added benefit.”
There are some easy fixes. Specialist managed service companies – Prolexic, UltraDNS, Cable & Wireless – can help. And large users can work with their ISPs to, for instance, switch off traffic from a particular domain, such as AOL or BT.
Asher warns, however, that the global nature of the Internet means that people can route through other connections to get into a business. “But you can be quite clever about the way you’re routing, so that you are advertising a preference for certain routes that you’re happy to bring in potentially dangerous traffic through, versus your primary route through which you are going to bring in your trusted or known customers.”
This can be a high-maintenance approach. “That is not the kind of solution you set up and walk away from,” says Asher. “If you were having an attack you might be changing hourly.”
Another prevention mechanism in which Asher sees considerable potential is for companies to segregate their applications: working out which ones place a heavy load on the underlying database, or classifying applications according to their security characteristics.
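The two points Asher makes above – that a bot’s request is syntactically valid, so it cannot be filtered on form alone, and that the actions worth worrying about are the ones that reach the database – suggest scoring traffic by back-end cost rather than by raw request count. The following Python is an added illustration written for this article, not Betfair’s code or the product of any vendor named here; the endpoint classes, cost weights, threshold and log lines are all constructed assumptions.

```python
"""
Cost-weighted request scoring over HTTP access logs (added example).

A client fetching 40 images in a few seconds is cheap to absorb because
static content scales horizontally; a client firing eight database-backed
searches in the same time is the kind of load an attacker targets. Scoring
each request by the assumed cost of its endpoint class makes the second
client stand out while the first does not.
"""
from collections import defaultdict
import re

# Assumed cost of serving one request in each class (relative units).
COST_WEIGHTS = {
    "static": 1,      # images, CSS, JS: served from disk or CDN
    "cached": 2,      # pages answered from a cache tier
    "database": 25,   # endpoints that execute queries on every call
}

# Assumed application layout used to classify paths.
STATIC_RE = re.compile(r"\.(png|gif|jpg|css|js|ico)$")
DATABASE_PREFIXES = ("/api/placebet", "/api/account", "/search")
CACHED_PREFIXES = ("/markets", "/events")


def classify_endpoint(path: str) -> str:
    """Map a request path to its cost class (assumed mapping)."""
    path = path.split("?", 1)[0]          # ignore the query string
    if STATIC_RE.search(path):
        return "static"
    if path.startswith(DATABASE_PREFIXES):
        return "database"
    if path.startswith(CACHED_PREFIXES):
        return "cached"
    return "cached"                       # unknown paths: moderate cost


# Constructed log format: <ip> <epoch seconds> "<METHOD> <path> HTTP/1.x" <status>
LOG_RE = re.compile(r'^(\S+) (\d+) "(?:GET|POST) (\S+) HTTP/1\.[01]" (\d{3})$')


def parse_log_line(line: str):
    """Return (ip, timestamp, path, status) or None for an unparsable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, ts, path, status = m.groups()
    return ip, int(ts), path, int(status)


def score_clients(lines, window_seconds=10):
    """Peak cost-weighted load per client over any window_seconds span."""
    events = defaultdict(list)            # ip -> [(timestamp, weight)]
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue                      # skip malformed lines
        ip, ts, path, _status = rec
        events[ip].append((ts, COST_WEIGHTS[classify_endpoint(path)]))
    peak = {}
    for ip, evs in events.items():
        evs.sort()
        best = start = running = 0
        for end in range(len(evs)):       # sliding window over sorted events
            running += evs[end][1]
            while evs[end][0] - evs[start][0] >= window_seconds:
                running -= evs[start][1]
                start += 1
            best = max(best, running)
        peak[ip] = best
    return peak


def flag_abusive(peak_scores, threshold=150):
    """Clients whose peak weighted load exceeds the (assumed) threshold."""
    return sorted(ip for ip, s in peak_scores.items() if s > threshold)


# Constructed sample traffic (not real logs).
SAMPLE_LOG = [
    # One ordinary customer: a page, its assets, a bet and a balance check.
    '10.0.0.1 100 "GET /markets/football HTTP/1.1" 200',
    '10.0.0.1 100 "GET /static/logo.png HTTP/1.1" 200',
    '10.0.0.1 101 "GET /static/app.js HTTP/1.1" 200',
    '10.0.0.1 103 "POST /api/placebet HTTP/1.1" 200',
    '10.0.0.1 105 "GET /api/account/balance HTTP/1.1" 200',
] + [
    # One compromised PC hammering the database-backed search endpoint.
    f'198.51.100.7 {100 + i} "GET /search?q=x HTTP/1.1" 200' for i in range(8)
] + [
    # One client fetching a static image 40 times: noisy but cheap to serve.
    f'203.0.113.9 {100 + i // 5} "GET /static/logo.png HTTP/1.1" 200' for i in range(40)
]

if __name__ == "__main__":
    scores = score_clients(SAMPLE_LOG)
    for ip, load in sorted(scores.items()):
        print(f"{ip:15} peak load {load}")
    print("flagged:", flag_abusive(scores))
```

The only input the scoring needs beyond the log is the cost table, which is exactly the application classification Asher describes: once the expensive, database-touching endpoints are known, the same table drives both the detection threshold and the decision about which parts of the site can be scaled out and which must be protected.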
But the attacks are just getting smarter. “We are expecting to see more and more hybrid attacks: perhaps a denial of service followed by phishing attack. Someone is going to take down a bank site, then send a phishing email [to its customers] saying, ‘We appear to be having connectivity problems, please connect via this alternative route.’ Customers are going to see the two – the collapse of the web service and then the email – relate them together and follow the link – even though you have advised them about phishing.”