For the individuals and gangs of criminals that first saw the potential in using distributed denial of service attacks (DDoS) as a tool for extortion, some obvious targets stood out – Internet gambling and online payment sites

For one, those businesses dealt with huge amounts of money; secondly, they were entirely reliant on Internet connectivity. Having their web presence shut down by the flood of spurious access attempts that accompanies a DDoS attack does not just lose them business, it can prove fatal.

Just ask Peter Pedersen, the chief technology officer at Blue Square, the London-based online bookmaker owned by the gaming and entertainment giant, Rank Group. His organisation was the target of numerous DDoS attacks in 2004 as Russian-based groups swamped Blue Square's web site with bogus traffic

"We need to have an open front door 24×7, to allow customers to place a bet even if it is four in the morning," he says. "We cannot afford to have users' access to our website blocked by cyber-criminals."

The attacks that temporarily closed Blue Square were highly sophisticated, Pedersen reports, and were followed by a demand for ‘protection money'. The company refused to pay up and got together with others in the online betting industry – many of whom were also under attack – to form a united front against the extortion.

Protective measures

DDoS prevention: To prevent a DDoS attack, take these five steps:

• Insist that your Internet service provider filters
  
• Arrange to have scalable bandwidth
• ‘Harden' and protect your domain name servers
• Ensure availability through redundancy
• Invest in DDoS defences

Gateway protection:

To reduce the threat of malware entering the network, invest in these technologies that are deployed at the gateway:

• Gateway spam filtering
• Gateway antivirus
• Content/URL filtering
• Network access control (that is, scan and block) technologies that can quarantine compromised hosts

PC protection:

PC security requires more than keeping standalone antivirus products up-to-date because emerging cyber attacks bypass traditional antivirus solutions. PCs must be kept up-to-date with security patches. To protect against the majority of software threats – including malware that turns a host into a bot – corporate PCs should run these technologies:

• Antivirus
• Anti-spyware
• Personal firewalls or host-based intrusion prevention systems

But given the impact of such attacks, and the normally low demands of attackers, the option of paying out looked the best business decision to some – at least initially. At least one online betting group gave in and paid the five-figure sum demanded. The attacks stopped, but not for long; the company was soon faced with further DDoS attacks and further demands. =

In an earlier incident, in 2002, the same thing had happened to Costa Rican-based gambling site BetCris.com. "When it was a low-level thing, I paid $500 one time," says Mickey Richardson, general manager of BetCris.com. But never again. "Now [we understand] the going rate is $60,000 to $100,000 [for the criminals to halt a DDoS shut down]."

BetCris and Blue Square are the exceptions. The vast majority of DDoS victims are reluctant to speak out about the threat, fearful of undermining consumer confidence in their online brand.

But there have been some cases that are a matter of public record. In September 2004, US online payment-processing site Authorize.net received a hefty demand from DDoS initiators. And when Roy Banks, its president, refused to pay, the company had to deal with a torrent of website traffic "unprecedented in its severity and tenacity" that overwhelmed its service despite the company's use of various DDoS hardware and software counter-measures.

Similarly, in the UK in October 2004, the Royal Bank of Scotland's Internet payment division, WorldPay, was hit by an attack that closed down its ability to process its affiliates' transactions – although it is unclear whether the prolonged attack was linked to an extortion racket.

These are not isolated incidents, says Paul Lawrence, European VP at network protection vendor Top Layer. "You only have to look at the pattern of attacks through 2004 to realise that the extortionists kept trying," he says. "That strongly suggests that some companies were paying up."

While reports of threats and attacks against gambling sites appear to have peaked in 2004, DDoS activity remains unabated. According to estimates made by University of California researchers, there are around 2,000 DDoS attacks launched each week. The criminals, it seems, are on the prowl for new victims. "We are definitely seeing a rise in DDoS attacks across the board as the criminals understand that any company that does all or even part of its business online is vulnerable," says detective superintendent Mick Deats, deputy head of the National Hi-Tech Crime Unit.

And as many of the online gambling sites have beefed up their defence capabilities, the extortionists armed with DDoS launch sites have moved on to target other vulnerable organisations. However, as Deats notes, "not all DDoS attacks are accompanied by an extortion demand. Attacks are being launched on companies by disgruntled ex-employees." Political and techno-activists also commonly launch attacks, he adds.

While most businesses may take comfort from knowing that a DDoS attack is unlikely to be close them down permanently, they cannot afford to be complacent, says Kevin Regan, security consultant at networking giant Cisco. "You need to be making risk assessments now. You need to know what the likely effect is, what the impact to your brand will be. And even if the answer is that the cost of protection outweighs the risk, you still need to have quantified that risk."

Brand perception is often overlooked when it comes to examining security issues, but it is likely to become increasingly important, says Richard Hackworth, head of group IT security at financial services giant HSBC. In the 2004 survey of international brand value by marketing consultancy Interbrand, HSBC's brand was reckoned to be worth $9 billion; the top ranked company, Coca Cola, had an identity valued at $67 billion. "This is a real business issue, and the quality of your IT, your online presence, will affect your brand," says Hackworth.

And it is not just criminal gangs that can wreak havoc through DDoS attacks. Disgruntled former employees, political activists and challenged teenagers are all potential instigators. "Financial gain isn't the only reason for launching DDoS attacks. That makes it difficult to predict who will be affected," says Top Layer's Lawrence.

DDoS Attack patterns

The mechanisms of launching a DDoS attack are well understood. In essence a so-called botnet – an army of compromised network-attached computers, known as zombies – is recruited and then used to fire off massive amounts of traffic at an IP address until the server at the other end falls over. While a single DDoS attack may not overwhelm a site with high bandwidth Internet access, thousands of these attacks coming from all over the globe will have the desired effect – hence the notion of distributed denial of service.=

But what is worrying security analysts is the speed at which attacks can now be instigated. According to some, a large percentage of all viruses now sent out are installing Trojans; these infect the target computer and enslave it to the botnet. These infected computers can then be used to log keystrokes, spying on users, picking up potentially sensitive data; they can send spam; and finally, when they have served their initial purpose, they can be used to launch DDoS attacks. This is usually the end of the line for an enslaved computer as the DDoS attack can be traced back to the infected machine, at which point the Trojan is removed.

However, it may only take 10 machines in a botnet of potentially thousands of compromised computers to launch a DDoS attack. Like the mythical Hydra, once one head has been lopped off, another quickly grows back. "Using simple port scanning tools it is possible to infect several hundred machines within two to three hours," says David Harcourt, head of network security at BT Wholesale.

As broadband becomes more pervasive, this opens up a whole new world of access points for the attackers – fast connections and end users that lack enterprise-level security protection provide a bumper harvest for the attackers. According to security vendor Symantec, in 2004, an average of 30,000 zombies were created each day.

And this is not just a consumer problem – Trojans within the enterprise can consume huge amounts of corporate bandwidth and once a Trojan is sitting within a network it is often difficult to detect.

Protection to such attacks is not simple, but approach is to monitor traffic leaving the corporate firewall. It may be possible to identify suspicious activity – traffic regularly sent to specific, unknown addresses. Well managed security patching can also minimise exposure to such exploits. However, the proliferation of mobile devices and the gradual blurring of corporate and home-use devices inevitably mean that the risk for infection is constant.

Combatting DDoS Attacks

As the threat from DDoS attacks has evolved, numerous different strategies for tackling the problem have been tried.

Traffic filtering at the router level can use access control lists to filter out malicious traffic; firewalls can be configured to only accept specific requests from approved external sources; and intrusion detection systems can provide application-layer attack detection capabilities.

Further strategies include altering the IP addresses of the attacked system and updating the domain name server (DNS), as well as simply throwing more bandwidth at the problem or using services such as Akamai that use large data pipes and distributed networks. But the problem with these approaches is that they are all reactive, meaning potentially important traffic may be lost, and they place a financial burden on businesses, says Miles Clement, project manager at bluechip IT user group the Information Security Forum. "There's an argument to say that dealing with DDoS should be done by the service providers. The attack traffic is being delivered via the service provider's network. If it can be turned off at that point, the end users need never notice they have been under threat," he says.

According to Clement those launching the DDoS attacks are becoming more sophisticated. There is evidence that perpetrators are launching attacks, then waiting to analyse the victim's response and tweaking the attack to respond.

There are signs that service providers are beginning to accept the challenge. The Fingerprint Service Alliance, which includes members such as Cisco, BT and MCI, have brokered an agreement to share cyber attack profiles – the fingerprints – helping to stop DDoS attacks more quickly and identify the source. Using technology from DDoS prevention specialist Arbor Networks, a service provider which identifies an attack automatically alerts others within the alliance to the new fingerprint, so compromised hosts can be identified and removed from the network.

ISPs, such as Energis and Pipex, are already offering DDoS protection. By monitoring traffic across their networks they can divert illegitimate packages intended to swamp customers. But anti-DDoS services can be expensive: analyst house Gartner says $12,000 a month is not uncommon. It advises that a multi-layered approach to security is best (see box).

This advice is echoed by BT's Harcourt: "There are several ways to mitigate DDoS, and, as a service provider, we use numerous different types of technology. The point of the Fingerprint Sharing Alliance is to speed up response times and to co-operate – none of us want to be carrying this traffic." But even as users look to service providers to mitigate attacks, they must see such efforts as only part of a co-ordinated security strategy to combat DDoS, he adds.