Political DDoS Around the World

Distributed denial of service (DDoS) attacks are designed to overwhelm a target network with resource requests, leaving the victim unable to handle legitimate requests. These can come in many forms, but typically we see traffic floods that consume bandwidth and not application resources.

DDoS attacks are not new, and have grown in intensity and popularity in the past ten years with the rise of botnets. Botnets provide the needed “firepower” behind a DDoS attack - bandwidth and computers - as well as the infrastructure to manage such an attack. Most bot code bases provide some form of DDoS capabilities, and in measurements in 2006, it was found that approximately half of all of the botnets monitored launched at least one DDoS attack. Most of these attacks were against small, local targets with no widespread impact. Traditional botnets are not the only source of these attacks, as we increasingly see specialized kits being deployed to launch and control DDoS attacks.



MEASURING DDoS ATTACKS

DDoS attacks are measured in two primary ways. The first is through the ATLAS system, which ties together global DDoS statistics measured from backbone traffic. The second is through active botnet monitoring: watching the commands passed to the bots and distilling the attack information from them. Both are needed to get a broader picture of DDoS activity, although neither one is complete on its own. Measurements also show that the two methods see largely disjoint sets of attacks, which indicates that we are unable to trace back the commands behind all of the DDoS attacks we observe on the Internet.
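Both measurement sources described above ultimately reduce to aggregating traffic toward a victim and deciding what kind of flood it is. The Python script below is an added illustration, not code from the article and not part of Arbor's ATLAS or Peakflow: it aggregates constructed NetFlow-style records per destination and separates a bandwidth flood (large packets, high bit rate, many sources) from an application-level request flood (many small requests, modest bit rate), the distinction drawn in the opening paragraph. The flow format, the 60-second window and all thresholds are assumptions chosen for the example, and the addresses are RFC 5737 documentation ranges.

```python
"""Flow-based DDoS triage over constructed flow records.

Added example (not from the article, ATLAS or Peakflow): aggregates
NetFlow-style records per destination and separates a bandwidth flood from
an application-level request flood using only volume, packet rate and
source diversity. Thresholds and the record layout are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record observed within the aggregation window."""
    src: str
    dst: str
    dport: int
    byte_count: int
    packet_count: int


# Illustrative thresholds for a 60-second aggregation window (assumptions).
WINDOW_SECONDS = 60
MIN_DISTINCT_SOURCES = 50      # many sources -> distributed, not one noisy host
BANDWIDTH_FLOOD_MBPS = 100.0   # sustained rate that saturates the victim's link
APP_FLOOD_PPS = 2000           # request rate that exhausts server resources
SMALL_PACKET_BYTES = 200       # average size typical of bare requests, not bulk data


def summarize(flows, window_seconds=WINDOW_SECONDS):
    """Aggregate flows per destination into rate and source-diversity stats."""
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0, "sources": set()})
    for f in flows:
        t = totals[f.dst]
        t["bytes"] += f.byte_count
        t["packets"] += f.packet_count
        t["sources"].add(f.src)
    stats = {}
    for dst, t in totals.items():
        stats[dst] = {
            "mbps": t["bytes"] * 8 / window_seconds / 1e6,
            "pps": t["packets"] / window_seconds,
            "avg_packet_bytes": t["bytes"] / t["packets"] if t["packets"] else 0,
            "distinct_sources": len(t["sources"]),
        }
    return stats


def classify(flows, window_seconds=WINDOW_SECONDS):
    """Label each destination 'bandwidth-flood', 'application-flood' or 'normal'."""
    labels = {}
    for dst, s in summarize(flows, window_seconds).items():
        distributed = s["distinct_sources"] >= MIN_DISTINCT_SOURCES
        if distributed and s["mbps"] >= BANDWIDTH_FLOOD_MBPS:
            labels[dst] = "bandwidth-flood"      # link saturation: big packets, high bit rate
        elif (distributed and s["pps"] >= APP_FLOOD_PPS
              and s["avg_packet_bytes"] <= SMALL_PACKET_BYTES):
            labels[dst] = "application-flood"    # many small requests, modest bit rate
        else:
            labels[dst] = "normal"
    return labels


def build_sample_flows():
    """Constructed sample data (RFC 5737 documentation addresses, not real hosts)."""
    flows = []
    # Victim A: 200 sources each pushing ~10 MB of large packets in one minute.
    for i in range(1, 201):
        flows.append(Flow(f"198.51.100.{i}", "203.0.113.10", 53, 10_000_000, 7_000))
    # Victim B: 200 sources each sending 2,000 tiny requests to a web port.
    for i in range(1, 201):
        flows.append(Flow(f"192.0.2.{i}", "203.0.113.20", 80, 160_000, 2_000))
    # Victim C: three ordinary clients browsing a site.
    for i in range(1, 4):
        flows.append(Flow(f"198.51.100.{i}", "203.0.113.30", 443, 50_000, 60))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    stats = summarize(sample)
    for dst, label in classify(sample).items():
        s = stats[dst]
        print(f"{dst}: {label} ({s['mbps']:.1f} Mbps, {s['pps']:.0f} pps, "
              f"{s['distinct_sources']} sources)")
```

The source-diversity gate is deliberate: a single host sending the same volume falls through to "normal" here, because the heuristic is aimed at distributed floods, which is exactly the blind spot that makes the botnet-command view in the text a necessary complement to backbone statistics. Average packet size is only a crude proxy for "application resources"; a flow collector cannot see request semantics, so a production detector would confirm with server-side metrics.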


Assessing the intent behind a DDoS attack is usually speculative and is often based on the victim’s external profile. DDoS motivations are often related to retaliation or anger over a victim’s actions, and sometimes include extortion or punitive attacks. In the past few years, tens of thousands of these sorts of attacks have been tracked across the globe, and no network is immune from the “business end” of such an event. Spammers or online phishing teams may carry out attacks against researchers in an effort to stop their work, but most frequently these attacks are small attacks against broadband subscribers or small e-commerce sites. Larger, more sophisticated attacks involve extortion of some kind against a major online business. Some attacks have driven businesses into bankruptcy, either through the lost ability to serve customers or through the resulting bandwidth charges.



HUGE IMPACTS

Personal research over the years has shown a steady increase in the severity of DDoS attacks. Based on surveys of tier-1 ISP operators, the largest observed DDoS attacks exceed 40 Gbps. For reference, 40 Gbps is larger than the core capacity of all but the largest ISPs in the world, so any such attack would have massive impacts on the Internet backbone.

A subset of DDoS attacks appear to be politically motivated, where the victim is thought to have done some wrong against someone on the side of the attacker. In one of the most high-profile recent events, Estonia was hit with several weeks’ worth of DDoS attacks against its government and national infrastructure. These attacks coincided with street protests over Russia’s history in Estonia. Many people assumed that Russian authorities orchestrated the attacks, although we never found any evidence to support that claim. Botnets, as well as manual coordination, were behind most of the DDoS attacks, with Russian-language forums used for part of the organization behind them. These attacks started again in the winter of 2007 against an Estonian newspaper, DELFI, during its coverage of the trials of several ethnic Russians charged with street-level crimes committed during the protests earlier in the year.

Other politically motivated DDoS attacks include those against the Russian politician Garry Kasparov and his political party in the run-up to the winter 2008 elections. In this case the Web site was disabled for a short period of time, long enough to deny its audience access. This did not appear to cause any significant damage to the political party itself, however, meaning that these attacks were more like riots and protests than looting and pillaging.

As international tensions rise and botnets remain as popular as ever, this specific attack motivation is expected to continue. Some of these DDoS attacks are not state-sponsored activities at all, but instead the work of a general population intent on taking its frustrations out on the Internet. It will be interesting to see how geopolitical events unfold online in the coming months and years.

Dr. Jose Nazario is Senior Security Researcher at Arbor Networks, within the office of the CTO. In this capacity he is responsible for analyzing burgeoning Internet security threats, reverse engineering malicious code, software development, and developing the security mechanisms that are distributed to Arbor’s Peakflow platforms via the Active Threat Feed (ATF) threat detection service.
