They’re like what veteran hackers call “script kiddies,” people who have the desire to cause mayhem on your network, but lack the means.
A new generation of DDoS attackers is going through basic training in DDoS attacks and using cookie-cutter tools to hit their preferred targets. Experienced DDoS attackers on underground forums are happy to provide them with the right education and supplies for a price.
But others work as nonprofits, operating in plain sight. A quick search of YouTube will yield numerous how-to DDoS videos and links to malicious software for download.
The motivation of those providing the information, tools and access to botnets is obvious: they’re either in it for the money, some sort of ideological cause, or just doing it for kicks. But is the demand for DDoS “education” driving the supply, or vice versa?
Carlos Morales, VP of global sales engineering and operations at Arbor Networks, says it’s the experienced hackers who are largely responsible for the spread of information on how to conduct DDoS attacks. The sheer amount of knowledge being put out there is reaching more and more would-be hackers, some of whom may have never even considered what a DDoS attack could accomplish.
With scores of amateurs getting into the DDoS game, it follows that businesses are at an increased risk, even if these attackers aren’t quite as sophisticated as the pros. This is especially true for companies that haven’t been historically targeted and aren’t on high alert, he says.
Financial institutions, for example, practically assume they’ll be under constant siege, and have the resources in place to absorb multiple DDoS attempts a day. But in other sectors, there isn’t as much awareness of the risk, says Morales. For example, a budding DDoS attacker might hold a grudge against a retail store and decide to knock its Web site off-line.
“Their motivations are entirely different than maybe someone who is financially motivated or motivated by some sort of criminal element,” Morales says. “They may be mad at the local pet store downtown because they didn’t have the cockatoo they wanted—it could be anything.”
And the recent emergence of DDoS tips and tricks from underground forums into the open Internet is compounding the problem, he adds.
“I think the fact that it’s so brazenly out there gives people the warm and fuzzy feeling that if they go ahead and do something like this, that they’re not going to actually get prosecuted in any way. It sort of validates the idea that DDoS is not so illegal.”
A DDoS attack itself is indeed illegal, but providing information on how to carry one out may not be. Without an international body governing “offensive content” on the Internet (hardly something that will be established anytime soon) there’s practically no way to prevent it from getting out there, says Morales. This is especially true because on a scale of “offensiveness,” DDoS tutorials aren’t terribly high on the list.
Efforts to get this kind of content off the Internet entirely may be futile, but businesses can educate themselves on potential threats through research and by gathering field intelligence, whether by themselves or via a service provider, he says. Arbor Networks, for example, will try to identify the botnets and tools used in particular DDoS attacks, even if they can’t identify the individuals behind them. “Certainly, making yourself smart, whether you outsource it or have it internally, is extremely important,” he says.
Enterprises of all sizes are gradually learning why they need to devote more resources to DDoS protection, realizing that IT security is a necessary cost of doing business. But as I wrote recently, smaller firms often don’t have the money to spend on DDoS protection, let alone the time to gather intelligence on different emerging threats. It’s a cruel irony that as small-time hackers gain more power, small businesses become more vulnerable.
But things are changing. In small brick-and-mortar businesses, motion sensors, surveillance cameras and silent alarms were once too costly, but are now commonplace. In a similar vein, DDoS-protected clouds are slowly becoming affordable enough to protect a pet store’s Web business from a disgruntled customer angry about that cockatoo.
Businesses of all sizes have historically been reluctant to pay for network security, sometimes only doing so when the worst finally happens. Now that it’s amateur hour for DDoS attackers, it’s more important than ever to make that investment.