This Dark Reading piece restates the generally accepted wisdom that distributed denial of service (DDoS) attacks are becoming less numerous -- but at the same time are growing far more nuanced and tactical.
In many cases, the writer says, DDoS attacks are being waged in conjunction with botnets and carry viruses and other malware. Make no mistake, however: There still are plenty of attacks to go around. Research by Arbor Networks says there are, on average, 1,200 DDoS attacks each day in the 38 ISP networks tracked. At least one of these consists of at least 1 million packets per second.
The heart of the piece is a three-step guide to minimizing damage and stopping attacks.
The first phase occurs during the initial five minutes of the attack. It is important to have tools in place to filter out bad traffic and minimize disruption to end users. At this early point, the ISP may be able to trace the "direct attackers," who usually are swarms of bot-controlled PCs. Identifying them isn't a priority, however, because they are slave machines being used by the real bad guys, who remain well hidden.
The next step is the first hour of the attack. An ISP should trace the "command and control infrastructure" driving the attack in preparation to destroy it. However, a Neustar executive comments that amassing such intelligence is getting increasingly difficult as attacker sophistication grows.
The third stage is to call in backup in the form of law enforcement and security researchers. The writer points out that it is important to cooperate with these folks, but attention must be paid to non-disclosure agreements (NDAs) and other privacy issues.
This useful blog posting at Hacking.co.in starts out with a generic description of DDoS attacks, but quickly gets into a deeper discussion of the variations used by hackers.
The industry is reacting to the changing tactics used by hackers. Last week, BT introduced a system that seeks to control DDoS attacks. The managed service, which uses Arbor's threat management system (TMS), relies on profiles of the traffic patterns of each customer. This enables traffic surges and unusual patterns to be analyzed in real time. When an attack occurs, the traffic is sent through a mitigation device that filters out the DDoS traffic while passing through the legitimate traffic.
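As an added illustration of the per-customer traffic profiling that the BT/Arbor service is described as relying on (example code written for this page, not BT's or Arbor's), the following learns a rolling packets-per-second baseline per customer, flags a surge against it or against the 1 million pps figure cited above, and decides whether that second of traffic is sent direct or through mitigation. The window size, sigma threshold and sample rates are assumptions.

```python
"""Per-customer traffic profile with surge detection (constructed example)."""
from collections import deque
from statistics import mean, pstdev

# Assumed thresholds: flag a surge when the rate exceeds the learned baseline
# by SIGMA standard deviations, or crosses an absolute ceiling of 1 million
# packets per second (the Arbor figure quoted in the text above).
SIGMA = 4.0
ABSOLUTE_PPS = 1_000_000
WINDOW = 60  # per-second samples kept in each customer's profile


class TrafficProfile:
    """Rolling baseline of one customer's packet rate."""

    def __init__(self, window=WINDOW):
        self.samples = deque(maxlen=window)

    def baseline(self):
        """Return (mean, stdev) of the learned profile, or (None, None)."""
        if len(self.samples) < 2:
            return None, None
        return mean(self.samples), pstdev(self.samples)

    def observe(self, pps):
        """Record one sample; return True if it looks like a DDoS surge."""
        avg, sd = self.baseline()
        if pps >= ABSOLUTE_PPS:
            surge = True
        elif avg is not None and pps > avg + SIGMA * max(sd, 1.0):
            surge = True
        else:
            surge = False
        if not surge:  # keep attack traffic from poisoning the baseline
            self.samples.append(pps)
        return surge


def route_traffic(profiles, customer, pps):
    """Decide whether this second of traffic goes direct or via mitigation."""
    prof = profiles.setdefault(customer, TrafficProfile())
    return "mitigation" if prof.observe(pps) else "direct"


# Constructed sample: steady ~10k pps for one customer, then a 50x spike.
CONSTRUCTED_RATES = [10_000 + (i % 7) * 150 for i in range(30)] + [500_000, 520_000]


def demo():
    """Route each constructed sample; returns the per-second decisions."""
    profiles = {}
    return [route_traffic(profiles, "customer-A", r) for r in CONSTRUCTED_RATES]
```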
The difficulty of dealing with these issues was illustrated last week. The Department of Homeland Security suffered a self-inflicted "mini DDoS" attack when a request for a change from a reader of the DHS Open Source Intelligence Report was sent to everyone on the list. eWeek reports that the situation escalated during the next hour as messages bounced back and forth involving the entire list. The messages -- from a political ad to local weather reports to repeated requests for people to stop responding -- resulted in about 2.2 million messages bombarding subscribers' inboxes.