The past year saw an unprecedented increase in the number and size of Distributed Denial of Service (DDoS) attacks, where attackers send so much fake traffic at a server that legitimate requests cannot get through. There is no reason to think that 2017 will be any different. While DDoS has been a favorite attack strategy for some time, the advent of the Internet of Things has enabled hackers to take their attacks to a whole new level. The attack against DNS provider Dyn in October, for example, was likely the largest attack ever, estimated at 1.2 terabits per second in malicious traffic.
Because Sungard Availability Services (Sungard AS) provides production and disaster recovery network services for over 7,000 clients, we are in the position to see a wide array of DDoS attacks, day in and day out. Most customers don’t even know they are attacked, as we recognize an attack immediately and take steps to counteract it.
In the U.S., Sungard AS sees between 1,500 and 2,000 event tickets per month for DDoS attacks. These attacks can range from a single packet to multi-gigabit attacks, and one of the largest we’ve seen was a little over a hundred gigabits per second.
Our experience in handling DDoS attacks points to some interesting quirks that aren’t generally known about these attacks:
Most DDoS Attacks Come from Europe, not Asia. While attacks come from everywhere in the world, the majority of the attacks we see originate in Europe, particularly in Eastern Europe. Some companies may focus on the threats from Asia and even block certain nations, but that won’t stop these attacks. Many of these attacks are related to ransom demands and likely originate from organized crime groups in Eastern Europe. Effective mitigation must be geo-agnostic and handle what has become a truly global threat.
Non-profit organizations are the biggest targets for DDoS attacks. While financial service companies are always big targets for cybercrime, and healthcare companies have lately experienced a rash of ransomware and identity theft attacks, the customers we see attacked most often by DDoS attempts are non-profits. These attacks are generally politically motivated (hacktivism). The lesson here is that anyone and everyone can be targeted. Your mitigation strategy should assume you will be targeted eventually. The thinking that “I’m not a likely target” is no longer valid.
An immediate response can make a difference. DDoS attacks are often used as smoke screens for other kinds of attacks. A fast response that neutralizes the attack can be an effective deterrent to a secondary attack. An attacker is going to make sure that their DDoS attack was effective before they start executing any other secondary plans. If the attack doesn’t work, they will quickly move on to another target.
There are simple things you can do to reduce your risk from a DDoS attack. People often overlook some of the most basic measures, such as confirming whether inbound traffic is actually a reply to something your systems sent. One of the main ways attackers amplify an attack is by sending traffic that pretends to be a response to requests your own systems never made. It’s a simple test to determine whether a packet is a real reply to one of your own messages: if your traffic didn’t go out, then you shouldn’t be getting a reply in. If you detect such behavior properly at your firewall, it protects your application and database servers from having to deal with fake traffic, reducing the potential impact of a DDoS attack.
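The check described above is what a stateful firewall does: it remembers which requests left the network and accepts an inbound packet only if it answers one of them. The following simulation is an added example, not code from the original article or from Sungard AS; it models UDP request/response pairs (DNS, NTP) with constructed sample packets and addresses from documentation ranges, and assumes a 5-second window during which a sent request may still be answered.

```python
"""Stateful reply filter: accept an inbound reply only if it answers a request
that really went out from our network within the last REPLY_WINDOW seconds.
Unsolicited replies are dropped and counted per source so that a host that keeps
sending them (a reflector aimed at us) can be reported."""
from collections import Counter
from dataclasses import dataclass

REPLY_WINDOW = 5.0  # assumed: seconds an outbound request stays answerable


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" (leaving our network) or "in" (arriving)
    proto: str      # "udp" in this example
    src: str
    sport: int
    dst: str
    dport: int
    ts: float       # seconds since capture start


class ReplyFilter:
    def __init__(self, window=REPLY_WINDOW):
        self.window = window
        # (proto, remote_ip, remote_port, local_ip, local_port) -> expiry time
        self.pending = {}
        self.unsolicited = Counter()  # remote_ip -> replies we never asked for

    def _expire(self, now):
        for key in [k for k, exp in self.pending.items() if exp < now]:
            del self.pending[key]

    def process(self, pkt):
        """Return the verdict for one packet: allow (outbound), accept, or drop."""
        self._expire(pkt.ts)
        if pkt.direction == "out":
            # Remember the request, keyed the way its reply will look to us.
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            self.pending[key] = pkt.ts + self.window
            return "allow"
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.pending:
            del self.pending[key]  # one request, one reply
            return "accept"
        self.unsolicited[pkt.src] += 1
        return "drop"

    def suspected_reflectors(self, threshold):
        """Remote hosts that sent at least `threshold` unsolicited replies."""
        return [ip for ip, n in self.unsolicited.most_common() if n >= threshold]


# Constructed sample traffic (203.0.113.10 is our host; others are remote).
SAMPLE = [
    Packet("out", "udp", "203.0.113.10", 40000, "198.51.100.5", 53, 0.0),  # our DNS query
    Packet("in", "udp", "198.51.100.5", 53, "203.0.113.10", 40000, 0.1),   # genuine answer
    Packet("in", "udp", "192.0.2.77", 53, "203.0.113.10", 40000, 0.2),     # never asked
    Packet("in", "udp", "192.0.2.77", 53, "203.0.113.10", 40001, 0.3),     # never asked
    Packet("in", "udp", "192.0.2.78", 123, "203.0.113.10", 40000, 0.4),    # NTP, never asked
    Packet("out", "udp", "203.0.113.10", 40002, "198.51.100.6", 53, 0.5),  # our DNS query
    Packet("in", "udp", "198.51.100.6", 53, "203.0.113.10", 40002, 9.0),   # too late: expired
]


def run(packets=SAMPLE, window=REPLY_WINDOW, threshold=2):
    """Filter the packets; return per-packet verdicts and suspected reflectors."""
    f = ReplyFilter(window)
    verdicts = [f.process(p) for p in packets]
    return verdicts, f.suspected_reflectors(threshold)


if __name__ == "__main__":
    verdicts, reflectors = run()
    for p, v in zip(SAMPLE, verdicts):
        print(f"{p.direction:>3} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {v}")
    print("suspected reflectors:", reflectors)
```

Only the replies that match a recorded outbound request reach the application; everything else is discarded at the edge, and the per-source counter gives the operations team a list of hosts worth rate-limiting or reporting. A real firewall does this with its connection-tracking table rather than a Python dictionary, but the decision rule is the same.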