More than one-fifth of UK firms experienced a disruptive distributed denial of service (DDoS) attack in 2012, a survey by communications and analysis firm Neustar has revealed.
The poll of 380 IT professionals shows that DDoS attacks are a threat to large and small organisations in all sectors, yet many organisations do not have adequate protection in place.
Key industries reported the highest levels of attack, with 53% of telecoms firms, 50% of e-commerce businesses, and 43% of retailers reporting DDoS attacks.
Last week, Malcolm Rifkind, MP, chairman of the cross-party Intelligence and Security Committee (ISC), said in the annual ISC report that many UK government departments have come under cyber attack in recent years, and this has often involved websites being disrupted by DDoS attacks.
The poll revealed that DDoS attacks typically throw organisations into crisis mode and can have a damaging effect on revenues.
Cost of DDoS attacks
While most DDoS attacks have a revenue risk of less than £1,000 per hour of downtime, the impact was more than £100,000 for 26% of financial sector organisations and 31% of telecoms firms.
To put that into perspective, 37% of DDoS attacks reported lasted for more than 24 hours, 24% lasted for more than three days, and 22% lasted for more than a week.
“But the damage often goes further than financial loss, eroding brand value along with reputation and customer trust,” said Susan Warner, DDoS market manager at Neustar.
Companies also reported increases in operational costs related to DDoS attacks, with the greatest number reporting increases in the IT group (69%) followed by customer service (57%). Some 29% reported increased operational cost in risk management and 22% reported increased cost in the call centre.
Overall, companies reported that 40% of attacks involved up to five people, while 25% required more than six people.
A risk impact analysis that takes all these additional costs into account can be used to make the business case for investing in new people, technologies and processes to mitigate DDoS attacks, said Warner.
“The impact of a DDoS attack on call centre staff and risk management teams can last three to seven times as long as the attack itself,” she said.
DDoS protection not up to scratch
Despite the business risks of DDoS attacks, the survey found only a quarter of respondents said their organisations use purpose-built DDoS equipment and cloud-based services, while 20% of respondents admitted that their companies have no DDoS protection in place.
“There appears to be a high reliance on routers, switches and web application firewalls, which are not designed to withstand DDoS attacks,” said Warner.
For this reason, it is likely that more than 20% have practically no protection from DDoS attacks, even though they think they are protected, she told Computer Weekly.
Warner also believes many firms do not think they will be targeted by DDoS attacks. “While the feeling is that these are random and that organisations have no control, it is difficult to get budget,” she said.
Neustar warned that DDoS attacks are likely to continue because they are relatively low-cost and easy ways to disrupt competitors and hold organisations to ransom.
This is particularly common among e-commerce sites, financial services, online gambling and online game playing services.
As DDoS attacks continue to become more frequent and complex, Warner said UK businesses need to adopt the right mix of people, processes and technologies to counteract them.
“Technology will only do so much to detect and mitigate DDoS attacks; it is just as important to have the right people on hand who can recognise what is happening and understand how to minimise the impact, and to have processes in place to deal with DDoS attacks before they happen,” she said.
DDoS attacks grow in frequency and complexity
DDoS attacks come in many forms, and while large attacks make the headlines, a well-crafted multi-vector attack as small as 1Gbps and 2Gbps can take down a site, said Warner.
The survey found that most attacks were less than 100Mbps, 70% were under 1Gbps, and only 11% were more than 20Gbps.
Another common trend is to switch between attack methods several times during a single attack that can last for days to keep targeted organisations off-balance.
Neustar has also seen a growing number of “low and slow” attacks that target web applications rather than attempting to overwhelm a website with high-bandwidth assaults.
“These low and slow attacks will typically be in the form of multiple requests for a .pdf document; they look like normal requests, but can quickly hog all the bandwidth available,” said Warner.
Not all DDoS attacks go after websites, she said; instead, they are increasingly focusing on web applications and web-based services such as email.
Another important reason for having a DDoS mitigation capability in place is that it prevents IT security teams from being distracted, as DDoS attacks are often used to mask other, more damaging attacks.
Warner cited the example of a San Francisco bank that was robbed of $900,000 during a DDoS attack that was used as a diversion.
Reducing exposure to the DDoS risk
Smaller organisations will typically look to managed services as a cost-effective way of mitigating DDoS attacks, but should first weigh up potential providers in terms of confidentiality, capacity and geographical location, said Warner.
“The ability of a service provider to handle an attack into Europe out of Asia through a presence in Asia, for example, could be an important factor to consider,” she said.
According to IDC’s 2013 DDoS forecast, organisations that have made a decision to invest in a comprehensive DDoS strategy should include a mix of on-premise and cloud-based monitoring and mitigation capability.
This can be managed internally, externally or a combination of the two, the IDC report said.
The Neustar survey report concludes that while many UK companies are hoping that traditional defences will suffice, “such hopes are badly misplaced” given the frequency and growing complexity of DDoS attacks they are facing.