No business can be confident it will not be hit by a distributed denial of service (DDoS) attack, according to communications and analysis firm Neustar.
DDoS attacks are used for a wide variety of reasons and have become increasingly easy to carry out, said Rodney Joffe, senior vice-president, senior technologist and fellow at Neustar.
“It would be extremely naïve for any business to think it is safe because it is too small or unimportant to be hit by a DDoS attack,” he told Computer Weekly.
Joffe said the likelihood is high and increasing because new types of distributed denial of service attacks are continually emerging and being deployed for a growing number of reasons.
“Bragging rights were the initial motivation, but we now see DDoS attacks used to extort money, highlight social or political causes, cover other criminal activity and harm competitors,” said Joffe.
At the top end of the scale DDoS attacks are being carried out by nation states in support of domestic industries, and at the bottom end by disgruntled former employees or unhappy customers.
The well-publicised DDoS attack against Spamhaus in March 2013 is an example of how a single person can unleash powerful attacks on an organisation to “teach them a lesson”, said Joffe.
“DDoS attacking services have become a commodity and make it possible for anyone to set up a DDoS attack against anyone for any reason,” he said.
DDoS-for-hire or “booter” services can cost as little as £3 to £10 an hour to take a target company offline or disrupt their online communications, which would cut off most organisations from their supply chain.
“It is impossible for any organisation to know if or when it will be hit by any one of these DDoS attacks or some combination of them, so it is best to be prepared,” said Joffe.
“No organisation can say it has never fired anyone and never angered a customer or activist group, which means any organisation can be a target of a DDoS attack,” he said.
Organisations should accept the reality of DDoS attacks and approach investing in anti-DDoS capabilities as they would investing in an insurance policy, considering the potential cost of being hit.
This includes the cost of lost business, damage to reputation, lost loyalty and supply chain disruption.
“Unfortunately, almost no-one approaches DDoS protection in this way, but they soon get religion when they are in the middle of an attack and it is costing them £2,500 a minute to be offline,” said Joffe.
But DDoS does not only affect online businesses, he said. An easy cost impact analysis for non-online businesses is to look at the effects being offline would have on communications with suppliers.
Most companies rely on web-based communications channels to manage their supply chains, especially those that use just-in-time demand-based systems to place orders.
But when it comes to building defences, Joffe said organisations need to be smart because simply adding extra network capacity is a losing strategy.
“No matter how much bandwidth an organisation has, attackers will always be able to go one better to take them down,” he said.
Neustar said the best-practice approach is to build some capacity on site to handle small attacks, but also have an outside mitigation service to deal with the most severe attacks.
“It is also important for organisations to have the capacity to understand how an attack’s command and control mechanism works so that it can be shut down quickly,” said Joffe.
“Brute force is no longer enough. Organisations have to be more intelligent in approaching DDoS attacks by identifying who is behind them,” he said.
According to Joffe, this approach is paying off as countries that formerly turned a blind eye to cyber criminal activities become more receptive to international pressure to take a harder line.
“Where there is capacity to identify the criminals behind DDoS attacks, we are seeing people being arrested and going to jail,” he said.
This is also a useful approach where DDoS attacks are used as a smokescreen for other criminal activities.
“It is fairly common, for example, for cyber criminals to DDoS a bank as a distraction and to disrupt call centre services to mask illegal account transfers being carried out at the same time,” said Joffe.
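The smokescreen pattern Joffe describes is detectable from the defender's side when traffic telemetry and transaction records are looked at together rather than in separate silos. The following is an added example, not code from Neustar or from the article: it derives the attack window from per-minute request-rate samples (anything above ten times the median rate is treated as attack traffic) and then flags transfers made inside that window which are large or go to a payee not seen before. All data, field names and thresholds are constructed for illustration.

```python
"""Correlate a volumetric DDoS window with account transfers made during it.

Added example (not from the article or Neustar). The traffic samples,
transfer records, field names and thresholds below are constructed.
"""
from datetime import datetime, timedelta
from statistics import median

# Constructed per-minute request-rate samples: (timestamp, requests per second).
TRAFFIC_SAMPLES = [
    ("2024-01-01T09:00", 1200), ("2024-01-01T09:01", 1150),
    ("2024-01-01T09:02", 1300), ("2024-01-01T09:03", 1250),
    ("2024-01-01T09:04", 48000), ("2024-01-01T09:05", 52000),
    ("2024-01-01T09:06", 51000), ("2024-01-01T09:07", 1400),
    ("2024-01-01T09:08", 1200),
]

# Constructed transfer records: (timestamp, account, amount, payee_is_new).
TRANSFERS = [
    ("2024-01-01T09:01", "acct-001", 250.0, False),
    ("2024-01-01T09:05", "acct-002", 18500.0, True),
    ("2024-01-01T09:06", "acct-003", 120.0, False),
    ("2024-01-01T09:06", "acct-004", 9900.0, True),
    ("2024-01-01T09:08", "acct-005", 22000.0, True),
]


def parse(ts):
    """Parse the minute-granularity timestamps used in the constructed data."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def attack_windows(samples, factor=10.0):
    """Return [(start, end)] half-open ranges where the rate exceeds factor * median.

    The median is used as the baseline so that the attack minutes themselves
    do not drag the baseline upwards the way a mean would.
    """
    baseline = median(rps for _, rps in samples)
    windows, start, last = [], None, None
    for ts, rps in samples:
        t = parse(ts)
        if rps > factor * baseline:
            if start is None:
                start = t
            last = t
        elif start is not None:
            windows.append((start, last + timedelta(minutes=1)))
            start = None
    if start is not None:  # attack still ongoing at the end of the samples
        windows.append((start, last + timedelta(minutes=1)))
    return windows


def in_window(t, windows):
    """True if t falls inside any [start, end) attack window."""
    return any(start <= t < end for start, end in windows)


def flag_transfers(transfers, windows, amount_threshold=5000.0):
    """Return accounts whose transfers happened during an attack window and
    were either above the amount threshold or went to a new payee."""
    flagged = []
    for ts, account, amount, payee_is_new in transfers:
        if in_window(parse(ts), windows) and (amount >= amount_threshold or payee_is_new):
            flagged.append(account)
    return flagged


if __name__ == "__main__":
    windows = attack_windows(TRAFFIC_SAMPLES)
    for start, end in windows:
        print(f"attack window {start:%H:%M}-{end:%H:%M}")
    print("transfers to review:", flag_transfers(TRANSFERS, windows))
```

In the constructed data the window is 09:04 to 09:07 and two transfers inside it are flagged; the large transfer at 09:08 is not, because the rule only raises suspicion about activity that coincides with the attack and leaves ordinary fraud controls to handle the rest. The point of the correlation is to give the fraud team a short, time-bounded list to review while the network team is busy with the traffic, rather than to replace either control.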
DDoS attacks by nation states are typically more difficult to tackle but, while they do happen, they are not very common, he said.
According to Joffe, while criminal DDoS attacks are two to three times greater in the US than in the UK, most of the growth is now in the UK.
“For all businesses, information security should now be about risk management to defend as much as possible, and then finding ways to detect and mitigate the effects of attacks when they occur,” he said.
An important part of that risk mitigation strategy, he said, is an effective incident response plan that is practised regularly.
Neustar, which estimates IT downtime would cost $250,000 an hour, holds weekly incident response drills that involve company executives, the legal department and corporate communications.
Companies should regard regular drills aimed at ensuring incident response is well ingrained in all members of staff as “cheap insurance” that greatly contributes to reducing the risk, said Joffe.