Andrea Danti - Fotolia

Complacency about DDoS attacks puts businesses at risk, survey shows

Attention is turning to application data breaches, network attacks and malware, despite 60% of respondents saying they are worried about DDoS attacks, a survey shows

Complacency about distributed denial of service (DDoS) attacks is putting businesses at risk, a survey has revealed.

Investment in specific DDoS protection is relatively low, according to a survey by F5 Networks at Infosecurity Europe 2015 in London.

Attention is turning to application data breaches, network attacks and malware, despite 60% of respondents saying they are worried about DDoS attacks and 39% admitting it is likely their organisation has already been targeted.

Similarly to advanced persistent threats (APTs), many DDoS attacks are starting to be characterised by long durations, repetition and changing attack vectors, according to a recent report by Imperva.

Almost 40% of the organisations questioned are using a firewall to protect against DDoS attacks, with web application firewalls preferred by 26% of respondents, but investment in specific DDoS protection, either on or off premise, scored much lower.

However, firewalls are not sufficient as they often cause bottlenecks and accelerate outages during attacks, according to a report published in March by communications and analysis firm Neustar.

With cyber criminal services available to enable anyone to take down a website using DDoS attacks for just $6 a month, it is clear increasing mitigation capacity alone is not enough, said Neustar senior vice-president and fellow Rodney Joffe. 

“We have to become more strategic. The online community needs to develop industry-based mitigation technologies that incorporate mechanisms to distribute attack source information to internet service providers so they can stop attacks closer to the source,” he said.

Gary Newe, technical director of UK, Ireland and Sub-Saharan Africa at F5, said he was surprised DDoS attacks are not among the top three concern for businesses. 

“DDoS attacks are still coming thick and fast, with an ever-increasing level of sophistication. Businesses must continue to invest in protecting themselves against attacks of this kind,” he added.

The survey also revealed the evolving technology landscape is making security more challenging, with 76% of respondents stating that with cloud computing and increased use of personal mobile devices for work purposes, the ability to maintain consistent security and availability policies has become more difficult in the past three years.

However, respondents are still looking to innovate and take on board opportunities to drive efficiencies in their business. More than a quarter of respondents are looking to use software defined networking (SDN) technologies in their datacentre in the near future, but 20% believe SDN environments are more vulnerable to attacks. The top three security concerns are bugs and vulnerabilities in the applications (26%), the exploitation of centralised controllers (21%) and the development and deployment of malicious applications on controllers (15%).

Read more about DDoS attacks

  • DDoS attacks could expose 40% of businesses to losses of£100,000 or more an hour at peak times.
  • All indications show DDoS attacks are increasing in variety, number and size.
  • Cyber threats evolve at the same pace as technology, and denial-of-service attacks are no different.
  • Employ a mix of internal and cloud-based DDoS mitigation controls to minimise business disruptions from these increasingly complex attacks.

Newe said it is interesting to see many organisations considering implementing SDN technologies, although there is still plenty of scepticism. 

“Further education is certainly required before businesses fully embrace the opportunities for speed and agility afforded by this type of environment,” he said.

The survey also revealed 52% of respondents are concerned about the planned Investigatory Powers Bill, with 32% citing worries around the government having more “big brother” style powers. But only 18% said they are concerned about government access to personal data and 13% about access to corporate data.

When asked about the internet of things (IoT), respondents highlighted concerns around data loss (26%), security around managing an increasingly complex environment and securing customer data (23%), and the increasing complexities around managing connected devices (21%). Only 3% of respondents have no concerns around IoT technologies, suggesting a need for greater collaboration, security and education in this space.

Newe said it is not surprising the security community is concerned about IoT and the Investigatory Powers Bill.

 “The respondents are at the front line in protecting enterprises against external threats and in modernising IT infrastructure for an evermore connected world. There is still a great deal of uncertainty in these areas, and it will be crucial for the government and business community, including their security teams, to engage in the debates about the roll-out of both,” he said.

Read more on Hackers and cybercrime prevention