DDoS attack disrupts 123 Reg services despite DDoS protection

UK domain name and hosting service hit by distributed denial of service attack, underlining the importance of adequate mitigation systems

A distributed denial of service (DDoS) attack has disrupted services at UK domain name registration and web hosting firm 123 Reg, including taking the company’s own website offline.

This is despite the fact that 123 Reg has some DDoS protection in place, which it claims curtailed most of the attack, enabling it to be contained within 30 minutes.

However, the more than 30 gigabits per second (Gbps) attack still interrupted 123 Reg’s services, knocking some customer email systems and websites offline.

The company did not provide any details of what DDoS protection it is using and apologised for what it described as “a huge scale” attack, saying only about 10% of DDoS attacks are in this range.

But DDoS attacks increased in size, complexity and frequency in the first half of 2016, with the largest attack measured at 579Gbps, according to the latest report by Arbor Networks.

In the first half of this year, Arbor recorded 274 attacks over 100Gbps and 46 attacks over 200Gbps, up 22% and 187%, respectively, when compared with the whole of 2015.

The duration of DDoS attacks is also increasing, according to a Kaspersky Lab report which said attacks lasting 20 to 49 hours accounted for 9% of those in the second quarter of 2016, up from 4% in the first quarter, and those lasting 50 to 99 hours accounted for 4%, up from 1% in the first quarter.

Longest attack

The longest DDoS attack in the second quarter of 2016 lasted 291 hours (12 days), a significant increase on the first-quarter maximum of eight days.

“Thirty minutes may seem like an effective response time against such a powerful DDoS attack, but a survey from IDC last year found that the average cost of critical application failure was between £375,000 and £750,000 per hour, so every second counts when critical systems such as email are down,” said Wieland Alge, vice-president and general manager for Europe at Barracuda Networks.

“The key to effective DDoS protection is the ability to distinguish real users from malicious requests, so that suspicious traffic can be blocked or challenged, but this is not easily done,” he added.

According to Alge, a network firewall can protect Layer 4 protocols and even do deep packet inspection, but truly protecting against web application layer attacks generally requires terminating the HTTP or HTTPS protocols and often rewriting traffic to identify and mitigate threats.

“Just as a network firewall is not designed to stop spam, it is also not designed to stop web application attacks,” he said. “This type of misunderstanding leaves the web application exposed, and gives the administrator a false sense of security. A web application firewall is much better suited to combating DDoS attacks.”

Businesses should also consider some form of dynamic client fingerprinting as part of any DDoS solution, said Alge.

“Mechanisms that can detect suspicious clients using script injections and challenge suspected malicious requests with a CAPTCHA test can be a lifesaver when a DDoS army is very distributed, stays below the rate control radar, and its user systems have not been blacklisted,” he said.
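To illustrate the scenario described above, the following sketch is an added example, not code from the article or from Barracuda Networks. It compares per-IP rate control with fingerprint clustering over one constructed traffic window. The field names, the `js_ok` flag (standing in for whether a client ran an injected script) and both thresholds are assumptions.

```python
import hashlib
from collections import Counter, defaultdict

PER_IP_LIMIT = 20   # assumed rate-control threshold: requests per window per IP
MIN_CLUSTER = 50    # assumed: distinct IPs sharing a fingerprint before it is suspicious

def fingerprint(req):
    """Hash the client attributes that stay stable across one tool's requests."""
    raw = "|".join([req["ua"], req["accept_lang"], ",".join(req["header_order"])])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

def rate_limited_ips(requests, limit=PER_IP_LIMIT):
    """Classic per-IP rate control: flag only IPs above the limit."""
    counts = Counter(r["ip"] for r in requests)
    return {ip for ip, n in counts.items() if n > limit}

def ips_to_challenge(requests, min_cluster=MIN_CLUSTER):
    """Flag IPs that never passed the injected script check and share a
    fingerprint with many other IPs; these get a CAPTCHA rather than a block."""
    passed = {r["ip"] for r in requests if r["js_ok"]}
    ips_by_fp = defaultdict(set)
    for r in requests:
        if r["ip"] not in passed:
            ips_by_fp[fingerprint(r)].add(r["ip"])
    flagged = set()
    for ips in ips_by_fp.values():
        if len(ips) >= min_cluster:
            flagged |= ips
    return flagged

def sample_window():
    """Constructed traffic: 200 low-rate bots, 30 browsers, 1 heavy genuine user."""
    bot = {"ua": "Mozilla/5.0 (constructed-bot)", "accept_lang": "",
           "header_order": ["host", "user-agent"], "js_ok": False}
    browser = {"ua": "Mozilla/5.0 (constructed-browser)", "accept_lang": "en-GB",
               "header_order": ["host", "user-agent", "accept", "accept-language"],
               "js_ok": True}
    reqs = [dict(bot, ip=f"10.0.0.{i}") for i in range(200) for _ in range(5)]
    reqs += [dict(browser, ip=f"192.0.2.{i}") for i in range(30) for _ in range(8)]
    reqs += [dict(browser, ip="198.51.100.7") for _ in range(40)]
    return reqs

if __name__ == "__main__":
    window = sample_window()
    print("per-IP rate control flags:", sorted(rate_limited_ips(window)))
    print("fingerprint + script check flags:", len(ips_to_challenge(window)), "IPs")
```

On this constructed window, rate control flags only the heavy genuine user, while the fingerprint cluster isolates the 200 low-rate clients for a challenge.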

The DDoS attack on 123 Reg highlights the fact that DDoS remains a common attack type due to the easy availability of free tools and inexpensive online services that enable anyone with a grievance and an internet connection to launch an attack, and that not all DDoS mitigation techniques provide the same level of protection.
