As DDoS attacks become front-page news, one botnet master says the security industry is ten steps behind.

DDoS Attacks Plateauing
People peer into a server room during the grand opening of Hewlett-Packard's Executive Briefing Center in Palo Alto, California (Credit: Reuters)

DDoS, or distributed denial of service, cyber-attacks became front-page news in March when an attack dubbed the 'largest cyber-attack in history' hit an anti-spam organisation. The attack saw Spamhaus servers flooded with 300 billion bits of data per second, which is around three times the size of the largest attack seen previously.

While an attack of this size has so far been a one-off there are hundreds if not thousands of people around the globe who are making millions of pounds every year by hiring out the networks of zombie computers known as botnets which carry out these attacks.

"Making money with a botnet is easier than brushing your teeth," an unnamed hacker told Robert Hansen, Director of Product Management at WhiteHat Security, as reported in his two-part interview. The hacker said it amazed him he was able to make as much money as the average monthly industrial wage in a few hours typing on a laptop while watching TV.

In recent years hacking has become much more accessible with the automation of tools allowing even those with limited technical knowledge to make money.

At one stage the anonymous hacker said he was making "millions" every year from a variety of hacking techniques, including carrying out DDoS attacks on behalf of customers. While that has now been reduced somewhat as people become more aware of cyber threats, the hacker intimated he had already earned over $300,000 this year.

Centrally controlled

DDoS attacks are typically carried out by networks of PCs which have been infected with malware and can then be centrally controlled to send huge volumes of traffic towards a particular website or server, knocking the services offline for a period of time.

These botnets are rented out for as short as 30 minutes at a time, with those renting them typically blackmailing their targets by threatening to keep their businesses offline unless they pay up.

It's a system which clearly works, but as one major European gaming company told IBTimes UK exclusively this week, there are ways to prevent this type of attack without having to pay out to blackmailers.

Speaking on the basis of anonymity the head of security for the gaming company which specialises in live casino games, spoke about a persistent series of DDoS attacks which threatened the company and its customers just over a year ago.

The attacks, which took place every Sunday morning/afternoon for up to two months, cost the company over €100,000 in lost revenue and much more in lost credibility. The attacks took place at that specific time as the attackers knew the normal security team would not be working and it would be easier to bring down the company's servers.

Identity

The attackers were not known, and most likely rented a botnet to carry out the attack, making it virtually impossible to trace their real identity. The head of security speculated that it could have been a rival company who carried out the attack or a customer seeking revenge having lost a lot of money on one of the sites supported by this company.

The company was able to mitigate the attacks using DDoS mitigation techniques which are able to divert the huge volume of traffic targeting the site. While employing this security measure is not free, the anonymous botnet master told Hansen he was amazed more online companies didn't use it:

"Companies don't purchase DDoS protection. Cloudflare for example offers incredibly strong DDoS protection for $200 a month (also it's harder to jack a Cloudflare domain). If I extort you for $200-$1000 for one day why not make yourself immune for the minimal fee?"

Atypical

Attacks the size of the Spamhaus attack are atypical however and according to research published by Arbor Networks the size of these volumetric type of DDoS attack is plateauing, though not because of technical restrictions

When asked for the reason we have not seen more attacks like the one which hit Spamhaus in March, Darren Anstee from Arbor is stumped: "The answer is that, very simply, I don't know. The capability to generate larger attacks has been out there for quite a long time. If you look at Spamhaus the attack vector that was used was nothing new, they just leveraged the capabilities that were already out there on the internet."

The reason we are not seeing bigger attacks on the scale of Spamhaus is that attackers simply don't have to boost their attacks for them to work:

"Attackers have realised to an extent that 100Gbps is enough to hurt the majority of the targets that are out there, and most targets will have significant issues with dealing with 100Gbps of traffic, in fact some service providers would have issues with that, especially if they don't have the right solutions in place to deal with the attack traffic," Anstee says.