Needed: Better emergency playbook for DDoS attacks

Akamai says DDoS attacks are growing steadily more vicious, aided by massive botnets. At Metricon 5, a senior service line manager warned that companies are short on emergency response playbooks to meet the threat.

WASHINGTON, D.C. -- Akamai Technologies continues to study the massive DDoS attacks that brought government websites to a standstill last year. The picture keeps getting uglier, but emergency planning hasn't improved.

At Securitymetrics.org's Metricon 5 event today, R.H. Powell, senior service line manager for the Cambridge, Mass.-based company, revealed new research and suggested companies do better at planning for these increasingly vicious attacks.

Powell has been watching the DDoS trend from a pretty tall vantage point. Most people use Akamai services without even realizing it. The company runs a global platform with thousands of servers customers rely on to do business online. The company currently handles tens of billions of daily Web interactions for such companies as Audi, NBC, and Fujitsu, and organizations like the U.S. Department of Defense and NASDAQ. There's rarely a moment -- if at all -- when an Akamai customer IS NOT under the DDoS gun.

Also see "The DDoS attack survival guide"

Gleaning data from 200 agent servers whose sole purpose is to listen in on port activity, as well as customer traffic logs and public reports and data from firms such as Forrester Research, Akamai has found, among other things, that:

  • Attacks are increasingly originating from countries like Turkey and Brazil, where Internet use is catching up with the rest of the world but not the security culture. In fact, Powell said, the security culture in these places is practically non-existent.
  • Ninety-five percent of corporate web apps have severe flaws that are at risk of being exploited, aiding the growth of botnets and enabling the more severe DDoS attacks (Powell cited Forrester as the source of that example).
  • Vulnerabilities at the application level are particularly troubling because companies are rushing out new apps every day, widening the attack surface.
  • Powell's assessment mirrors that of his colleague, Akamai CSO Andy Ellis, who told CSO in January that botnets launching many of today's DDoS attacks are so vast that those controlling them probably lost track of how many hijacked machines they control a long time ago. [Listen to the full interview with Ellis in The Long, Strange Evolution of DDoS Attacks]

    "We see a lot less of the fire-and-forget malware-based attacks designed to bog down the machines that were infected," Ellis said, referring to old-school worm attacks like Blaster, Mydoom and Code Red. "Now the malware is used to hijack machines for botnets and the botnets themselves are used as the weapon."

    In the last year, Akamai has seen some of the largest DDoS attacks in recent memory, which Ellis described as "huge attacks of more than 120 gigabytes per second." If you are on the receiving end of that much punch, Ellis said, "It's not a pleasant place to be."

    The massive attack that started July 4, 2009 was a good example of this. In that onslaught, a botnet of some 180,000 hijacked computers hammered U.S. government Web sites and caused headaches for businesses in the U.S. and South Korea. The attack started that Saturday, knocking out websites for the U.S. Federal Trade Commission (FTC) and U.S. Department of Transportation (DOT). US Bancorp, the nation's sixth-largest commercial bank, also took a direct hit.

    Powell said the attack lasted a week and generated 64 billion log lines. Without a doubt, he said, it remains the biggest Internet attack Akamai has seen to date.

    The only silver lining is that the company hasn't seen a huge amount of attack traffic yet from mobile devices. But, he said, "We are watching and waiting warily."

    Powell said Akamai's goal is to get its customers to understand what's happening and do better at blunting the attacks from their own environments.

    "We've found that there's still no emergency playbook for dealing with this kind of threat," he said. "We need to change that."

    Insider: How a good CSO confronts inevitable bad news
    Join the discussion
    Be the first to comment on this article. Our Commenting Policies