I was just reading this report from Arbor Networks, which has some really valuable data on the size of DDoS attacks on the Internet.
If you don’t know, Arbor Networks makes a DDoS appliance that many of the carriers use to detect and mitigate DDoS attacks at very large scale. Many of the installed appliances send information back to Arbor as part of a distributed analysis service. Because of this information, apparently “obtained from ~100 ISPs”, they have a very good view of a widely distributed problem.
Here are the scary bits.
That said, to the data… There were 350,367 discrete anomalies reported within the 12-month study period, with 20,280 (~5.8%) of these exceeding 1 Gbps.
With just over 20k attacks larger than 1 Gbps in 2009, we collected a registered incident of 1 Gbps or larger roughly every 26 minutes throughout the year, and received a reportable attack every ~90 seconds. Furthermore, we observed a registered 10 Gbps or larger attack roughly every 190 minutes (just over 3 hours).
Many people think that because they learned about Denial of Service in CCSP training they have the tools to fix a DDoS attack. A bit of TCP SYN flood protection, some “threat detection” on the Cisco ASA, or maybe an IPS module isn’t going to be enough when someone can flood your entire Internet connection. Even if you can afford a 1 Gigabit connection, the Arbor report clearly shows that an attacker can easily exceed that bandwidth. Once the uplink is full the flood is being dropped upstream of anything you own, so you are down and all your prevention counts for nothing.
Generating that much traffic means someone has a strong desire to attack you. It requires a botnet rather than a single Internet connection, and a reasonable amount of intent and organisation.
On the other hand, smaller DDoS attacks can be just as effective. A TCP SYN flood aimed at a single address that takes your email server down for a couple of days is still effective even though it may use less than 500 Kbps of bandwidth: the half-open connections exhaust the server’s listen backlog long before the link itself is anywhere near full.
This is a classic security dilemma, and a good example of why you evaluate your risks before buying a solution. Do you put in expensive firewalls and DDoS defences, or upgrade your bandwidth? Remember that upgrading your bandwidth also improves the response time of your Internet connection, because the reduced serialisation delay going from 100 Mbit/s to 1000 Mbit/s (or even 10 Gbit/s) has a real impact on user performance.
If you buy the expensive DDoS appliances and the attack overruns your bandwidth, you look stupid. If you buy more bandwidth but skip the expensive DDoS gear, you can be taken out by a reasonably small DDoS event.
So the DDoS problem is many-faceted. An attack can be bigger than any bandwidth you can reasonably buy, or small enough to take down your servers if you don’t buy the right tools. The volumetric end of that range can only be dealt with upstream, which is exactly where the carriers run the Arbor gear. A lose/lose situation.
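To put numbers on both halves of that dilemma, here is an added example (not code from the original post or from the Arbor report) that models a SYN flood from two angles: how quickly half-open connections outrun a server’s listen backlog at the sub-megabit rates mentioned above, and the point at which the attack simply fills the uplink so that nothing on the premises can help. The minimum frame size, the wire overhead, the Linux-style SYN-ACK retransmit schedule and the 1024-entry backlog are all assumptions, labelled as such in the code.

```python
"""Why a sub-megabit SYN flood can still take a server offline, and when
on-premises mitigation cannot help at all.

Added example for this post; not code from the original or from Arbor.
All sizes below are assumptions: minimum Ethernet frame for a bare SYN,
preamble/inter-frame-gap overhead, and a Linux-style SYN-ACK retransmit
schedule (tcp_synack_retries=5 -> backoff 1,2,4,8,16,32 s = 63 s).
"""

MIN_SYN_FRAME_BYTES = 64   # assumed: minimum Ethernet frame, enough for an IPv4+TCP SYN
WIRE_OVERHEAD_BYTES = 20   # assumed: 8 B preamble/SFD + 12 B inter-frame gap
BITS_PER_BYTE = 8


def syn_rate_per_second(bandwidth_bps: float,
                        frame_bytes: int = MIN_SYN_FRAME_BYTES) -> float:
    """How many bare SYN segments per second fit through a link of this size.

    Each SYN costs the frame itself plus the fixed wire overhead, so the
    packet rate is bandwidth / (bits per SYN on the wire).
    """
    bits_per_syn = (frame_bytes + WIRE_OVERHEAD_BYTES) * BITS_PER_BYTE
    return bandwidth_bps / bits_per_syn


def half_open_lifetime_s(initial_rto_s: float = 1.0, retries: int = 5) -> float:
    """Seconds a half-open (SYN_RECV) entry stays in the listen queue.

    Without SYN cookies the server keeps retransmitting SYN-ACK with
    exponential backoff and only drops the entry after the last retry
    times out: 1 + 2 + 4 + 8 + 16 + 32 = 63 s for the assumed defaults.
    """
    return sum(initial_rto_s * (2 ** i) for i in range(retries + 1))


def steady_state_half_open(syn_rate: float, lifetime_s: float) -> float:
    """Little's law: entries present = arrival rate x time each one stays."""
    return syn_rate * lifetime_s


def seconds_to_fill_backlog(syn_rate: float, backlog: int) -> float:
    """Time until a fresh listen queue of `backlog` slots is full of bogus SYNs."""
    return backlog / syn_rate


def verdict(attack_bps: float, link_bps: float, backlog: int,
            lifetime_s: float = half_open_lifetime_s()) -> str:
    """Classify an attack against a site with a given uplink and listen backlog.

    Returns one of:
      "link-saturated"    attack fills the uplink; on-premises gear never gets a vote
      "backlog-exhausted" link has headroom but half-open entries outrun the backlog
      "absorbed"          neither limit is reached
    """
    if attack_bps >= link_bps:
        return "link-saturated"
    occupancy = steady_state_half_open(syn_rate_per_second(attack_bps), lifetime_s)
    if occupancy > backlog:
        return "backlog-exhausted"
    return "absorbed"


if __name__ == "__main__":
    # The post's small-flood case: under 500 Kbps aimed at a single mail
    # server behind an assumed 100 Mbit/s link with a 1024-entry backlog.
    rate = syn_rate_per_second(500_000)
    life = half_open_lifetime_s()
    print(f"500 Kbps of SYNs = {rate:.0f} SYN/s, each entry lives {life:.0f} s")
    print(f"steady-state half-open entries: {steady_state_half_open(rate, life):.0f}")
    print(f"a 1024-slot backlog fills in {seconds_to_fill_backlog(rate, 1024):.1f} s")
    for attack, link in [(500_000, 100e6), (1_500e6, 1e9), (2_000, 100e6)]:
        print(f"{attack / 1e6:>8.3f} Mbit/s vs {link / 1e6:>5.0f} Mbit/s link"
              f" -> {verdict(attack, link, 1024)}")
```

The two outcomes map directly onto the dilemma: “backlog-exhausted” is the case the SYN flood protection on a firewall or the server’s own SYN cookies is built for, because both stop the half-open entry from occupying a slot for the full retransmit lifetime; “link-saturated” is the case where no box behind the uplink can do anything, because the packets are being discarded before they reach it.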
Take these comforting closing words from the Arbor report:
To that point, I suspect it would be safe to assume that the probability of an effectively-sized attack targeting a given Internet property today is higher than the probability of a fire that affects that enterprise’s Internet availability and online presence (something I’ll look to qualify) – whilst from a business continuity perspective the latter is quite likely what the enterprise values most in today’s ‘connected’ world.
“Hey Boss, how much money do we spend on fire prevention ?”