July DDoS Damage Could Have Been Contained

Far from being exemplary of the state-of-the-art in cyber warfare, July’s DDoS attacks were exemplary of something else: the state-of-the-mundane.

• By Stephen Swoyer
• 08/04/2009

Remember those pesky DDoS attacks that slammed U.S. and South Korean Web sites last month? Far from being anomalous or exemplary of the state-of-the-art in cyber warfare, industry watchers say they’re exemplary of something else -- namely, the state-of-the-mundane.

John Pescatore, an analyst with market watcher Gartner Inc., says July’s DDoS attacks -- which are similar in nature (if not in scope) to other extant packet storm attacks -- basically amount to business as usual in a roiling cyberscape. The not-so-surprising upshot, Pescatore and other security professionals argue, is that the organizations targeted by the attack -- which included several prominent agencies attached to both the United States and South Korea -- simply hadn’t taken appropriate steps to protect themselves.

The attacks -- which targeted the U.S. Secret Service, the Treasury Department, the Federal Trade Commission, and other agencies in the United States, as well as the South Korean Defense Ministry -- came in three discrete waves, starting July 4 and extending through July 9.

Some sources believe the attacks to be the work of North Korean agitators; others stress that there’s simply no way, at this point, to attribute provenance or authorship. The issue is complicated by the crudity of the attack code. The simple fact of the matter, Gartner’s Pescatore argues, is that the attacks weren’t very sophisticated: the botnet software, for example, recycles malicious code from other (altogether more state-of-the-art) attack exploits, such as MyDoom, which is more than five years old.

“The targets of these attacks, and the differences in their ability to protect themselves, are actually much more interesting than the attacks themselves. The malicious code used appears not to be very sophisticated, and the scope of the attack -- with approximately 50,000 PCs apparently compromised -- is not very large, compared with many other DDoS attacks in recent years,” wrote Pescatore, in a Gartner research blast.

He points to similar interruptions in the past, such as the 2000 DDoS attacks (the work of a Canadian teenager dubbed “mafiaboy”) that crippled prominent Web sites like Yahoo and CNN; he says those attacks don’t differ all that drastically, in either sophistication or severity, from July’s attacks.

The DDoS activity, for example, generated between 20 and 25 Mbps of data; that’s sizeable but nonetheless manageable, according to security pros. Indeed, Jose Nazario, manager of security research with DDoS specialist Arbor Networks, told The New York Times that the data generated by the packet storm bots wasn’t sufficient to cripple most of the sites under attack.

That’s the point, as far as Pescatore is concerned: the July attacks could have and should have been avoided. That they weren’t speaks to the fact that many business and public sector organizations are simply -- and inconceivably -- behind the curve, at least when it comes to safeguarding against the state-of-the-mundane.

“[S]ites [like Yahoo and CNN] quickly learned to protect themselves, but DDoS attacks have continued to hit many businesses during the past five years, partly because they have failed to recognize that preventing impact is simply part of the cost of doing business on the Internet,” he noted. “Businesses and government agencies that have deployed due-diligence levels of protection should have routinely detected these latest attacks and quickly mitigated their impact,” Pescatore continued, adding that it is incumbent on any organization which depends on its Web presence to safeguard itself against DDoS.

Protection “is widely available in the form of service offerings from telecommunications carriers and service providers and -- less effectively customer premises equipment that can be owned and operated locally,” he concluded.