A growing number of the DDoS attacks that hit UK organisations in 2013 were probably diversions designed to distract defenders from attempted data breaches or frauds, a survey and analysis by mitigation firm Neustar has suggested.
Almost one in three of the 331 UK firms surveyed reported they had been victims of DDoS attacks during the period, up from about one in five the year before, with attacks getting longer, somewhat larger and more persistent.
The overwhelming majority of attacks lasted from a few hours to two days in duration, with very long-lived attacks of a week or more falling from 22 percent in 2012 to 9 percent in 2013.
Reflecting greater investment in defence, attacks have grown in size with 60 percent now anything from 1Gbps to 20Gbps or larger. As has been well documented, extremely large attacks of 100Gbps or higher are a new trend although at that size the nuisance value is quickly passed to service providers rather than enterprises.
Overall, the rise of DDoS is turning into a significant cost of business, consuming staff resources; 32 percent of UK businesses now estimate that they lose about £10,000 ($16,500) for every hour of an attack equivalent to a quarter of a million pounds per day.
As bad as DDoS attacks have become in the UK, they are still less common than in the US, with Neustar’s figures showing that nearly twice as many firms there reported experiencing them.
The important but hard-to-assess question is what is driving the rise in DDoS across the UK, US and elsewhere. Attackers don’t always flag their motivations, which could cover anything from straight extortion, hacktivism, the actions of a competitor and, more rarely, a politically-motivated attack by a foreign state.
Neustar’s analysis shows that a growing explanation is ‘smokescreening’, that is using a DDoS to occupy defenders while a data breach is attempted. This can take a number of forms depending on the sector, with an example from the banking industry being a DDoS against infrastructure that coincides with an attempt to drain customer accounts through ATMs.
According to Neustar’s market manager Susan Warner, a tell-tale sign that a DDoS might have had a diversionary intention is simply that enterprises can’t understand why they were attacked in the first place.
“A lot of times, firms don’t make the connection,” she says. If an enterprise can’t understand why it was attacked – i.e. no extortion demand or hacktivist message was received for example - the possibility of attempted data theft “is probably a good place to start.”
Globally, just over half of those reporting an attack said that it had coincided with the arrival of malware, 19 percent were aware of customer data theft, 14 percent financial theft, and 9 percent loss of IP. Neustar doesn't break these numbers down by country but a similar breakdown would almost certainly apply to the UK too.
As in the firm’s 2012 survey, most organisations rely on firewalls to protect themselves with only a minority deploying either a DDoS mitigation appliance or some kind of service equivalent; 12 percent said they had no specific DDoS protection in place.
Gradually, regulators are bearing down on this passive approach, with the Federal Financial Institutions Examination Council (FFIEC) in the US requiring banks to put in place response plans to cope with this kind of attack.
What does a DDoS attack look like? Watch Neustar's Youtube visualisation.