The attacks on Mumsnet were probably the moment when UK SMEs finally woke up to the threat the sector faces from DDoS attacks. Traditionally seen as a problem for larger businesses, DDoS arrived at the hugely popular site for parents in August in the form of at least three attacks that took the site offline for hours at a time.
For Mumsnet it was a case of no website, no business, even if the DDoS attacks themselves were only one part of a much longer-running and more complex campaign that included a Heartbleed-derived data breach in 2014, a recent mass phishing attack on its members and even a ‘swatting’ attack on the site’s founder, Justine Roberts. The DDoS attacks stick in the mind because they were visible – the members couldn’t reach or log into the site.
To rub the point home in a different sphere, not long after, on 1 September, the website of the UK National Crime Agency was taken offline by a DDoS, digital revenge for the arrests of UK teens allegedly connected to the activities of the Lizard Squad. Hours later, it was the turn of the website of Greater Manchester Police to be hit by a DDoS lasting two hours.
What these attacks demonstrate is that SMEs that operate business or information services online are unusually vulnerable to DDoS attacks, both technically and reputationally. Many will lack experience and resources, and very few will have protection in place. To make matters worse, specific extortion groups (see Techworld feature on DD4BC) have started preying on SMEs as a deliberate policy, threatening attacks if a ransom is not paid, usually one set some way below the financial cost of the disruption.
Larger organisations bought protection against DDoS attacks and so, naturally, the criminals decided to look for new victims in a wider range of industry sectors and countries.
Why are DDoS attacks getting worse?
The simple answer is that attackers have moved on from old-fashioned botnets of compromised PCs to hijacked armies of cloud-based servers, which sit on far fatter connections. It is that technological change, and the huge resources it offers, that is fuelling the rise in larger DDoS attacks and their spread to all sectors across the globe.
DDoS attacks come in a number of forms, ranging from the targeted extortion of DD4BC, through hacktivism, to ‘low and slow’ distraction attacks often used as cover for data theft. As to the means of attack, the arsenal is large and seems only to grow: old-style HTTP floods, SYN floods, amplification attacks exploiting one or more protocols (NTP, DNS), and specially-written tools such as Slowloris. SMEs are now at risk of being on the receiving end of any of these, whatever the motive behind them.
So how should online SMEs defend themselves? The perception persists that UK-based SMEs are either not addressed by specific services or can’t afford them if they are. Although the market for SME anti-DDoS is in its early days, neither of these turns out to be true, indeed in time this could turn into the industry’s biggest sector.
As Marc Gaffan of DDoS firm Incapsula (acquired by Imperva) puts it, “most companies today should be worried about DDoS. This sounds very self-serving but DDoS is becoming an essential part of your online infrastructure.”
UK SMEs and DDoS attacks - Forget about firewalls
It’s a bad idea to rely on a conventional firewall in front of servers as DDoS protection, for a host of reasons, and doing so will almost always make things worse. Firewalls are stateful devices whose internal connection tables are finite; filling that table is a trivial task for any DDoS attacker with a SYN flood, because every spoofed SYN parks a half-open entry in the table until a timeout fires. Less experienced admins are sometimes misled by a firewall’s rated capacity, stated in Mbps, but in the real world a firewall can be overloaded by a DDoS attack long before that maximum is reached. When it does finally keel over, the reboot cycle will feel about as bad as the denial of service attack it was supposed to mitigate.
SMEs can massively improve on firewalls by buying specialised DDoS mitigation appliances designed to do the job properly but this class of hardware can be pricey and has to be managed, rendering it impractical for most firms. Putting equipment onsite also won’t offer an answer to large volumetric attacks that simply exceed the bandwidth of an organisation’s WAN connection.
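The following toy model, added here as an illustration and not code from the article or from any firewall vendor, puts numbers on the state-table point above. It models a stateful firewall as a finite table of half-open entries with a fixed SYN timeout, floods it with spoofed SYNs that never complete a handshake, and measures how many legitimate connection attempts are refused. The table size, timeout, frame size and packet rates are all assumed, illustrative values.

```python
"""Toy model of a stateful firewall's connection table under a spoofed SYN flood.

Added illustration, not code from the article or from any firewall vendor.
It shows why a firewall sold on an Mbps figure can be overwhelmed at a tiny
fraction of that rating: every spoofed SYN parks a half-open entry in a
finite table until a timeout fires. Table size, timeout, frame size and
packet rates are assumed, illustrative values.
"""
from collections import deque

SYN_FRAME_BYTES = 64  # assumed on-the-wire size of a minimal TCP SYN frame


class StatefulFirewall:
    """Finite half-open connection table with a fixed SYN timeout (assumed model)."""

    def __init__(self, max_entries, syn_timeout_ms):
        self.max_entries = max_entries
        self.syn_timeout_ms = syn_timeout_ms
        # (expiry_ms, label) in insertion order; expiry times are monotonic,
        # so the oldest entry is always at the left and is cheap to expire.
        self.table = deque()
        self.dropped = 0

    def _expire(self, now_ms):
        while self.table and self.table[0][0] <= now_ms:
            self.table.popleft()

    def new_syn(self, now_ms, label):
        """Admit a SYN if a slot is free. Returns True if admitted, False if dropped."""
        self._expire(now_ms)
        if len(self.table) >= self.max_entries:
            self.dropped += 1
            return False
        self.table.append((now_ms + self.syn_timeout_ms, label))
        return True


def saturating_syn_rate(max_entries, syn_timeout_s):
    """Smallest steady SYN rate (packets/s) that keeps the table permanently full."""
    return max_entries / syn_timeout_s


def mbps(pps, frame_bytes=SYN_FRAME_BYTES):
    """Link load, in Mbit/s, of a packet stream of the given rate and frame size."""
    return pps * frame_bytes * 8 / 1e6


def simulate(fw, flood_pps, legit_pps, duration_s, tick_ms=10):
    """Drive the firewall with a spoofed SYN flood plus legitimate SYNs.

    Spoofed SYNs never complete a handshake, so each holds its slot for the
    full timeout. Legitimate SYNs are modelled the same way for simplicity.
    Returns the fraction of legitimate SYNs that were dropped.
    """
    legit_total = legit_dropped = 0
    ticks = duration_s * 1000 // tick_ms
    for k in range(ticks):
        now_ms = k * tick_ms
        # Cumulative integer counts give exact packets per tick with no rounding drift.
        n_flood = flood_pps * (k + 1) * tick_ms // 1000 - flood_pps * k * tick_ms // 1000
        n_legit = legit_pps * (k + 1) * tick_ms // 1000 - legit_pps * k * tick_ms // 1000
        for _ in range(n_flood):
            fw.new_syn(now_ms, "spoofed")
        for _ in range(n_legit):
            legit_total += 1
            if not fw.new_syn(now_ms, "legit"):
                legit_dropped += 1
    return legit_dropped / legit_total if legit_total else 0.0


def demo(max_entries=20_000, syn_timeout_s=30, link_mbps=1_000):
    """Compare the table's saturation point with the link's rated capacity."""
    sat_pps = saturating_syn_rate(max_entries, syn_timeout_s)
    sat_mbps = mbps(sat_pps)
    # 600 pps of spoofed SYNs sits below the saturating rate; 10,000 pps is well above it,
    # yet at 64-byte frames it is only about 5 Mbit/s on a link rated at 1 Gbit/s.
    light = simulate(StatefulFirewall(max_entries, syn_timeout_s * 1000), 600, 50, 60)
    heavy = simulate(StatefulFirewall(max_entries, syn_timeout_s * 1000), 10_000, 50, 60)
    return {
        "saturating_pps": sat_pps,
        "saturating_mbps": sat_mbps,
        "saturating_pct_of_link": 100 * sat_mbps / link_mbps,
        "legit_drop_fraction_below_saturation": light,
        "legit_drop_fraction_at_10k_pps": heavy,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value:.3f}")
```

The saturating rate is simply table size divided by timeout: with the assumed 20,000 entries and 30-second timeout, roughly 667 SYNs per second, or about a third of a megabit, keeps the table full on a device that may be rated for a gigabit. At 10,000 SYNs per second, still only about half a percent of that rating, the model refuses more than nine in ten legitimate connection attempts over a minute. Real firewalls have larger tables, SYN cookies and other defences, but the ratio between the Mbps rating and the rate at which state is exhausted is the point.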
UK SMEs and DDoS attacks - Have a plan 'A'
The first line of defence is to have decided what to do in advance. When researching this article that was the single biggest observation made by DDoS experts: many smaller organisations simply have no policy in place to deal with a DDoS attack on any scale. The problem is treated as something the IT team is expected to field as best it can, bothering management only when things cross a certain threshold. This sort of reactive security hugely slows down the response, making whatever course of action is eventually chosen more expensive in the long run.
Contact the ISP or hosting provider
The first action of any company that believes it is being affected by a DDoS is to contact the ISP, hosting provider or Managed Security Service Provider (MSSP), who will be able to confirm this. This sounds obvious but it’s important to find out about the nature of the attack, enable any protections that come with hosting, and confirm whether the slowdown is caused by a direct attack on the company or as part of an attack on another set of IPs that happen to be in the same datacentre. ISPs don’t always venture this information.
The ISP will also be able to recommend DDoS mitigation, sometimes described as ‘scrubbing’ services. Branded examples of such services would be Cloudflare, Imperva’s Incapsula, Akamai (which acquired Prolexic), Neustar and even Verisign, all of which have various tiers of protection depending on what is being protected and against what size and type of attacks in the form of a Service Level Agreement (SLA). (Note: not all the above address the SME market in name but low-volume packages usually amount to the same thing.)
How much is this likely to cost?
The mitigation firms we contacted were reluctant to go on the record about the pricing of their service tiers, citing commercial confidentiality. The ballpark figures we prised out of them for ‘front-ending’ traffic started at around $1,000 (£700) per month, rising through $2,000-$4,000 (£2,000) per month to $10,000 (£7,500).
The differences in price relate to the point at which the SLAs become 24/7, which not every SME will be able to afford or need. But dealing with a Mumsnet-style nuisance attack could, we were told, be bought for the lower end of this price spectrum.
Remember, buying mitigation isn't just a matter of buying the bandwidth to scrub large attacks but the expertise to quickly defuse them. These firms employ engineers who see a range of different types of attack every day and are experts at interrogating and defending against them. They will also be able to defend cloud applications in a way no ISP can.
"This [mitigation] is a form of insurance - you don’t buy it when your house is burning down,” comments Roland Dobbins, principal engineer at DDoS equipment maker and services firm, Arbor Networks, dryly.
UK SMEs and DDoS attacks - Calculating the cost of an attack
The cost of a protection service has to be weighed against the cost of an attack in terms of downtime, transactions lost and reputational damage. These costs will vary by business sector, but for any online business (see the Mumsnet example above) an attack can be equivalent to having no business at all while it lasts.
“DDoS defence is about business continuity,” says Dobbins. “How much does a loss of availability cost per hour in terms of operation, lost business and loss of reputation?”
This is a polite way of saying that DDoS defence is now a form of risk management in the same vein as the insurance SMEs would buy to cover disasters, theft or other business problems. For those investing in cyber-risk insurance, DDoS might even be on the policy, although mitigation through a service has the added advantage of making repeat attacks less likely to succeed.
No shame in DDoS
A final piece of advice that might not be obvious: if the site slows or falls over because of a DDoS attack, don’t fall into the trap of hiding it. Once upon a time there was an odd shame in being singled out for DDoS attacks, but those days are long gone; any firm can find itself being DDoSed.
“They [Mumsnet] handled it in the best possible way,” comments Arbor’s Dobbins. “As soon as they understood what happened they communicated what had happened in a very open way. It is very important to be transparent about it.”
“We don’t see enough of that. A lot of organisations don’t understand what’s happening and then there is often an instinctive desire to keep quiet about it. That is always a mistake. You have to be transparent and give a post-mortem.”
Mumsnet, for one, admitted it had contracted DDoS protection after the August attacks from an unnamed firm.
In the past, hiding things was seen as cautious. But in an era when DDoS attacks and data breaches have become everyday events, hiding things is actually the riskier course: rumours swell, or customers start interpreting a loss of service as evidence of a more serious problem. Where DDoS attacks are concerned, openness is now the more cautious response.