India Launches Most DDoS Attacks
Security Experts Detail DDoS Attack Threats, Defenses
When it comes to distributed denial-of-service attack origin, based on sheer attack-traffic volume, first place goes to India.
So says a new report from security vendor Symantec, which studied DDoS attack patterns across 50 different countries, and found that 26 percent of all DDoS attack traffic in the world originates from India. Second on the list is the United States, which accounts for 17 percent of all DDoS traffic, followed by Singapore at 9 percent. That research was conducted by Symantec's Security Response team, and is based on data collected from January to August 2014 by Symantec's global network of more than 42 million attack sensors, which are based across 157 countries and territories.
Responding to the report, however, multiple information security practitioners say they place less importance on where DDoS attacks originate. Instead, they argue, organizations must focus on how they can better detect, mitigate and prevent such attacks.
Why Attackers Love India
Of all the places in the world that could end up being a hotbed for launching DDoS attacks, India might seem to be a curious choice for attackers. But DDoS attacks often originate in countries that have a high number of bot-infected machines and a low adoption rate of networking technology designed to filter out spoofed packets, Symantec's report says, and India fits that profile.
Indeed, India has likely become a hotbed for DDoS-launching attackers "because of the [country's] low cybersecurity awareness, lack of adequate security practices and infrastructure," all of which work in attackers' favor, says Tarun Kaura, Symantec's director of technology sales in India.
But that doesn't mean the attackers themselves are located in-country. "The attacks are often orchestrated remotely," Kaura says.
One explanation for why India is an attractive target for DDoS service providers is the lackadaisical attitude to information security best practices found in many Indian enterprises, as well as tight security budgets, cybersecurity expert L. S. Subramanian, CEO of IT consulting firm NISE India, tells Information Security Media Group. Furthermore, he adds, too many end users fail to adequately secure their devices, thus leaving them vulnerable to malware that can infect their PC and turn it into a botnet node, which attackers can then tap to launch DDoS attacks. The same goes for corporate data centers, he adds, since high-bandwidth servers are attractive targets for criminals who want to launch DDoS attacks, or sell that service to others.
Samuel Sathyajith, country manager for India at DDoS defense firm Arbor Networks, says there has been a global resurgence in DDoS attacks in recent years, accompanied by ongoing innovation by attackers, who continue to develop new tools and techniques, as well as to expand their range of targets. India, he says, is likely witnessing that same trend. In particular, there's been an increase in local attacks linked to financial blackmail, in which criminals threaten to knock a business offline, or else attacks that are intended to distract IT security response teams while attackers simultaneously hack their intended target, he says.
In recent years, DDoS attacks have become much more sophisticated. In the old days, attackers would try to overwhelm sites with massive volumes of fake packets. But more recently, attackers have honed exploits that target certain networking protocols, which can cause disruptions using much smaller packet floods. Another up-and-coming attack involves amplification and reflection, in which attackers send a packet to a server from a forged source address, requesting that a large amount of data be sent back to that address. With enough such requests, small queries can produce overwhelming amounts of data flooding a victim's website, with all of the data being sent by an innocent, third-party server.
According to Symantec's study, amplification attacks that target domain name servers have increased by 183 percent in the past eight months.
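The reflection pattern described above leaves a recognizable trace on the victim side: large DNS responses arriving from many servers that the victim never queried. The following detector is an added illustration, not code from the article or from Symantec; it runs over constructed flow records of the form (src_ip, src_port, dst_ip, dst_port, bytes) and the thresholds are assumptions chosen for the sample.

```python
"""Flag likely DNS amplification/reflection victims from flow records.

Constructed sample input, not real traffic: a reflected flood shows up as
many large UDP responses from port 53 arriving at one destination that
never sent a matching query to those servers.
"""
from collections import defaultdict

# Constructed sample flow records (src_ip, src_port, dst_ip, dst_port, bytes).
SAMPLE_FLOWS = [
    # legitimate: a client queries its resolver and gets a small answer
    ("203.0.113.10", 40001, "198.51.100.53", 53, 60),
    ("198.51.100.53", 53, "203.0.113.10", 40001, 120),
    # reflected flood: large answers to a host that sent no queries
    ("192.0.2.1", 53, "203.0.113.99", 33333, 3000),
    ("192.0.2.2", 53, "203.0.113.99", 33334, 3100),
    ("192.0.2.3", 53, "203.0.113.99", 33335, 2900),
    ("192.0.2.4", 53, "203.0.113.99", 33336, 3050),
]


def find_reflection_victims(flows, min_unsolicited=3, min_avg_bytes=1000):
    """Return {victim_ip: {"responses": n, "avg_bytes": avg, "reflectors": k}}
    for destinations that receive at least min_unsolicited port-53 responses,
    averaging min_avg_bytes or more, from servers they never queried.
    Thresholds are assumptions for the sample, not values from the article."""
    # (client, server) pairs for which a query was actually observed
    queries = {(src, dst) for src, _, dst, dport, _ in flows if dport == 53}

    unsolicited = defaultdict(list)  # victim -> [(reflector, bytes)]
    for src, sport, dst, _, nbytes in flows:
        if sport == 53 and (dst, src) not in queries:
            unsolicited[dst].append((src, nbytes))

    victims = {}
    for victim, hits in unsolicited.items():
        avg = sum(b for _, b in hits) / len(hits)
        if len(hits) >= min_unsolicited and avg >= min_avg_bytes:
            victims[victim] = {"responses": len(hits), "avg_bytes": avg,
                               "reflectors": len({r for r, _ in hits})}
    return victims


if __name__ == "__main__":
    for ip, info in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"possible amplification victim {ip}: {info}")
```

On real flow exports the same logic applies per time window, and the "reflectors" count is the useful signal: a single large answer is normal, while dozens of distinct servers answering an unasked host is not.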
Another interesting change in the DDoS landscape has been attackers hijacking an increased number of Linux servers, adding them to their botnets, and using them to launch high-volume DDoS attacks, says Symantec's Kaura. He warns that cloud providers aren't immune to such attacks, and are in fact prime targets, given their data centers' powerful servers and high-bandwidth connections.
Ironically, as the impact and severity of DDoS attacks have continued to increase, the cost of hiring someone to launch a DDoS attack continues to plummet. So-called "booter" services, for example, can reportedly be rented for as little as 300 rupees (about $5), which buys a DDoS attack against any target, lasting for at least a few minutes. While that might seem insignificant, booter services are often used by gamers, who literally want to boot their competitors off of multiplayer games, to gain an edge. For big booter users, some service providers even offer monthly plans.
Finally, there's also been an increase in DDoS attacks originating from mobile and Internet of Things devices, according to Symantec's report. As more such devices get connected to the Internet, security experts expect attackers to take notice.
Subramanian says that the absence of a global agency that can monitor and crack down on Internet crime, such as Interpol, is also driving DDoS growth.
How To Fight Back
To counter the threat posed by DDoS attacks, Kaura says every business's incident response playbook should include a DDoS attack recovery plan. To build that plan, many experts recommend that whenever possible, organizations work with computer emergency response teams, and ensure that their in-house security personnel have up-to-date contact information for all service and Web hosting providers. Such preparation often proves essential for mitigating in-progress attacks.
NISE India's Subramanian says any effective DDoS defense plan must include proactive monitoring, including both tools and trained personnel. Educating all end users, as well as IT staff, about their role in helping to prevent DDoS attacks is also essential, he says.
CISOs in particular must remain vigilant against DDoS attacks, and harden their Internet-facing servers and applications to better withstand related attacks, says Satish Das, who until recently served as the CISO of Cognizant Technologies. "DDoS is an attack one can't avoid, but can only bypass with effective controls and flexibility built [into] the infrastructure," he says.