Thought you knew about DDoS? Think again

Twitch.tv is just the latest distributed denial-of-service (DDoS) victim in a seemingly never-ending stream of attacks. Shortly after Amazon announced that it had acquired the streaming gaming service, Twitch.tv experienced a coordinated DDoS attack that completely shut it down. For those who make their livelihood through the service, this attack was more than a nuisance. Failing to understand how DDoS attacks work and how dangerous they can be leaves your network open to risk. Below is a compilation of myths that you need to overcome if you hope to protect your assets.

Myth 1: Hackers launch DDoS attacks to consume network bandwidth.

In the news, the seriousness of a DDoS attack is typically measured by the volume of attack traffic (e.g. the number of gigabits per second). By reporting only that figure, the media lead many people to believe that every DDoS attack targets bandwidth. In fact, DDoS attacks can just as well be designed to consume system and application resources: connection-state tables, CPU, memory, server worker processes, back-end database connections. The size of the attack traffic is therefore only one of several factors that determine the severity of an attack.

That is because the same volume of attack traffic can have a greater or lesser impact depending on the method employed. People sometimes assume that a SYN flood is a DDoS technique aimed at network bandwidth. In fact, the primary threat of a SYN flood is the consumption of connection table resources: each SYN from a spoofed or non-responding source leaves a half-open entry in the target's listen backlog (and in any stateful firewall or load balancer in the path) until it times out, so a stream of small SYN packets can fill that table while using very little bandwidth. A UDP flood, by contrast, costs the target only the bandwidth and the CPU needed to discard the packets. At exactly the same level of attack traffic, a SYN flood is therefore usually the more damaging of the two, unless the target already defends its backlog with a countermeasure such as SYN cookies.
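To make that comparison concrete, here is an added example (not code from the article). It replays constructed packet summaries for a SYN flood, a UDP flood of identical byte volume, and some normal clients, and reports what each stream costs the target: bit rate on one hand, half-open connection table entries on the other. The addresses, packet sizes, the 60-second half-open timeout and the 1024-entry backlog are assumptions chosen for illustration, not measurements of any real system.

```python
"""Cost to the target of a SYN flood versus a UDP flood of equal byte volume.

Added example; not code from the article. It replays constructed packet
summaries (client-to-server direction only) and reports two costs: bit rate,
and half-open entries held in the target's connection table. The target
parameters below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List

SYN_RECV_TIMEOUT = 60.0     # assumed: seconds a half-open entry survives before the kernel drops it
CONN_TABLE_CAPACITY = 1024  # assumed: half-open entries the listening socket's backlog can hold


@dataclass
class Cost:
    total_bytes: int
    window: float          # seconds over which the stream was measured
    peak_half_open: int    # most half-open entries held at any instant

    @property
    def mbit_per_s(self) -> float:
        return self.total_bytes * 8 / self.window / 1e6

    @property
    def table_exhausted(self) -> bool:
        return self.peak_half_open >= CONN_TABLE_CAPACITY


def cost_of(lines: Iterable[str], window: float = 1.0) -> Cost:
    """Replay summary lines of the form '<t> <src> <sport> <proto> <flags> <bytes>'.

    flags: 'S' = SYN (opens a half-open entry); any flag set containing 'A' but
    not 'S' = handshake completed (the entry becomes a full connection and leaves
    the half-open table); '-' = UDP (the target keeps no state at all).
    """
    half_open = {}   # (src, sport) -> arrival time of the SYN
    peak = 0
    total_bytes = 0
    for line in lines:
        t_s, src, sport, proto, flags, size = line.split()
        t = float(t_s)
        total_bytes += int(size)
        # Drop entries the target would have timed out by now.
        for key in [k for k, t_syn in half_open.items() if t - t_syn > SYN_RECV_TIMEOUT]:
            del half_open[key]
        if proto == "tcp":
            key = (src, sport)
            if "S" in flags and "A" not in flags:
                half_open[key] = t
            elif "A" in flags:
                half_open.pop(key, None)
        peak = max(peak, len(half_open))
    return Cost(total_bytes, window, peak)


# Constructed streams. Each attack delivers 120,000 bytes within one second.
def syn_flood(n: int = 2000, size: int = 60) -> List[str]:
    # Spoofed sources never answer the SYN-ACK, so every SYN leaves an entry behind.
    return [f"{i / n:.5f} 203.0.113.{i % 200 + 1} {1024 + i} tcp S {size}" for i in range(n)]


def udp_flood(n: int = 100, size: int = 1200) -> List[str]:
    return [f"{i / n:.5f} 203.0.113.{i % 200 + 1} {1024 + i} udp - {size}" for i in range(n)]


def legit_traffic(n: int = 50) -> List[str]:
    # Real clients complete the handshake 5 ms after the SYN, then send a 500-byte request.
    out = []
    for i in range(n):
        t, src, sport = i / n, f"192.0.2.{i % 50 + 1}", 40000 + i
        out += [f"{t:.5f} {src} {sport} tcp S 60",
                f"{t + 0.005:.5f} {src} {sport} tcp A 52",
                f"{t + 0.010:.5f} {src} {sport} tcp PA 500"]
    return sorted(out, key=lambda line: float(line.split()[0]))


if __name__ == "__main__":
    for name, stream in [("SYN flood", syn_flood()), ("UDP flood", udp_flood()), ("legit", legit_traffic())]:
        c = cost_of(stream)
        print(f"{name:10} {c.mbit_per_s:5.2f} Mbit/s  peak half-open {c.peak_half_open:5}  "
              f"table exhausted: {c.table_exhausted}")
```

Both attack streams arrive at the same 0.96 Mbit/s, a rate no bandwidth graph would flag, yet the SYN flood leaves 2,000 half-open entries behind and overflows the assumed 1,024-entry backlog, while the UDP flood leaves none. The normal clients never hold more than one entry at a time, which is what makes a half-open count (rather than a byte count) a usable detection signal for this class of attack.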

Myth 2: DDoS attacks are always flood attacks.

The phrase "DDoS attack" connotes speed. Many people think of UDP floods, SYN floods, RST floods and the like when they hear it. Although flood-type attacks do account for a large proportion of DDoS attacks, not all of them are floods; there are also low-and-slow attack methods. Essentially, a DDoS attack either consumes a large number of resources or occupies them for a long period of time in order to deny service to other users. Flood-type attacks rapidly send a large amount of data and requests to the target. Low-and-slow attacks are different: they slowly but persistently send requests to the target and thus occupy resources for a long time, eating away at the target's capacity bit by bit. A typical example is to open many HTTP connections and send each request's headers a few bytes at a time, never completing the request, so that every connection ties up a server worker indefinitely while using almost no bandwidth; the Slowloris tool does exactly this. If we view a DDoS attack as an assassination, a flood-type attack is like an assassin who uses a machine gun. A low-and-slow attack is akin to death by a thousand cuts.
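The following added example (not code from the article) models the low-and-slow case. A server with a fixed number of connection slots faces a Slowloris-style attacker that holds connections open by sending a 40-byte header fragment every ten seconds, while legitimate clients arrive twice a second. It compares a weak configuration (an idle timeout alone) with a hardened one that also enforces a deadline for completing the request headers and a per-source connection limit. The slot count, timeouts, drip interval and addresses are assumptions chosen for illustration; the mechanics mirror what `client_header_timeout` and `limit_conn` in nginx or `mod_reqtimeout` in Apache are for, but the model is a simplification, not either server's implementation.

```python
"""Low-and-slow versus a fixed pool of connection slots.

Added example; not code from the article. A tick-based model with assumed
parameters (100 slots, a Slowloris-style attacker dribbling one header
fragment every 10 s, legitimate clients arriving twice a second). It shows
why slot occupancy, not bit rate, is the resource under attack, and what a
header deadline and a per-source connection limit do about it.
"""
from dataclasses import dataclass, field
from typing import List, Optional

TICK = 0.1  # seconds per simulation step


@dataclass
class Policy:
    idle_timeout: float                      # drop a connection that has sent nothing for this long
    header_deadline: Optional[float] = None  # drop if the request headers are still incomplete after this long
    per_source_limit: Optional[int] = None   # concurrent connections allowed per client address


@dataclass
class Conn:
    src: str
    opened: float
    last_byte: float
    complete: bool      # request headers fully received
    done_at: float      # when a complete request finishes and frees its slot


@dataclass
class Server:
    slots: int
    policy: Policy
    conns: List[Conn] = field(default_factory=list)

    def count_from(self, src: str) -> int:
        return sum(1 for c in self.conns if c.src == src)

    def accept(self, src: str, t: float, complete: bool, service: float) -> bool:
        if len(self.conns) >= self.slots:
            return False
        lim = self.policy.per_source_limit
        if lim is not None and self.count_from(src) >= lim:
            return False
        self.conns.append(Conn(src, t, t, complete, t + service))
        return True

    def reap(self, t: float) -> None:
        """Release slots of served, idle, or over-deadline connections."""
        p = self.policy
        self.conns = [
            c for c in self.conns
            if not (c.complete and t >= c.done_at)                     # served
            and t - c.last_byte <= p.idle_timeout                     # not idle
            and not (p.header_deadline is not None and not c.complete
                     and t - c.opened > p.header_deadline)            # headers arrived in time
        ]


def simulate(policy: Policy, duration: float = 60.0, slots: int = 100,
             slow_conns: int = 150, drip: float = 10.0, slow_src: str = "203.0.113.9") -> dict:
    srv = Server(slots, policy)
    served = refused = attacker_bytes = 0
    for i in range(int(duration / TICK)):
        t = i * TICK
        srv.reap(t)
        # Slowloris-style attacker: every `drip` seconds each held connection sends a 40-byte
        # header fragment, which resets the idle timer without ever completing the request...
        for c in srv.conns:
            if c.src == slow_src and t - c.last_byte >= drip - 1e-9:
                c.last_byte = t
                attacker_bytes += 40
        # ...and it reconnects at once whenever a slot is free, up to slow_conns connections.
        while srv.count_from(slow_src) < slow_conns and srv.accept(slow_src, t, False, 0.0):
            attacker_bytes += 40
        # Legitimate clients: two per second from rotating addresses, full headers at once, 50 ms of service.
        if i % 5 == 0:
            if srv.accept(f"192.0.2.{(i // 5) % 50 + 1}", t, True, 0.05):
                served += 1
            else:
                refused += 1
    return {"served": served, "refused": refused, "attacker_bps": attacker_bytes * 8 / duration}


WEAK = Policy(idle_timeout=15.0)   # idle timer alone: a 10 s drip keeps it from ever firing
DEADLINE_ONLY = Policy(idle_timeout=15.0, header_deadline=20.0)
HARDENED = Policy(idle_timeout=15.0, header_deadline=20.0, per_source_limit=10)

if __name__ == "__main__":
    for name, pol in [("weak", WEAK), ("deadline only", DEADLINE_ONLY), ("hardened", HARDENED)]:
        print(f"{name:14} {simulate(pol)}")
```

Under the weak policy the attacker holds all 100 slots for the whole minute at about 3.2 kbit/s, and none of the 120 legitimate requests is served. A header deadline on its own does not help in this model, because the attacker reconnects the moment its connections are dropped, which is exactly how the real tools behave. The per-source limit is what restores service here, with the caveat that an attacker spread across many addresses defeats it, which is why the deadline, the limit, and upstream filtering are normally used together.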

Myth 3: Botnets of hijacked PCs are the source of all DDoS attacks.

Many security professionals take it for granted that all DDoS attacks are launched from botnets. However, not all attacks are carried out by botnets composed of personal computers that have been hijacked by hackers. As technology has advanced, the processing power and bandwidth of the high-performance servers used by service providers have increased rapidly, and correspondingly the development and use of traditional PC botnets have slowed. Besides their limited processing capability, PCs normally have very limited upstream bandwidth, and the periods during which they are switched on fluctuate. Some attackers have therefore turned to high-performance servers; compromised servers were used during Operation Ababil's attacks on U.S. banks. In addition, attacks are not always carried out with commandeered machines: the hacktivist group Anonymous prefers to launch attacks using large numbers of willing participants running a flooding tool (the Low Orbit Ion Cannon is the best-known example). We call this a "voluntary botnet."

Myth 4: Vandalism and mischief are the only goals of DDoS attacks.

People often misjudge the motives of attackers: why spend all that effort for no purpose? A DDoS attack takes some technical skill and its direct result is the destruction of a service's availability, which does not seem to benefit the attacker. But behind this simplistic stereotype are attackers who know exactly what a bitcoin is worth. The current generation of attackers weighs costs and benefits far more carefully than most people assume. They trade destructive power for profit, for example by demanding payment to stop an attack; they use the threat of destruction to deter losses to themselves; and they use destruction as leverage to shift a market or a dispute in their favour. Destruction is only one part of the motivation for a DDoS attack; the true goal is almost always profit of some sort.

Myth 5: DDoS attacks are not a concern for small websites and businesses.

If you operate a website, you are not exempt even if you derive little income from it or run it for a non-profit. Any site can be treated as fair game for profit. When cybercriminals choose extortion targets, they know that attacks on major websites may be more lucrative, but the costs and risks are usually greater too. Smaller sites, on the other hand, usually have weaker defenses, so an attack is more likely to succeed. Furthermore, competition is one of the major drivers of DDoS attacks: newcomer businesses may attack established ones to steal customers, and established businesses may attack newcomers to remove potential competition. Retaliatory attacks may not care about size or scale at all; the attacker may just want to prove a point. As long as a website is vulnerable, it may suffer a DDoS attack.

Source: http://www.scmagazine.com/understanding-the-ddos-threat/article/376191/