WikiLeaks Attacks Bringing Needed Attention To DDoS Prevention
The recent distributed denial of service (DDoS) attacks by supporters of the WikiLeaks organization were relatively small among all DDoS attacks, but the outsized media reaction to them brings needed attention to the threat of DDoS attacks in general and to the protections enterprise networks need to take, according to IT security experts.
December 20, 2010
After WikiLeaks.org released thousands of documents with confidential information about U.S. State Department cables, the third such document release this year, financial services companies such as Visa, MasterCard and PayPal were among those cutting off funding to WikiLeaks. Supporters of WikiLeaks retaliated by launching DDoS attacks against those companies' Web sites earlier this month.
While traffic to those sites was interrupted for a short period, the attacks were small and of limited effectiveness, according to an analysis by Arbor Networks. Despite the attention of mainstream media such as CNN, ABC News and CBS News, among others, "most of the attacks over the last week were both relatively small and unsophisticated," writes Arbor Networks' Craig Labovitz in a Dec. 14 blog post titled "The Internet Goes to War."
According to Arbor's analysis, the DDoS attacks on WikiLeaks' site hosting providers, some of which also severed ties with WikiLeaks over the disclosures, never grew beyond 3 to 4Gbps, meaning that's the speed at which Web page requests were hitting those sites. The point of a DDoS attack is to overwhelm a site with access requests so that the site goes down. Labovitz describes the attacks as "fairly routine" and "more of an annoyance than an imminent critical infrastructure threat."
But while the WikiLeaks attacks were relatively small, DDoS attacks can have collateral effects on other Internet traffic, says Danny McPherson, VP of research and development at VeriSign. A DDoS attack can travel the same path as legitimate Internet traffic and can slow that traffic down, McPherson says. In some cases, this may result only in an e-mail message being delayed by a few seconds, but in the case of a VoIP transmission, the delay could degrade the quality of a voice call. More importantly, a DDoS attack could prevent a network security certificate from being approved.
McPherson calls it "the butterfly effect," akin to the notion that if a butterfly flaps its wings in a South American jungle, it can set off a chain reaction that helps create a typhoon in the South Pacific. "When you launch a DDoS, that [target] is not the only one on the Internet that is affected," he says. "The Internet is inherently multitenant, and there is a very high probability that even with a reasonable-sized attack today, it can cause collateral damage to other users of that infrastructure."
Even though the WikiLeaks attacks were relatively small, at 3 to 4Gbps, a 10Gbps attack could disrupt the Internet backbone of an ISP, McPherson says. He adds that 10Gbps attacks occur across the Internet on average once every three hours. McPherson advises that Internet security officials at enterprises focus on ensuring that data on their networks is kept confidential, that its integrity is protected and that their networks remain available to keep business running.
Unfortunately, McPherson says, companies spend 80 percent of their IT security budgets on compliance only. There's a saying in the business, he adds: "Compliance doesn't get you security, but security should get you compliance."