ASM Editor Chris Cubbage interviews Roland Dobbins, Arbor Networks Solutions Architect for Asia-Pacific.
Mr Dobbins is the author of the 7th Annual Worldwide Security Infrastructure Report, 2012 which reveals the Distributed Denial of Service (DDoS) threat landscape, attack motives and the first ever IPv6 attack.
CC: What jumps out initially is the ideologically motivated hacktivism that you have raised as the single most readily identified motivation behind DDoS attacks. In terms of hacktivism, what do you think is the major motivation behind those types of attacks, rather than just being financially motivated?
RD: They are ideologically motivated and it really crosses the entire ideological and political spectrum. So there is no one particular group with a particular axe to grind who can really be identified, it really crosses the entire spectrum.
CC: Are there any consistencies in the type of attacks that would indicate that it is one type of group? Are we talking extremists or environmentalists? Is there any correlation in the data in the types of attack, for you to say the main motivation is ideological?
RD: Not really. We asked the question, we gave a list of 10 or 12 different motivations, please rank how common you find these motivations, all the way from not applicable up through to quite commonplace, on a scale of 0 – 5. And when you speak to Internet Service Providers (ISPs) and ask someone what is the motivation behind a given DDoS attack, the most common answer is: ‘we have no idea.’
Sometimes they would know that it was a DDoS extortion attack because they have been working with the customer to defend against the attacker, and the customer would tell them, for example, that they received an extortion demand, so that’s pretty easy to infer. And sometimes, when there are very high profile geopolitical events taking place, then targets of natural prestige are being attacked and more and more political enemies are involved in the dispute, which is relatively easy to characterise.
Most of the time, ISP people say, ‘I don’t know,’ and so we were actually quite surprised this year, in one sense, to see that the number one motivation was not ‘unknown’ but was actually politically and ideologically motivated DDoS attacks.
But at the same time this tallies with our subjective experience working with ISPs around the world over the last year. I can tell you that for me personally, probably half the attacks I worked on this year had a very clear political or ideological motivation. I just thought it was my own subjective experience, but it turns out that these are actually national trends that ISPs are reporting worldwide.
And we think that it is extremely significant because it really changes the risk model that organisations have. A lot of organisations have risk officers who look out for the physical safety of their employees and their physical facilities and so forth, and they take into account geopolitical controversies in their home countries, as well as in countries where they do business, countries within their supply chain and where partners are located.
This now needs to be extended to the online world as well, because organisations are becoming a target simply because they’re viewed as a prestigious organisation, because of the country where they’re headquartered, or because of enemies of their supply chain partners or customers.
CC: It is interesting, from a straight-out denial of service attack, that the motivation is ideological instead of financial or competitive or even extortion attempts. Given that being the motivation for many of these DDoS attacks, how does that correlate with the size of the attacks when it’s getting up to 60GB and a general 10GB range? That would appear to be within the grasp of anyone operating on the internet given the right tools.
RD: Absolutely, that is a very astute comment. So what we’re seeing in most, not all, cases is that the attackers typically tend to use the resources that are necessary to take down the target and they don’t generally engage in overkill. Now, there are exceptions to that, and most of those exceptions where there is overkill actually tend to take place in DDoS attacks that are ideologically or politically motivated. But yes, because of the nature of these attacks, the very large multi tentative attacks tend to be Domain Name System (DNS) reflection and amplification attacks or Simple Network Management System (SNMP) reflection and amplification attacks.
It takes a motivated attacker with a fair amount of skill, as well as resources at their command, in order to launch these attacks. So some of the politically and ideologically motivated DDoS attacks that we have seen are in that range. Conversely, a lot of them are not, because it’s not really that kind of attack party that’s necessary to take out the target, because the target is relatively brittle, fragile and may not have a lot in the way of defences.