Technology usually evolves as an answer to a problem. Take email protection, for example. In the early 1990s, most companies were just beginning to adopt email as a serious communication tool. Yet, within five years, nuisance email had become prevalent enough to earn the name “spam,” and by 2003, had prompted anti-spam legislation in the U.S. In spite of its history as a major distribution vehicle for security vulnerabilities, email is considered an essential business tool today — primarily because email security is one of the most mature solutions on the market.
As the spam phenomenon demonstrates, the evolution from technology problem to technology solution follows predictable stages: 1) at first there isn't a problem at all (or, at least, it's not perceived); 2) the problem affects a narrow group of “victims;” 3) the problem quickly grows in scope and scale, grabbing media attention; 4) the problem is pervasive, leaving virtually no organization or individual untouched; 5) solutions finally emerge.
Distributed denial-of-service (DDoS) attacks — which render websites inaccessible by inundating them with illegitimate traffic — are following much the same progression that email and spam did years ago.
In the late 1990s, DDoS attacks were far less prevalent, in part, because the internet had only 313,000 hosts. By 2000, that number had grown to 73 million hosts. It wasn't until then, when online assaults were launched against web giants Yahoo!, Amazon, and eBay that DDoS attacks gained widespread attention and became more frequent.
Even after these attacks, most companies were stuck in “stage two” thinking, not seeing themselves as high-value targets. Instead, they believed only high-profile corporations, e-commerce sites, banks, and financial institutions got attacked. Only hackers had the sophisticated knowledge to launch such attacks, which were difficult and expensive to pull off. Why would they waste their time and resources on the little guy?
By 2013, the DDoS landscape changed dramatically as the internet skyrocketed worldwide with 1 billion hosts and 2.8 billion users. Today, virtually every company in the world is on the web, and the Internet is pervasive in our lives, thanks to mobile devices and online services of every kind.
While these changes can be viewed positively, they also have created new vulnerabilities. Today, the tools and resources needed to launch a DDoS attack are incredibly cheap, easy to use, and readily available on the internet — to anyone. Attackers no longer fit the “evil genius” stereotype. In fact, they're decidedly unsophisticated. Even a bored, 12-year-old who stumbles across a DDoS tutorial on YouTube can pull off an attack.
In addition, social media — which was virtually unavailable even five years ago in some countries — provides a free, easily accessible, worldwide platform through which “hacktivists” can stir up supporters, incite rebellion, and recruit resources in a matter of minutes.
Not surprisingly, these changes have shifted the motivation behind attacks. Yesterday's hackers were driven purely by ego, launching attacks simply because they could. Today, some attackers are motivated by social, religious, or geopolitical causes; others by malice, revenge, or financial gain. Anyone who has a gripe against a company or deems it “guilty by association” can launch an attack.
One thing that's certain: the internet's ubiquity has enormously broadened the “attack surface.” Every organization with a website is free game for attackers now. Take, for example, the company that became the victim of a “stupid criminal” DDoS attack simply because the attacker, who intended to hit another site, misspelled the company name (How do you build that into your risk profile?). Popular SaaS and web-based apps for which availability is critical are particularly vulnerable, too. It's just a matter time before such applications are brought down.
Back to our premise about how technology solutions evolve. Where DDoS is concerned in 2014, we have arguably entered stage four: pervasive, leaving virtually no organization untouched. Some would say we desperately need to be moving into stage five: solutions finally emerge. But, for every new technology, the unique vulnerabilities must first be identified. Remember when mail relays weren't locked down by default? Plugging that vulnerability was just one of many services that secure mail gateway solutions addressed.
Vendors are taking the same approach to solve DDoS issues, identifying the flaws and vulnerabilities in various protocols to prevent their exploitation. In fact, the need to lock down DNS resolvers to prevent amplification attacks sounds strikingly similar to the problem with mail relays, doesn't it? Eventually everyone will need a DNS firewall to prevent open resolvers. And that's just one of many examples.
As new solutions emerge, it's critical for organizations to protect themselves by being informed, aware, and acting whenever possible. Those that don't take action, believing themselves to be invulnerable, are playing a very dangerous game.