Distributed Denial of Service attacks have one goal: to make their target unavailable to its users.
There are a number of different ways these attacks can be carried out. One of the more common techniques is to use malware to infect computers that are then used to attack the target from many different sources at once.
One of the best known examples of a Distributed Denial of Service attack is the infamous MyDoom worm, which was sent out by email spammers and infected the recipients’ computers. At a predetermined date and time the malware flooded its target domains with traffic, bringing the sites down because they could not handle the flood of incoming connections.
More commonly, DDoS attacks make use of botnets: computers that have been infected with malware are turned into zombies controlled by a central computer. These botnets can then be used to launch an attack against a target of the attacker’s choosing.
The numbers inside an attack
But just what does it take to launch a successful DDoS attack? How many computers does an attacker use? How much bandwidth do they need to consume? How many connections does it take to bring a web application down?
A recent attack gives us a look into these numbers.
While it was not the largest DDoS attack ever launched against a website or web application, a week-long attack against an Asian e-commerce company in early November was the largest attack of 2011.
So just what does it take to bring down an e-commerce platform? Let’s take a look:
250,000 zombie computers coming from a variety of botnets.
This is an estimated number based on similar attacks in the past and on the amount of traffic and connections that were used to disable the e-commerce platform that was targeted.
The number of computers used in previous attacks was easier to estimate because, often, one large botnet was used for the whole attack. However, since large botnets like Rustock and Cutwail were taken down, cybercriminals have realised that large botnets attract too much attention, so the trend is to use smaller botnets, each under 50,000 infected computers, and combine them to launch large scale attacks.
45 Gigabits per second.
At its peak, this DDoS attack flooded the company’s site with up to 45 Gbps of traffic. To accomplish this, the botnets’ zombie computers sent an average of 69 million packets per second.
While this number is disturbing for a network engineer, it isn’t the most bandwidth ever consumed by a DDoS attack. In 2010 the 100 Gbps threshold was broken. If that doesn’t seem overly threatening, consider that 100 Gbps represents a 102% increase in the bandwidth consumed by these attacks over the course of one year and a 1000% increase since 2005.
Yet while the bandwidth consumed in the largest attack of 2011 is significantly lower than that of the previous year’s record attack, it doesn’t mean that the scope of the problem is decreasing. In fact, the 2011 attack was much more complex: six different attack signatures were used against both Layer 3, the network layer, and Layer 7, the application layer. The sophistication of this dual-layer attack meant it needed less bandwidth to do just as much damage.
15,000 connections per second.
15,000 connections per second is the equivalent of that many people trying to connect to a web site or web application every second. Not even the most naive, or aggressive, company would expect that many people to be trying to connect to its e-commerce platform every second.
That equals 1,296,000,000 connections in a 24 hour period. That much activity can bring some pretty impressive devices to their knees.
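The rates quoted above can be turned into a simple defender-side check. The following is an added example, not code from the article: it counts new connections per second and distinct source addresses in a constructed connection log (the 50/s baseline and the 10x alert multiplier are assumptions), and also works out the per-day connection count and the average packet size implied by 45 Gbps at 69 million packets per second.

```python
from collections import defaultdict
from datetime import datetime

# Assumed thresholds for this example: the article's peak was 15,000 new
# connections per second, a modest site sees a few dozen, so a 10x jump over
# an assumed baseline of 50/s is treated as an alert condition.
BASELINE_CONN_PER_SEC = 50
ALERT_MULTIPLIER = 10


def avg_packet_bytes(gbps, pps):
    """Average packet size (bytes) implied by a bandwidth and a packet rate."""
    return gbps * 1e9 / 8 / pps


def connections_per_day(conn_per_sec):
    """Sustained connections per second scaled to a 24 hour period."""
    return conn_per_sec * 24 * 60 * 60


def per_second_stats(lines):
    """Map each second to (new connections, distinct sources).

    Lines have the constructed form "<ISO timestamp> <src_ip> <event>";
    only SYN events (connection attempts) are counted.
    """
    counts, sources = defaultdict(int), defaultdict(set)
    for line in lines:
        ts, src, event = line.split()
        if event != "SYN":
            continue
        second = datetime.fromisoformat(ts).replace(microsecond=0)
        counts[second] += 1
        sources[second].add(src)
    return {s: (counts[s], len(sources[s])) for s in counts}


def flag_seconds(lines, baseline=BASELINE_CONN_PER_SEC, mult=ALERT_MULTIPLIER):
    """Return (second, connections, distinct sources) where rate > threshold."""
    stats = per_second_stats(lines)
    return [(s.isoformat(), n, d) for s, (n, d) in sorted(stats.items())
            if n > baseline * mult]


def make_sample_log():
    """Constructed log: one quiet second, then one second of a botnet SYN flood."""
    quiet = [f"2011-11-05T10:00:00.{i:06d} 192.0.2.{i % 5 + 1} SYN" for i in range(20)]
    flood = [f"2011-11-05T10:00:01.{i:06d} 198.51.100.{i % 250 + 1} SYN"
             for i in range(600)]
    return quiet + flood + ["2011-11-05T10:00:01.999000 192.0.2.1 FIN"]


if __name__ == "__main__":
    print(flag_seconds(make_sample_log()))
    print(round(avg_packet_bytes(45, 69e6), 1), connections_per_day(15_000))
```

The flood second stands out on both axes: the connection count is an order of magnitude above baseline and the requests come from hundreds of distinct sources, which is the signature of a botnet rather than a single misbehaving client.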
So far, the name of the company has not been released due to confidentiality agreements. The reason for the attack also remains unclear. Insiders do believe, however, that it was launched by a disgruntled user or by a competitor looking to gain an edge in the marketplace through industrial sabotage. Regardless of the reason, it is clear that the scale and sophistication of DDoS threats continue to grow. In cases like this it’s always best to have the best DDoS protection.