The significant increase is a direct result of the misuse of information for marketing purposes. While the method that was used to take down Spamhaus was fairly well known and had been around for a while, media attention was purposefully exploited by CloudFlare for its own gain. This exposed this type of attack to a much wider audience. It basically laid out the blueprints and also broadcast how massive the DDoS could be if done right and with the proper resources.
Most of the time, people who DDoS have no idea how large a reaction they are generating. They are merely trying to achieve their goal of taking down the target. Well, CloudFlare publicized the size of this attack on a daily basis and it enlightened a whole new crowd to the method. Although it is believed that the CloudFlare final number of 300Gb/s was quite padded and that the real number was more believably around 100Gb/s, this was still a massive amount of bandwidth. As a result, tools popped up all over the place for scanning host machines to add to your database, along with tools to execute the attack. This made the process so simple that a 10-year-old with Windows had the ability to point and click and, in seconds, generate a few Gb/s of UDP traffic.
The unfortunate truth is that EVERYONE is at risk. Sometimes people get attacked and they have no idea why! The source is often someone who doesn't like one’s business, perhaps a competitor or someone trying to extort money.
How important is intelligence gathering when it comes to mitigating the effects of a massive DDoS attack? What type of information are you looking for?
It is extremely important for the entire online community. Mitigating the attack only stops the attack from hurting one specific target, but if you can find the information that will lead to the C&C, this can be reported to several “white hat” groups who volunteer their time into dismantling these botnets so they cannot attack anyone else. It is also important to figure out who the attacker is, in the event that criminal prosecution can be pursued.
What are some of the lessons that you've learned when you mitigated large DDoS attacks impacting your clients?
I learned quickly that no attack is the same. There is no “one size fits all” device out there that will stop every attack. To be responsible, a person needs to have many different tools in his or her arsenal, sometimes used together along with some manual work, to stop some of the more intelligent attacks.
Never assume that you have seen an attack as big as it would ever get. But also, it is worth noting that size isn't everything. It can actually be the smaller attacks, the ones which look quite similar to normal traffic, which are the hardest to stop.