Over the past couple of years, DDoS attacks haven't just become more sophisticated -- they've gone mainstream to the point that attackers aren't shy about using them brazenly in the name of social and political activism. Perpetrators rarely face any form of punishment, and it doesn't help that some judges have deemed the practice legal.
"It's no longer hidden. It's very, very public, it's well known," said Neal Quinn, VP of operations at Prolexic, a company that specializes in mitigating DDoS attacks. "And I'm not just talking about the Anonymous group, but all manner of people who openly use DDoS to make their point. It's mainstream. It's the most striking change over the last 18 to 24 months."
DDoS attacks have always been more difficult to prevent than other sorts of attacks. For one, most DDoS attacks don't take advantage of a poorly coded vulnerability; they are simply exhausting resources. Each year, I have several friends who have their sites or services taken down for at least several days as they battle DDoS attacks. Only one of those attacks ever resulted in a conviction.
Contributing to the public acceptance -- or at least tolerance -- of DDoS attack is the fact that many segments of our society support them for social and political reasons, according to Quinn. Political action groups often meet in public forums, discuss targets, announce their plans to the press, then attack. In some cases, target organizations become bigger scapegoats when they try to take legal action against the offenders, as opposed to quietly enduring the attacks.
Technologically speaking, DDoS attacks continue to grow larger and larger. It used to be that 1Gbps attacks were considered huge. Quinn said his company routinely sees attacks above 20Gbps.
But the most difficult challenge has been DDoS attackers' increasing sophistication as they've moved from targeting Layers 3 and 4 (routing and transport) to Layer 7 (the application layer). They've learned, for example, how to determine which elements comprise a victim's most popular Web page, honing in on which ones take the most time to load and have the least amount of redundancy.
"Attackers are now spending a much longer period of time researching their targets and the applications they are running, trying to figure out where they can cause the most pain with a particular application," Quinn said. "For example, they may do reconnaissance to figure out what URL post will cause the most resource-consuming Web page refresh."