Everyone’s talking about DDoS: Part Two

In Information Security By Team Acumin / 2nd July 2012

Contradictions are good, they’re very human, a sort of nod to duality. With night comes day, with heat comes the cold, with the Force comes the Dark Side.

While we began the first half of this feature sounding off about excessiveness – with good reason we hasten to add – we are, through being involved in the conversation about DDoS, an example of what we call legitimate over-abundance. In this case, lots of eager banter about DDoS is a good thing.

We left you on a quasi-cliffhanger, which was deliberate. Some wise person once said you should never go to sleep having not ended an argument, but our precipitous subject matter was more a volley of information into your court to sleep on, after which, you kindly smashed it back, with shrewd insight no doubt.

Now, while the legality of DDoS might be something that a small band of ethically-minded people perceives to be sound, it is, in today’s wisdom, anything but. It’s illegal and carries with it serious punishments. That’s because DDoS attacks can damage big corporations and government.

Ryan Cleary and Jake Davis have recently admitted attacking both the Serious Organised Crime Agency in the UK and the CIA in the US, as well as running DDoS attacks against well-known brands like 20th Century Fox, Sony, News International and Nintendo to name but a few.

The reason such organisations have responded severely is that they recognise that DDoS attacks are more than just a nuisance. As we shift to operating more and more of our lives online, such attacks have the power to seriously disrupt the way society functions.

If they can bring down a government website, who’s to say they can’t do the same to the NHS website, where, in the hypothetical future, patients may end up with essential medicine?

According to Vic Mankotia, security vice president of CA Technologies for Asia-Pacific and Japan, DDoS attacks are becoming more sophisticated and consequently damaging.

For example, the fact that some DDoS attacks originate from automated systems with “payloads delivered from USB sticks and protocols such as Bluetooth and magnetic strips of cards” reveals a new era in this criminal activity, he told ZDNet Asia.

It’s hard to keep up with changes, that much is true. Sometimes, it has to be said, businesses themselves are at fault. Don’t get us wrong, we’re not condoning the activities, everyone hit by a DDoS attack is a victim, but companies could be better off if they beef up their security.

In a fascinating article for Wired recently, one that concentrated principally on the lack of insurance cover for DDoS attacks, Miguel Ramos, a senior security consultant at Neustar, took us briefly back to the not so distant past.

“Think back to your history classes and ponder the Maginot Line, the pre-World War II French military fortifications. Hailed as a brilliant innovation and utterly impregnable, the line was quickly outflanked by a cunning and determined foe,” he observed.

“This is not too dissimilar to the way many businesses defend against DDoS attacks. It’s not uncommon to hear, ‘No problem, we’ve got it covered.’ But with what?”

He cited the example of the “woeful” weaknesses demonstrated earlier this year when such an attack on the DNS server of the British Home Office “achieved the goal every hacktivist aspires to: Garnering global attention through strategic targeting to raise awareness for its cause.”

Such things do bring the matter to the public arena, hence this extended feature. We commend organisations like Check Point for developing tools to fight this battle; we even welcome the chutzpah of D66, for helping us come up with answers as to why DDoS should remain illegal.

Now, enough words have been written, that much is true, so, we put an end to abundance, and leave the thinking to you.