Companies using web hosting services expect high availability and lightning-fast performance for their online applications. That’s why hosting providers should be concerned about the rapidly growing Distributed Denial of Service (DDoS) threat. Driven by commercial, political and other motives, today’s DDoS attacks use computers distributed across the Internet to clog a network connection or overload server resources until the targeted website becomes unavailable for service.
What makes DDoS attacks particularly thorny for hosting providers is that multiple clients share resources and Internet connections. This means that a DDoS attack preventing users from accessing one hosted site can cause performance degradation and even downtime to other “innocent” sites and services being run out of that same data center.
To learn more about defending your hosting business against harmful DDoS attacks, download this WHIR white paper.
The Financial Impact of a DDoS Attack
The impact of a DDoS attack on an online business is clear: every minute of downtime means a loss of revenue. To quantify this impact, Incapsula commissioned a survey of 270 North American companies of various sizes.
The findings showed that some 45 percent had been hit at least once by a DDoS attack. The average cost of a DDoS attack is $40,000 dollars per hour, while nearly half of all DDoS attacks last between 6 to 24 hours. And that’s just the impact on the targeted business. What about the other hosting clients sharing the gateway that is being flooded by the DDoS attack? Hosting providers have an obligation to them as well.
DDoS Botnets on the Rise
Most DDoS attacks make use of botnets, which are a network of bots (“zombies”) that can be commanded as a group to launch DDoS attacks. As published in our 2013-2014 DDoS Threat Landscape Report, we recorded an average of 12+ million unique DDoS sessions per week in early 2014, representing a 240 percent increase over the same period in 2013.
DDoS attacks come in two flavors. High-volume network (Layer 3 & 4) attacks, such as SYN floods and DNS amplification, often exceed 200 Gbps. Application (Layer 7) attacks, on the other hand, are much leaner, since even 50-100 requests per second to a resource-heavy asset are enough to overload the typical mid-sized application server.
Regardless of the flavor, what is common to all types of DDoS attacks is that they are executed via botnets comprised of hijacked devices (computers, servers, etc.). Hackers typically compromise these machines by taking advantage of logic or security vulnerabilities, enabling them to gain full control of these resources for use in DDoS attacks.
Mega Vulnerabilities Help Accelerate Botnet Expansion
During 2014 a number of mega vulnerabilities were discovered. Unlike most vulnerabilities that are specific to a particular OS, browser or software application, this type of vulnerability (e.g., Heartbleed and Poodle) relates to the core Internet infrastructure (e.g., SSL and Linux devices).
Due to the huge number of systems affected worldwide by these vulnerabilities, their appeal to hackers is almost irresistible. Even after these vulnerabilities are patched, persistent hackers are likely to find plenty of under-maintained servers they can exploit. In this way, mega vulnerabilities fuel and accelerate the expansion of malicious botnets.
This new dynamic can be seen in the recent Shellshock mega vulnerability, discovered in Bash (the most common command-line shell used in Linux/Unix systems). Once exploited, this vulnerability allows attackers to completely take over the server, making it an available resource for executing DDoS attacks.
Following Shellshock’s discovery and the release of a patch, Incapsula saw exploit attempts increase from around 400 offending IPs at zero day to over 15,000 four weeks after discovery. Most of these were attempts by hackers to hijack vulnerable Linux and Unix servers.
What to Look for in 2015
The endless chess game between savvy adversaries and security teams will continue in 2015. DDoS attacks will keep growing in size and sophistication, while at the same time more mega vulnerabilities will be discovered by security researchers. The almost inevitable result will be an increase in the exploitation of mega vulnerabilities to build botnets and carry out DDoS attacks.
Similarly, we expect that open website platforms (e.g., Drupal, WordPress, etc.) will also be prime targets for hackers, who can exploit security holes in these platforms to steal data or to launch DDoS attacks as part of a botnet.
While DDoS attacks threaten the core of the hosting business, they also represent a new business opportunity for providers. Most clients need much more than “pure” web hosting – this includes security, storage, backup, etc. By offering them DDoS mitigation services, hosting providers can meet clients’ needs for high availability and performance, while increasing revenues and enhancing their service portfolio.
About the Author
Marc Gaffan is CEO and co-founder of Incapsula. Marc has extensive experience in leading product marketing and management activities at leading security companies. Prior to founding Incapsula, he was Director of Product Marketing at RSA, EMC’s security division, where he was responsible for strategy and go to market activities of a $500M IT Security product portfolio. Before that, Marc was the Director of Marketing for the Consumer Solutions Business Unit at RSA. While at RSA, he appeared before the US Congress, FDIC and Federal Trade Commission on cyber security and identity theft topics. Marc holds a B.A. in Computer Science and Economics from Tel Aviv University and an M.B.A. from Recanati Graduate School of Business Administration.