Ten years ago, on 14 February 2000, DDoS (distributed denial-of-service) attacks – which attempt to disrupt an online service or application – knocked a number of high-profile websites offline for several hours, including a well-known auction site, the website of a global news channel and an internationally recognized online retailer.

Fast forward a decade and DDoS attacks have evolved to be more sophisticated, more prevalent and more dangerous than ever. Most recently, the website of a prominent Russian newspaper was targeted causing major disruption for the publication and its readers.

Botnets are a key player in DDoS attacks. Right now, we know that the most prominent spam-sending botnets control over five million active PCs. The actual number of botnets in existence is likely to be much higher, as an infected bot only becomes visible when it is active – in other words, spewing out spam or pummelling a site with a distributed denial-of-service attack.

However, most DDoS attacks are used against websites in order to saturate their capacity and prevent legitimate users from visiting, but in truth they can be a lot more sophisticated than that. DDoS attackers don’t care how they hit mail servers; they will use a number of tactics to reach as many businesses as they can. Dictionary attacks are a popular way of doing this: a business’s email domain is targeted with thousands, or sometimes millions, of randomly generated email addresses.

The spammers create seemingly valid email addresses by combining first and last names from dictionaries. Only a very small proportion of these is likely to match genuine email addresses at the organization. Attackers don’t care how big or small an organization is, so for a small company this can become a silent killer for its email system.
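The behaviour just described has a simple defensive signature: because almost none of the guessed names exist, a single client produces a burst of "User unknown" rejections with few or no accepted messages. The following is an added example, not code from the original article or from MessageLabs, that flags such sources from mail-server logs. The log lines are constructed for the example and modelled loosely on Postfix `smtpd` logging; the thresholds (`min_rejects`, `min_ratio`) and the function names are assumptions, not a documented standard.

```python
"""Flag SMTP client IPs whose traffic looks like a dictionary (directory-harvest) attack.

Heuristic: many distinct non-existent recipients tried from one source, with a
high ratio of unknown-recipient rejections to accepted messages.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample lines, modelled on Postfix smtpd output; not real traffic.
# 198.51.100.23: six dictionary-style guesses, nothing accepted -> attack pattern
# 203.0.113.7:   a partner MTA with one typo'd address and three queued messages
# 192.0.2.5:     two bad recipients only, too few to conclude anything
SAMPLE_LOG = """\
Feb 14 09:00:01 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.1 <john.smith@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@spam.invalid> to=<john.smith@example.com> proto=ESMTP helo=<spam.invalid>
Feb 14 09:00:01 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.1 <mary.jones@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@spam.invalid> to=<mary.jones@example.com> proto=ESMTP helo=<spam.invalid>
Feb 14 09:00:02 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.1 <david.brown@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@spam.invalid> to=<david.brown@example.com> proto=ESMTP helo=<spam.invalid>
Feb 14 09:00:02 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.1 <susan.taylor@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@spam.invalid> to=<susan.taylor@example.com> proto=ESMTP helo=<spam.invalid>
Feb 14 09:00:03 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.1 <james.wilson@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@spam.invalid> to=<james.wilson@example.com> proto=ESMTP helo=<spam.invalid>
Feb 14 09:00:03 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.1 <linda.evans@example.com>: Recipient address rejected: User unknown in local recipient table; from=<a@spam.invalid> to=<linda.evans@example.com> proto=ESMTP helo=<spam.invalid>
Feb 14 09:01:10 mx1 postfix/smtpd[1240]: 4F3A21C0: client=mail.partner.example[203.0.113.7]
Feb 14 09:01:12 mx1 postfix/smtpd[1240]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.7]: 550 5.1.1 <sales-team@example.com>: Recipient address rejected: User unknown in local recipient table; from=<bob@partner.example> to=<sales-team@example.com> proto=ESMTP helo=<mail.partner.example>
Feb 14 09:02:30 mx1 postfix/smtpd[1241]: 4F3A21C1: client=mail.partner.example[203.0.113.7]
Feb 14 09:03:45 mx1 postfix/smtpd[1242]: 4F3A21C2: client=mail.partner.example[203.0.113.7]
Feb 14 09:04:00 mx1 postfix/smtpd[1250]: NOQUEUE: reject: RCPT from unknown[192.0.2.5]: 550 5.1.1 <info@example.com>: Recipient address rejected: User unknown in local recipient table; from=<c@spam.invalid> to=<info@example.com> proto=ESMTP helo=<spam.invalid>
Feb 14 09:04:01 mx1 postfix/smtpd[1250]: NOQUEUE: reject: RCPT from unknown[192.0.2.5]: 550 5.1.1 <contact@example.com>: Recipient address rejected: User unknown in local recipient table; from=<c@spam.invalid> to=<contact@example.com> proto=ESMTP helo=<spam.invalid>
"""

# A recipient the MTA does not know about, with the client IP in brackets.
REJECT_RE = re.compile(
    r"reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)
# A message that was accepted and assigned a queue id by smtpd.
ACCEPT_RE = re.compile(r"postfix/smtpd\[\d+\]: [0-9A-F]+: client=\S+\[(?P<ip>[\d.]+)\]")


@dataclass
class SourceStats:
    rejected: int = 0   # "User unknown" rejections from this client
    accepted: int = 0   # messages the MTA queued from this client
    guessed: set[str] = field(default_factory=set)  # distinct non-existent recipients tried

    @property
    def reject_ratio(self) -> float:
        total = self.rejected + self.accepted
        return self.rejected / total if total else 0.0


def summarize(log_text: str) -> dict[str, SourceStats]:
    """Aggregate per-client rejection and acceptance counts from raw log lines."""
    stats: dict[str, SourceStats] = {}
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            s = stats.setdefault(m["ip"], SourceStats())
            s.rejected += 1
            s.guessed.add(m["rcpt"].lower())
            continue
        m = ACCEPT_RE.search(line)
        if m:
            stats.setdefault(m["ip"], SourceStats()).accepted += 1
    return stats


def detect_dictionary_attacks(log_text: str, min_rejects: int = 5, min_ratio: float = 0.8) -> list[str]:
    """Return client IPs whose traffic is dominated by unknown-recipient rejections.

    Both thresholds are assumed values for the example; tune them to your own
    baseline of legitimate typo'd addresses before alerting on them.
    """
    return sorted(
        ip
        for ip, s in summarize(log_text).items()
        if s.rejected >= min_rejects and s.reject_ratio >= min_ratio
    )


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(f"{ip:16} rejected={s.rejected} accepted={s.accepted} "
              f"distinct_guesses={len(s.guessed)} ratio={s.reject_ratio:.2f}")
    print("flagged:", detect_dictionary_attacks(SAMPLE_LOG))
```

In a real deployment the counts would be kept per time window rather than over a whole file, and a flagged source would feed a rate limit or tarpit rather than an outright block, since a partner MTA with a stale address book produces the same kind of rejection, just far fewer of them. Postfix's `smtpd_soft_error_limit` and `smtpd_hard_error_limit` settings apply exactly this idea at the MTA itself, slowing and then dropping clients that accumulate errors within one session.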

There are concerns that, in the future, botnets will become increasingly self-sufficient, which could make them even more efficient at propagating DDoS attacks. The 2008 takedown of McColo, an ISP based in California, was followed by a significant drop in global spam volumes, by as much as 80 percent. However, less than two weeks after this ‘significant blow’, active spam-sending botnets started to make a speedy recovery.

Since McColo, botnets have changed. Savvy botnet owners are now building in business continuity plans to ensure their networks are self-sufficient, robust and less prone to disruption. Clearly, attackers have learned the importance of having a proper backup strategy for their command and control channels.

Semi-automated networks mean that cybercriminals are now free to pursue new business opportunities while targeted DDoS attacks take down critical online applications and services on their own.

Any organization with an online presence needs to take action now to protect itself from these types of attacks.


By Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec Hosted Services