There’s a striking disparity between how threatened service providers feel by potential DDoS attacks and how prepared they are to mitigate one, according to a Black Lotus survey. The findings demonstrate that while almost all participants (92 percent) have some form of DDoS protection in place, it is insufficient to stop an attack before damage is done.

Most respondents incurred increased operational expenses due to DDoS attacks, with more than 35 percent of the providers surveyed indicating that they are hit with one or more attacks weekly. The respondents represented companies of all sizes, from small to large.

The largest group represented in the survey was small companies of one to 999 employees worldwide (52 percent of all companies surveyed), with organizations of fewer than 250 employees (20 percent) as the largest subgroup.

Among the findings were:

  • 61 percent of providers feel that DDoS is a threat to their businesses.
  • Only 16 percent of the providers surveyed indicated that they had been rarely or never hit by a DDoS attack.
  • The top three industries with customers affected by DDoS attacks are managed hosting solutions (MHS), voice over IP (VoIP) and platform as a service (PaaS).
  • In case of a DDoS attack, 34 percent of the surveyed providers remove the targeted customer, and 52 percent temporarily null route or block the problem customer.
  • 64 percent of PaaS providers have been impacted by DDoS.
  • 56 percent of MHS providers have been impacted by DDoS.
  • 52 percent of infrastructure as a service (IaaS) providers have been impacted by DDoS.

“DDoS attacks lasting hours or even minutes can lead to loss of revenue and customers, making DDoS protection no longer a luxury, but a necessity,” said Shawn Marck, CSO of Black Lotus. “DDoS attacks will continue to grow in scale and severity thanks to increasingly powerful (and readily available) attack tools, the multiple points of Internet vulnerability and increased dependence on the Internet. Enterprises have to move from thinking of DDoS as a possibility, to treating it as an eventuality.”


One in five businesses surveyed believe that their online services should be protected against DDoS attacks by their IT service providers (in particular, network providers). However, this responsibility often falls on the shoulders of companies that come under attack, according to Kaspersky Lab.

On average, 28% of all businesses are of the opinion that protection against DDoS is not their concern. In fact, the survey shows that smaller companies take less responsibility for protecting their services against DDoS attacks.

40% of small businesses surveyed are confident that they are fully protected by network service or web hosting providers. Among large companies, less than 9% share this viewpoint. Only 9% of small and 2% of large companies rely on the police and the government.

At the same time 44% of respondents believe that their IT departments should protect them against DDoS attacks. 16% of those surveyed rely on their senior management, 8% on the security department, and 4% on the Risk Management Department. In total, only 72% of companies agreed that combating DDoS is their responsibility (50% of small businesses compared with almost 90% of large companies).

“By relying on IT services providers, many companies are putting themselves at risk”, said Evgeny Vigovsky, Head of Kaspersky DDoS Protection, Kaspersky Lab. “Vendors do not usually offer this protection as a default option. Moreover, many providers are simply unable to provide reliable protection against DDoS attacks using their own resources because DDoS attacks are constantly getting bigger and more complex. Reliable protection can be only provided by companies that specialize in protection against cyberthreats and can offer highly efficient technologies and a team of qualified experts capable of constantly upgrading these technologies to meet an ever-evolving threat.”

Experience shows that almost any company, regardless of size, is a potential victim of a DDoS attack. According to the study, 28% of small businesses suffered a DDoS incident. Among large companies affected, this figure is slightly higher at 43% over the 12-month period. The experts also warn that an attack could cost more than $52,000, even for a small company.


Gary Newe, systems engineer, F5 Networks, recommends taking 10 decisive actions when you come under DDoS attack

The frequency and size of Distributed Denial of Service (DDoS) attacks are ever-growing and continue to be a priority issue for many businesses. With the ongoing work to shut down or neutralise botnets, a cyber-arms race has started, with hacktivists and other cyber criminals constantly searching for new ways in which to amplify attacks. As a result, DDoS attacks are increasingly common.

As the lines between the professional and social use of technology continue to blur, it is vital that we start to really recognise the significance of these attacks, how likely they are and how damaging they can be.

Scary and stressful

For the first-time DDoS victim, these attacks can be scary and stressful ordeals. That’s not surprising; poor network performance and website downtime can be massively costly for businesses, both in lost sales and consumer trust. It’s not all bad news though, as there are some steps that can be taken to mitigate the impact. Here, Gary Newe, systems engineer at F5 Networks, gives his recommendations on action to take, should you experience an attack:

1. Verify that there is an attack – Rule out common causes of an outage, such as DNS misconfiguration, upstream routing issues and human error.

2. Contact your team leads – Gather the operations and applications team leads needed to verify which areas are being attacked and to officially confirm the attack. Make sure everyone agrees on which areas are affected.

3. Triage your applications – Make triage decisions to keep your high-value apps alive. When you’re under an intense DDoS attack and you have limited resources, focus on protecting revenue generators.

4. Protect remote users – Keep your business running: Whitelist the IP addresses of trusted remote users that require access and maintain this list. Populate the list throughout the network and with service providers as needed.

5. Classify the attack – What type of attack is it: Volumetric? Slow and low? Your service provider will tell you if the attack is solely volumetric and may already have taken remediation steps.

6. Evaluate source address mitigation options – For advanced attack vectors your service provider can’t mitigate, determine the number of sources. Block small lists of attacking IP addresses at your firewall. Block larger attacks with geolocation.

7. Mitigate application layer attacks – Identify the malicious traffic and whether it’s generated by a known attack tool. Specific application-layer attacks can be mitigated on a case-by-case basis with distinct countermeasures, which may be provided by your existing solutions.

8. Leverage your security perimeter – Still experiencing issues? You could be confronting an asymmetric layer 7 DDoS flood. Focus on your application-level defences: login walls, human detection, or Real Browser Enforcement.

9. Constrain resources – If previous steps fail, simply constraining resources, such as rate and connection limits, is a last resort – it can turn away both good and bad traffic. Instead, you may want to disable or blackhole an application.

10. Manage public relations – If the attack becomes public, prepare a statement and notify internal staff. If industry policies allow it, be forthright and admit you’re being attacked. If not, cite technical challenges and advise staff to direct all inquiries to the PR manager.

It’s an unfortunate fact that the DDoS threat has never been greater and is likely to continue to grow. As ever, the best protection is to be prepared for whatever will get thrown at you and DDoS mitigation should be part of your preparation. It’s important to consider if your network is up to scratch to cope with unexpected loads and if it has the intelligence to identify legitimate traffic during peaks, before an attack hits.
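Steps 5 and 6 of the checklist can be run over exported flow records, as in this added example (not from F5 or the original article). It labels each flow by vector, counts distinct sources per vector, and picks between a firewall block list and a geolocation filter. The record layout, the sample flows, `KNOWN_NTP_HOSTS` and the `SMALL_LIST_MAX` cutoff are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (documentation address ranges):
# (src_ip, proto, src_port, dst_port, tcp_flags, bytes)
FLOWS = [
    ("198.51.100.7", "udp", 123, 443, "", 46800),
    ("198.51.100.9", "udp", 123, 443, "", 46800),
    ("203.0.113.20", "udp", 123, 443, "", 46800),
    ("203.0.113.21", "udp", 1900, 443, "", 3200),
    ("192.0.2.10", "udp", 123, 123, "", 76),          # reply from our own NTP server
    ("192.0.2.55", "tcp", 51512, 443, "SAPF", 9100),  # completed HTTPS session
    ("203.0.113.99", "tcp", 40000, 443, "S", 60),     # bare SYN, never completed
]

KNOWN_NTP_HOSTS = {"192.0.2.10"}        # assumption: time servers we actually use
REFLECTED = {123: "NTP", 1900: "SSDP"}  # UDP source port of amplified replies
SMALL_LIST_MAX = 2                      # assumption: cutoff for a firewall block list


def vector_of(src, proto, sport, flags):
    """Label one flow with an attack vector, or None if it looks legitimate."""
    if proto == "udp" and sport in REFLECTED:
        if sport == 123 and src in KNOWN_NTP_HOSTS:
            return None                 # expected reply from a server we query
        return REFLECTED[sport] + " reflection"
    if proto == "tcp" and flags == "S":
        return "SYN flood"              # heuristic: only a SYN was ever seen
    return None


def triage(flows):
    """Per vector: (total bytes, distinct sources, step-6 mitigation option)."""
    stats = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for src, proto, sport, _dport, flags, size in flows:
        vec = vector_of(src, proto, sport, flags)
        if vec:
            stats[vec]["bytes"] += size
            stats[vec]["sources"].add(src)
    report = {}
    for vec, s in stats.items():
        n = len(s["sources"])
        action = "firewall block list" if n <= SMALL_LIST_MAX else "geolocation filter"
        report[vec] = (s["bytes"], n, action)
    return report


if __name__ == "__main__":
    # Print vectors in descending order of traffic volume.
    for vec, row in sorted(triage(FLOWS).items(), key=lambda kv: -kv[1][0]):
        print(vec, row)
```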


In the final quarter of 2014, the size of distributed denial-of-service (DDoS) attacks mitigated by Verisign had an average peak size of 7.39 Gbps, marking a 14 percent increase over the third quarter of 2014 (6.46 Gbps) and a 245 percent increase over the final quarter of 2013 (2.14 Gbps).

Those findings are a part of the ‘Verisign Distributed Denial-of-Service Trends Report’ for the fourth quarter of 2014, which includes observations on DDoS activity for the period beginning Oct. 1, 2014 and ending Dec. 31, 2014.

“In all, 42 percent of attacks leveraged more than 1 Gbps of attack traffic, which even today remains a significant amount of bandwidth for any network-dependent organization to over-provision for DDoS attacks,” the report revealed, adding 17 percent of attacks leveraged more than 10 Gbps of DDoS traffic.

In the fourth quarter of 2014, UDP amplification attacks leveraging Network Time Protocol (NTP) continued to be the most common DDoS attack vector, but Simple Service Discovery Protocol (SSDP) also continues to be exploited in amplification attacks, according to Verisign’s research.

For NTP amplification attacks, the report stated that “the solution can be as easy as restricting or rate-limiting NTP ports inbound/outbound to only the authenticated/known hosts.” With SSDP-based attacks, “SSDP implementations [for most organizations] do not need to be open to the Internet.”

Which industry was hit hardest by DDoS attacks in the fourth quarter of 2014?

Verisign saw IT services/cloud/Software as a Service (SaaS) customers experiencing the largest volume of attacks, with one customer experiencing the largest volumetric UDP-based DDoS attack in the final quarter of 2014, the report indicated.

“This was primarily an NTP reflection attack targeting port 443 and peaking at 60 Gbps and 16 Mpps,” the report states. “The attack persisted at the 60 Gbps rate for more than 24 hours, and serves as another example of how botnet capacity and attack sustainability can be more than some organizations can manage themselves.”

The media and entertainment industry was also a big target. One customer experienced the largest TCP-based attack – a SYN flood – of the quarter, according to the report, which explains that the attack targeted a custom gaming port and peaked at 55 Gbps and 60 Mpps.

Altogether, 33 percent of Verisign DDoS mitigations were for IT services/cloud/SaaS customers, 23 percent were for media and entertainment customers, 15 percent were for financial customers, 15 percent were for public sector customers, eight percent were for ecommerce/online advertising customers, and six percent were for telecommunications customers.

Public sector customers experienced the largest increase in attacks in quarter four of 2014, the report notes.

“Verisign believes the steep increase in the number of DDoS attacks levied at the public sector may be attributed to attackers’ increased use of DDoS attacks as tactics for politically motivated activism, or hacktivism, against various international governing organizations, and in reaction to various well-publicized events throughout the quarter, including protests in Hong Kong and Ferguson, MO,” the report states.


The hacker collective that took responsibility for a series of distributed denial-of-service (DDoS) attacks over the Christmas holiday against gaming networks claims to have struck again.

Lizard Squad has reportedly launched new attacks over this past holiday weekend on gaming services which include Xbox Live and possibly Daybreak Games, previously known as Sony Online Entertainment, according to The Guardian.

The group took to its Twitter account to announce the attacks, posting on Monday morning that its next target would be Xbox Live, later tweeting “Xbox (360) Live #offline.” While Microsoft has yet to comment on the incident, gamers were reportedly logging problems associated with the disruption.

The hacker group took responsibility for knocking Xbox Live and the Playstation Network offline on Christmas day, leaving gamers without service for days. Following that event, the FBI launched an investigation against the group.