Preventing DDoS armageddon

Storm warning

A recent blog by Carlos Morales, vice president of global sales engineering and operations at Arbor Networks , discussed the likelihood of a "DDoS Armageddon" attack.

Morales asked how big an attack would have to be to take down even the most prepared service provider, and suggested that Armageddon-style attacks of that magnitude could be on the horizon.

In the post, Morales addressed the metrics such as how to measure a DDoS attack in bandwidth and packet terms as well as detailing how Arbor's ATLAS system has seen attacks as high as 101.4 Gbps (bandwidth) and 139.7 Mpps (packets).

Attacks of that magnitude would have a profound effect on the internet as a whole.

It should come as no surprise there have been DDoS attacks capable of overwhelming an average 10 Gbps datacentre for many years now. An Armageddon attack, however, is defined as one that can take down the host target provider, as well as all of the other providers in between.

Morales argued that a 1 million host botnet could theoretically generate a DDoS attack in the region of 1 Tbps.

"Attacks of that magnitude would have a profound effect on the internet as a whole, exploiting bottlenecks in many places simultaneously," Morales said.

"No single service provider, even the largest tier ones, would be able to handle all this traffic without adversely affecting their user base."

But what do other security experts have to say about the likelihood of a

"DDoS Armageddon" and what businesses can do to prepare themselves for this? IT Pro has been finding out.

Expert security

Professor John Walker, chair of London chapter ISACA Security Advisory Group, said DDoS attacks are costing companies dearly, in terms of downtime, operability and ransom payments, if firms decide to try and pay off their attackers.

"During a high value window of operations, even the threat of a DDoS attack will send shivers down the spine of most online trading organisations, with a 30,000 payout [for example] being a drop in the ocean compared to the potential lost revenue," said Walker.

"For the ill-prepared and unimaginative CISO, the pay-off option may prove to be the most painless, [although] you can be sure to bet on one certainty once you have traded with criminality the likelihood is they, or some other like minded group, will add you name to their address book for a future visit."

Over the last 12 months, the School of Science and Technology at Nottingham Trent University have been running a research project to monitor DDoS attack patterns across the globe, revealed Walker.

"China is considered an aggressor, they also enjoy aggressive focus on their own logical boarders, sustaining high volume attack conditions each and every day," he said.

"And by inference, it was also evidenced on occasions where some physical events have occurred against a certain area, as with Hurricane Sandy, that the weakened state of a target offers the opportunity to leverage a heightened condition of cyber attacks in the form of a DDoS.

"It has also been noted that, as peak trading periods get closer, there is also a window of opportunity in which to ramp up the levels of DDoS attacks."

People's reliance on e-commerce sites and social media have also made many sites legitimate and high-value targets to DDoS attackers, said Walker.

"We have got used to migrating everything online where we are able to make available product, solution or service. However, this route to cost reduction, flexibility, and ease of use, also arrived with the baggage of criminal intent.

While it is in the business interest to enjoy the privilege of delivering online access to the designated client base, there are others who see this as an illicit opportunity to raise revenue, and as such the expectation should be for things to get much, much worse, until they get better.

"And we as the Community of Information Security Professionals need to start to work in a cross-domain imaginative, and collaborative mode to get ourselves back on the front foot," concluded Walker.

Amichai Shulman, chief technology officer and co-founder of Imperva, said the cost of staging an Armageddon-style DDoS attack could put off some would-be protagonists.

However, application layer attacks could become an important tool for hackactivists intent on carrying them out.

"These attacks achieve service interruption of large targets with a far smaller network footprint of volumetric attacks," explained Shulman.

"Application layer attacks abuse the inherent processing requirements of [an] attacked application in order to disrupt service of normal users.

"These attacks are becoming more prominent and even companies that have better visibility to volumetric attacks rather than application attacks are able to see an increase in [their] usage."

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at