8.3. Who Are the Victims of DDoS?


If we start with the premise that DDoS attacks are actually two-phased attacks (first breaking into thousands of computers and installing malware on them to use for attacking, and then using them to wage one or more DDoS attacks), then it follows that a significant amount of damage is actually spread out over a very large number of sites, in many jurisdictions, and over an extended time period. And that is before any DDoS flooding even takes place. Arguably, there may be more damage in aggregate from the cleanup of all the DDoS handlers and agents than is suffered by smaller DDoS victims, but there have certainly been DDoS attacks against large sites with high income from advertisers, which may suffer multimillion-dollar losses from attacks that last only a few hours to a few days.

Not only are the damages spread out, but so is the evidence necessary to attribute the attack to a specific individual or group and pursue criminal prosecution or civil remedies. As described in Chapters 5 and 7, traceback can be difficult, if not practically impossible. The network traffic associated with the attack, which proves what tool was used, how the DDoS network was controlled, and who did it, is spread out and highly volatile. Once the DDoS network ceases to function, there is no more network traffic, and nothing left to capture.

The quality of incident response by all parties involved can and does affect the overall investigation, yet the distributed nature of DDoS attacks may mean that these parties are in different countries, with different languages, time zones, and entirely different legal systems. Victims whose systems were used as handlers and agents may simply "wipe and reinstall" the operating system and applications, destroying evidence in the process. Network providers at those sites, or at the DDoS flooding victim site, may not focus at all on capturing network traffic, instead acting only to stabilize the network. In doing this, they fail to capture highly important evidence at the only time it may be present. In cases of extortion, it may be easier to follow the money than to follow the packets. (This is touched on by Lipson [Lip02].)

In the past few years, victims of the second phase of DDoS attacks (the flooding) have included:

  • Internet Relay Chat (IRC) networks.

  • Web sites associated with government agencies, such as the NSA, FBI, NASA, Department of Justice, and the Port of Houston in Texas.

  • Web sites associated with news organizations, such as Al-Jazeera, CNN, and the New York Times.

  • Terrorist-related Web sites.

  • Web sites associated with opposing sides in political conflicts (e.g., Arab/Israeli, Indian/Pakistani, U.S./China).

  • Web hosting sites, such as Rackspace.com and Rackshack.com.

  • Online gambling or pornography sites.

  • Anti-spam sites.

  • Major telecommunication providers or ISPs, such as British Telecom, Telstra, and iHug.

  • Major online businesses, such as Microsoft, Amazon, eBay, SCO, and Akamai.

The motivations for DDoS attacks are varied, and include simple pranks; grudges over perceived personal slights or denigration; making a political statement; exhibiting rage; personal aggrandizement within peer groups; attempting to gain financial advantage in betting or auction scenarios; and extorting money.

It is not easy to generalize about why someone would be attacked, but it is usually not hard to find reasons why someone may wish to bring harm to your organization. It then takes only sufficient technical skill, or the ability to engage (perhaps by hiring) someone who has those skills. Many believe it is only a matter of time before a terrorist organization or nation-state actor uses DDoS attacks for some political or military objective, perhaps directing the attacks against the critical infrastructures that support the United States economy. It would be unwise to believe that your site is entirely immune from being attacked, and this possibility should be weighed appropriately in your risk assessment, your continuity of operations policies and procedures, and your insurance portfolio.



Internet Denial of Service: Attack and Defense Mechanisms
ISBN: 0131475738
Year: 2003