This is page 2 of:
DDoS Attackers Switch Gears: Hit The Router, Not The Web Server
And unfortunately, it’s the attackers who get to pick the game, which always involves networks of malware-infected PCs, more than 70 percent of which are located in China, India or Turkey. (Filling out the big-botnet list: Pakistan, Venezuela, Indonesia, Mexico, Egypt and Korea. Large numbers of attacks also come from the U.S., Vietnam, Thailand and Brazil.)
Nor is it especially difficult for anyone who wants to send a DDoS flood in the direction of a retailer, whether for commercial, political or other reasons. Want to launch an attack? Hire a botnet, and keep hiring more attack capacity until you can see that your target can’t handle the load any longer.
Last year, that worked fine with relatively simple floods of HTTP commands, which is what most attacks used. Then retailers and other sites improved their ability to swat away those attacks. The result: This year, more than 80 percent of the attacks are using those lower-layer packets, which have to be handled by routers and actually require fewer packets to get the same unpleasant result (and are aimed at where the current defenses aren’t).
Yes, it is an arms race—one in which you’re almost never sure when an attack will come, or from where. (Last year’s WikiLeaks attacks at least had the virtue that Visa, MasterCard and Amazon knew who the attacks were coming from. Some were even announced in advance.)
But in practice, most attacks are hard to predict for timing, relatively cheap to launch and expensive to defend against. Because defense requires lots of networking hardware, there’s really no way to finesse the problem of an attack. When it comes, you either need to buy or rent a major defensive perimeter or you’ll go down. The rest of that time, you’ve got an expensive Maginot Line that almost no one is trying to get past.
And like the real Maginot Line, you can be pretty sure that eventually the bad guys will go around it, not through it.
Still, there’s one advantage to the financial misery involved in dealing with DDoS attacks. Most effective IT security spending is almost impossible to cost justify. If it’s implemented correctly and it really does what it should, your only evidence it was worth the expense is all the attacks that don’t come. That’s a tough sell at budget time.
At least when you’re hit with a DDoS attack, you’ll know. Boy, will you know.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
