LONDON/JOHANNESBURG (Reuters) - Organizations can protect themselves to some degree against cyber attacks like the ones WikiLeaks supporters have carried out against Visa and Mastercard but it’s a costly and constant race against time.
Most companies have no protection at all against distributed denial-of-service (DDoS) attacks, which put computer servers out of action by overwhelming them with requests — and most will never become targets.
But for those who are attacked, the consequences can be huge — the loss of a single day’s pre-Christmas sales could easily cost hundreds of millions of dollars for an online retail giant like Amazon, which has been targeted by activists this week.
The activists, a loose Internet grouping calling themselves Anonymous, failed to attract enough firepower this time to bring down Amazon — one of the world’s biggest web-hosting providers as well as a retailer — but have not given up.
They are enraged at the efforts of mostly U.S.-based Organizations to disrupt the online activities of WikiLeaks, which has sparked fury in the United States by releasing a torrent of confidential U.S. diplomatic cables.
Mikko Hypponen, chief research officer of Finnish software security firm F-Secure, says even the biggest and best-protected companies can be vulnerable.
“If an attack is large enough, anything can be taken down. Even Google itself went down under a DDoS attack caused by a Mydoom worm variant couple of years ago,” he says.
Commercial offerings do exist to minimize the effects of DDoS attacks — provided by the likes of Prolexic, Akamai or Verisign.
These intercept and analyze traffic to a site and divert it if it appears suspicious, for example, if a user seems to be visiting a site 100 times per second.
“This is only for people who are under heavy attacks. You can do it but it costs a lot of computation,” says Michiel Leenaars, strategy director at Internet technology fund NLnet.
“A denial-of-service attack is asymmetric because the person on the other side has to do a lot more work than you, which makes it easy to flood him, because otherwise it would be very hard to take down these websites because they’re very big.”
Alternatively, owners of websites who fear attack can increase their capacity, outsource work to hosting companies or change their server architecture to distribute incoming traffic more efficiently, to avoid being overwhelmed so easily.
The question is simply one of cost and risk assessment, says Sarb Sembhi, chairman of the security advisory group of ISACA, a non-profit global association that advises companies on information technology.
“These companies that are being attacked are being attacked for a reason, which is that the attackers are taking what they believe is revenge. The chances of you or me getting involved in this are slim,” he says.
Nonetheless, the use of DDoS attacks as a method of protest — rather than by criminals for financial gain — is on the rise, and ordinary people can take part by downloading a piece of software from the Internet.
According to leading open-source software distributor SourceForge, the piece of software — known as a low orbit ion cannon — has been downloaded more than 50,000 times, with 20 percent of the downloads to the United States.
“Anonymous is not a group of hackers. We are average Internet citizens ourselves and our motivation is a collective sense of being fed up with all the minor and major injustices we witness every day,” the group said in a statement on Friday.
DDoS attacks are clearly against the law in most countries, although for many protesters that may be an academic question, says Peter Church, a lawyer specializing in technology, media and technology at law firm Linklaters in London.
“It’s not a pure law issue. It’s a question of actually, how do you track these people down? How do you secure a conviction to criminal standards of proof?” he says.
A 16-year-old boy suspected of involvement in the online campaign has been arrested in the Netherlands and is due to appear in court later on Friday.
DDoS attacks have been used previously in real conflicts.
In 2007, a series of attacks targeted websites of the Estonian parliament, government ministries, banks and media Organizations, sparked by a row between Russia and Estonia over the removal of a Soviet World War Two memorial.
And during the brief 2008 war between Georgia and Russia over breakaway South Ossetia, attacks disabled and took offline websites in all the countries involved.
Leenaars doubts that the WikiLeaks supporters have enough support to cause such widespread damage, unless the situation escalates further.
“The more attackers you have, the easier it becomes — but you have to have something that’s really a social subject. I’m not sure that the WikiLeaks cause has the power to attract enough people, for now.”
Editing by Janet McBride