IT leaders cruising for a denial-of-service bruising, says security expert
Report finds nearly one in five UK firms experienced a DDoS attack in 2011
IT bosses in the UK are displaying "a degree of complacency" over distributed denial of service (DDoS) attacks, claim security experts at intrusion protection firm Corero Network Security.
And they have a survey conducted by Vanson Bourne among 300 enterprises in the UK and US to back up their claim.
Nearly two-thirds (63 per cent) of US IT directors said they are concerned about the threat of a DDoS attack versus 29 per cent in the UK, according to the report published today.
While 38 per cent of US companies had experienced an attack in the past 12 months, 18 per cent of UK companies had.
"Unless a company has experienced an attack, we do see a degree of complacency," Andrew Miller, chief operating officer at Corero Network Security, told Computing.
The reason for the difference between US and UK experiences is that UK firms have been slower to the web, so they have been less exposed to attacks, according to security analyst Richard Stiennon, chief research analyst at IT-Harvest.
"As [UK organisations] deploy web applications they tend to do so in a more cautious and protected manner and because of this may be experiencing less disruptive DDoS attacks. As the sophistication of attacks rises their numbers will become more in line with the US," Stiennon added.
A DDoS attack disables or degrades an organisation's web servers by bombarding them with bogus traffic.
While brute-force attacks can be easy to detect, application layer attacks can be more subtle and manifest only as degraded web application performance.
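The distinction drawn above, between flooding that shows up as a traffic spike and application-layer abuse that shows up mainly as a slower site, is the basis for the two detection signals in the following added example. It is illustrative code written for this page, not code from the article or from Corero; the access-log layout, the client addresses, the timestamps and the response times are all constructed for the example, and the thresholds (requests per source per minute, and p95 response time against a baseline) are assumptions a practitioner would tune to their own traffic.

```python
"""Two-signal DDoS detection sketch over a constructed web access log.

Signal 1 (volumetric): requests per source per one-minute window; a
brute-force flood from a small set of addresses crosses a fixed limit.
Signal 2 (degradation): p95 upstream response time per window compared
with the p95 of the first baseline windows; an application-layer attack
may send modest traffic but still make the site unusably slow.
"""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical log layout assumed for this example:
#   <client ip> [<ISO timestamp>] "<method> <path>" <status> <upstream ms>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<ms>\d+)$'
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed lines are skipped rather than trusted
    return {
        "ip": m.group("ip"),
        "ts": datetime.fromisoformat(m.group("ts")),
        "req": m.group("req"),
        "status": int(m.group("status")),
        "ms": int(m.group("ms")),
    }


def percentile(values, p):
    """Nearest-rank percentile; adequate for small per-window samples."""
    s = sorted(values)
    idx = max(0, math.ceil(p / 100 * len(s)) - 1)
    return s[idx]


def detect(lines, per_source_limit=100, baseline_windows=2, degrade_factor=3.0):
    """Return alert dicts {window, kind, detail} for volumetric and degradation signals."""
    by_window = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_window[rec["ts"].replace(second=0, microsecond=0)].append(rec)
    windows = sorted(by_window)
    # Baseline p95 is pooled from the first windows, assumed to be normal traffic.
    baseline = [r["ms"] for w in windows[:baseline_windows] for r in by_window[w]]
    base_p95 = percentile(baseline, 95) if baseline else None
    alerts = []
    for w in windows:
        recs = by_window[w]
        label = w.strftime("%H:%M")
        for ip, n in Counter(r["ip"] for r in recs).items():
            if n > per_source_limit:
                alerts.append({"window": label, "kind": "volumetric",
                               "detail": f"{ip} sent {n} requests"})
        p95 = percentile([r["ms"] for r in recs], 95)
        if base_p95 is not None and p95 > degrade_factor * base_p95:
            alerts.append({"window": label, "kind": "degradation",
                           "detail": f"p95 {p95}ms vs baseline {base_p95}ms"})
    return alerts


def _lines(minute, ip, path, count, ms, status=200):
    """Build constructed sample log lines for one client in one minute."""
    t0 = datetime(2012, 3, 1, 9, minute, 0)
    return [
        f'{ip} [{(t0 + timedelta(seconds=i % 60)).isoformat()}] "GET {path}" {status} {ms}'
        for i in range(count)
    ]


# Constructed sample log: two normal minutes, one flood, one slow-request minute.
SAMPLE_LOG = (
    _lines(0, "192.0.2.10", "/", 20, 40) + _lines(0, "192.0.2.11", "/search", 15, 60)
    + _lines(1, "192.0.2.12", "/", 20, 40) + _lines(1, "192.0.2.13", "/search", 15, 60)
    + _lines(2, "203.0.113.7", "/", 250, 45) + _lines(2, "192.0.2.14", "/", 10, 45)
    + _lines(3, "198.51.100.5", "/search", 30, 900) + _lines(3, "192.0.2.15", "/", 10, 850)
)

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["window"], a["kind"], a["detail"])
```

Running the script reports a volumetric alert for the 09:02 window (a single address far above the per-source limit) and a degradation alert for 09:03, where only forty requests arrive but the p95 response time is fifteen times the baseline; the two quiet minutes produce nothing. The degradation signal is what a firewall counting packets would not see, which is the point the paragraph makes about application-layer attacks.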
Once the preserve of technically sophisticated hackers, DDoS attacks have been widely adopted by criminal gangs to extort money from vulnerable web-only businesses, such as online gambling sites.
The victims pay up to call off an attack that can bring down a site or degrade its performance to the extent that it becomes unusable for customers.
More recently DDoS attacks by politically motivated hacktivists, such as Lulzsec and Anonymous, have targeted the websites of government agencies, financial services firms and even lawyers chasing alleged copyright thieves.
IT leaders on both sides of the Atlantic are fairly confident of meeting the challenge: 62 per cent say they have the technology to defend against DDoS attacks.
But what they have in place may not be up to the job, warned Miller.
"IT directors who believe they are protected against DDoS attack because they have traditional perimeter security technology, such as network firewalls, in place, may be lulled into a false sense of security.
"These companies should consider purpose-built DDoS defence technology to block attacks and maintain continual availability lest the business suffer significant loss."
Miller said attacks were aimed not just at disabling servers to prevent customers from using them, but as smokescreens to distract security staff while a more subtle targeted attack – for example, to acquire intellectual property – is carried out elsewhere.
With the high-profile antics of the Anonymous group and its imitators front of mind, a third of UK companies that had reported an attack blamed hacktivism. But that wasn't uniform across vertical markets.
The UK retail sector considers extortion to be the primary motivator. But the finance sector points the finger at ideological motives.
Levels of concern also vary by vertical. More than half (52 per cent) of retailers expressed a high level of concern about DDoS attacks.
But only 28 per cent of financial firms were this worried, along with 11 per cent of manufacturers and just seven per cent of firms in other commercial sectors.
More than half (52 per cent) of US companies thought attacks came from unscrupulous competitors. Half this proportion of UK companies blamed competitors.