The cyber-attack that took down Sony’s (SNE) PlayStation Network and Sony Entertainment Network on Sunday was nothing sophisticated: It was a plain old distributed denial-of-service (DDoS) attack. Lately, cybersecurity defenders have been focused on so-called advanced persistent threats and zero-day attacks—covert, often long-simmering hacks that exploit a system’s previously unknown flaws. But a growing number of hackers appear to be returning to the time-tested strategy of hammering a website with phony traffic until it breaks.
Unlike data breaches, DDoS attacks don’t steal anything. They just cause big, expensive headaches for targeted companies. The hackers this time were definitely going for maximum eyeballs, using a Twitter (TWTR) account with the handle Lizard Squad to claim responsibility and tweet about a bomb threat to an American Airlines (AAL) flight, which happened to be carrying the president of Sony’s online entertainment unit. The plane, bound for San Diego, made an unplanned stop in Phoenix, and the matter was referred to the FBI.
Sony got its sites back up in less than 24 hours, and the company says there’s no sign that the hackers accessed any account information. Still, there must be a creepy feeling of déjà vu for Sony, which is still dealing with the fallout from a 2011 hack on sites, including the PlayStation Network, that exposed personal information for more than 100 million accounts. That breach was preceded by a large DDoS attack.
Such campaigns are on the rise in volume and power. Incapsula, a security company that specializes in protecting company websites, says attacks on clients more than tripled from December through February over the same period a year earlier.
Incapsula’s chief business officer and a co-founder Marc Gaffan calls DDoS “the weapon of choice” for hackers these days, in part because technology is making it increasingly convenient and powerful (sound familiar?). It doesn’t take much money to inflict a costly headache on a business. An attacker can rent a “botnet”—a network of infected zombie computers controlled by cyber criminals—to mount a DDoS campaign for less than $10 an hour, according to Verizon’s (VZ) most recent Data Breach Investigations Report (PDF).
Attackers can now amplify an assault by using the greater computing power that sits all over the Internet in the form of cloud infrastructure, the Web-based servers and software that are replacing a lot of hardware.
Banks got hammered, Verizon says, since late 2012 and into 2013, when a group called Izz ad-Din al-Qassam Cyber Fighters began a campaign of denial-of-service attacks aimed at crippling U.S. financial institutions.
While the motivation behind the Sony attack isn’t clear, Incapsula’s Gaffan says gaming sites are popular targets, with intrusions directed by competitors or by criminals out to extort money to not attack a site.
“Every minute a gaming site is down is a minute of unrealized revenue and an opportunity for a gamer to churn and start playing at a different gaming service,” Gaffan says.
Verizon has tracked a jump in DDoS size, measured in bandwidth as gigabits per second, from an average of 4.7 Gbps in 2011 to 10.1 Gbps last year. February saw one of the largest, at 400 Gbps, as reported by a separate company, CloudFlare. That one leveraged a flaw in something called Network Time Protocol, the mechanism computers use to set their clocks online. This is an increasingly popular method that has caused trouble for gaming sites, according to Cloudflare.
We don’t know the specific details of the Lizard Squad attack on Sony. Still, while businesses are worrying about the thieves sneaking into an unlatched window at the back, they shouldn’t forget the hooligans coming at the front door with a hammer.
