The Countries Terrorizing The Cyber World: Where Do Most DDoS Attacks Come From?

22/07/2014 11:14 BST | Updated 20/09/2014 10:59 BST

On 10 July this year, eight major Norwegian companies and banks were severely disrupted in a massive denial of service attack linked to the 'hacktivist' group Anonymous. However, they certainly weren't acting alone. Millions of people helped them. You might have helped them too, depending on the state of your personal computer.

Imagine if you left your car unlocked with the keys in the ignition and a group of people took it and used it to commit a crime or act of terrorism. You wouldn't have committed the crime, but you certainly helped the criminals. These days, connecting a computer to the internet without a virus protection program is as reckless as leaving your property in the street. It's an open invitation to hackers, who in turn can then access your computer and turn it into a zombie 'bot' that they can use to orchestrate massive online attacks. But where are the majority of these zombie computers located?

Finding the source of these attacks is an important first step in stopping them, and the results make for very interesting reading. A recent report by cyber security firm Incapsula examined the location of some recent DDoS attacks, and discovered that 20% of all DDoS bot activity took place in India and China. This is fascinating, as 2012's Emerging Consumer Survey (commissioned by Swiss financial services company Credit Suisse) showed a large increase in computer ownership in India and China, combined with improved access to broadband in India. Put simply, many more people in India and China now own computers, but this boom in ownership hasn't been accompanied by an equivalent boom in computer security, leaving many of these PCs unprotected and vulnerable to exploitation.

Other countries that are at the forefront of DDoS attacks include Iran (8% of the share of bots), Indonesia (4%) and the United States, also with 4% of all bot activity. In Iran and Indonesia there has also been an increase in the ownership of personal computers combined with a lack of internet security, while the US presence on the list is explained by the fact that it contains the highest number of computers in the world: a staggering 310.6 million. It seems that not all of these US-based computers have sufficient virus protection, which is a big problem.

In 2013 alone, Incapsula encountered an average of 12 million unique DDoS bot attacks per week, and that seems set to rise as computer ownership in other technology-hungry developing countries such as Brazil continues to increase. DDoS is a preferred tool for savvy hackers around the world - particularly Application Layer (or Layer 7) DDoS, which works by overloading servers with requests from many sources. The more infected computers, the more devastating and long-lasting the attacks, meaning that the continuing rise of computer ownership (and associated lack of adequate virus protection) in developing countries could lead to a perfect storm of continuous attacks as hacker groups like Anonymous recruit more and more infected PCs to their vast, sleeping botnet army.

Servers can protect against illegitimate requests: if they couldn't, this sort of attack would be far more widespread. However, DDoS attacks work by tricking servers into thinking the request is coming from a legitimate source: i.e., the infected computer. This is achieved by hacking into unprotected or poorly protected computers and infecting them with malware and Trojans that allow the computer to be controlled remotely. The hackers then wrangle these herds of infected computers into massive botnets that can bring down whole websites and web-accessed systems at the touch of a button.

The 10 July attack saw some of Norway's top institutions brought down in a massive, coordinated DDoS attack. It's the biggest-ever attack experienced by the country to date. The DDoS storm targeted eight top Norwegian companies, including central bank Norges Bank, Sparebank 1, Danske Bank and the insurance companies Storebrand and Gjensidige. Three Norwegian airlines and a large telecommunication company were also affected. It seems clear that - as the army of infected computers grows - attacks like these are becoming more ambitious, more extensive and far more debilitating.

The malicious bombardment with requests caused traffic problems for the companies' websites and disrupted access throughout the day. This affected the banks' online payment services as well. "The scale is not the largest we have seen, but it is the first time it has hit so many central players in the finance sector in Norway," said the head of Evry's security team, Sverre Olesen, in an interview with the Dagens Næringsliv business newspaper.

Based on Incapsula's research, it seems highly likely that a large proportion of these attacks originated in India and China. Not intentionally, of course, but without better access to internet security education and products in these countries, huge DDoS attacks like the one that took down so many Norwegian corporations could soon become a weekly occurrence.