What the meetup DDoS tells the rest of us
I did a news story in Infosecurity Magazine yesterday: Meetup Fighting Prolonged DDoS Attack. The gist is that the social network site, meetup — which promotes the idea of both dispersed and local ‘groups’ and group activities — had been under intermittent DDoS attack since last Thursday.
CEO Scott Heiferman has blogged about the attack. It started with an email warning that said the attacker had been commissioned by a competitor to attack him — but that he would abandon the attack on payment of $300. Heiferman thinks the $300 was just to test the water; to see if meetup would be susceptible to further extortion in the future.
That’s possible; but given the commoditization of DDoS as a service, it is equally likely that $300 was simply the actual cost of the attack, and that the attacker was seeing if he could collect his fee without the effort of carrying it out.
But in all of this there is one question left unanswered. Heiferman stresses that throughout the attack his engineers have been toiling to keep the site up and running, and says that he spends millions of dollars every year on security. What is clear is that he has spent little or nothing on DDoS mitigation — and is possibly still spending nothing on third-party mitigation (otherwise his problem would probably have been solved long ago).
I spoke to Ashley Stephenson, CEO of Corero Network Security (a DDoS mitigation firm) to try to understand what’s going on. While we don’t yet know who is behind the attack, what if any competitor was involved, nor the type of DDoS attack used, what is clear, Stephenson told me, is that “it appears the meetup site had no proactive defence in place. Similarly their primary ISP or Hosting Provider was not able to successfully defend their customer against the volume or sophistication of the threat.”
But it would have started much earlier. “Long before the demand for cash was made, attackers were likely probing the meetup service, searching for vulnerabilities and preparing to launch an attack that would do the most harm.”
This is one reason why companies need to be proactive and mitigate DDoS before it starts, rather than be reactive and attempt to contain an attack already in full sway. “A technology solution with the capabilities to detect, analyze and ultimately mitigate DDoS attacks could provide an early alert on such suspicious activity, and help to protect against the malicious activity as soon as it escalates.”
Most companies’ preparation for a DDoS attack is simply to ask themselves, ‘would I pay or would I fight?’ But they then fail to ask the follow-up question: ‘OK, how would I fight this?’
“The lesson to be learned here, unfortunately at the expense of meetup,” said Stephenson, “is that businesses need to think proactively and prepare for cyber attack scenarios, before they hit.”
It makes sense. Most companies buy an anti-malware system not because they have a malware infection, but because of the possibility that they might get one. The same mentality needs to be developed about DDoS attacks and DDoS mitigation — it’s best to get the defence in before the attack, because that attack is becoming increasingly likely, and increasingly dangerous.