ANLAYSIS-Cyber attack protection not worth the cost for most

* Even biggest sites can be taken down by cyber attacks

* Protection is expensive and most companies have none

* DDoS attacks becoming more common protest method

By Georgina Prodhan and Marius Bosch

LONDON/JOHANNESBURG, Dec 10 (BestGrowthStock) – Organisations can
protect themselves to some degree against cyber attacks like the
ones WikiLeaks supporters have carried out against Visa and
Mastercard but it’s a costly and constant race against time.

Most companies have no protection at all against distributed
denial-of-service (DDoS) attacks, which put computer servers out
of action by overwhelming them with requests — and most will
never become targets.

But for those who are attacked, the consequences can be huge
— the loss of a single day’s pre-Christmas sales could easily
cost hundreds of millions of dollars for an online retail giant
like Amazon, which has been targeted by activists this week.

The activists, a loose Internet grouping calling themselves
Anonymous, failed to attract enough firepower this time to bring
down Amazon (AMZN.O: ) — one of the world’s biggest web-hosting
providers as well as a retailer — but have not given up.

They are enraged at the efforts of mostly U.S.-based
organisations to disrupt the online activities of WikiLeaks,
which has sparked fury in the United States by releasing a
torrent of confidential U.S. diplomatic cables.

Mikko Hypponen, chief research officer of Finnish software
security firm F-Secure (FSC1V.HE: ), says even the biggest and
best-protected companies can be vulnerable.

“If an attack is large enough, anything can be taken down.
Even Google (GOOG.O: ) itself went down under a DDoS attack caused
by a Mydoom worm variant couple of years ago,” he says.

Commercial offerings do exist to minimise the effects of
DDoS attacks — provided by the likes of Prolexic, Akamai
(AKAM.O: ) or Verisign (VRSN.O: ).

These intercept and analyse traffic to a site and divert it
if it appears suspicious, for example, if a user seems to be
visiting a site 100 times per second.

“This is only for people who are under heavy attacks. You
can do it but it costs a lot of computation,” says Michiel
Leenaars, strategy director at Internet technology fund NLnet.

“A denial-of-service attack is asymmetric because the person
on the other side has to do a lot more work than you, which
makes it easy to flood him, because otherwise it would be very
hard to take down these websites because they’re very big.”

REVENGE ATTACKS

Alternatively, owners of websites who fear attack can
increase their capacity, outsource work to hosting companies or
change their server architecture to distribute incoming traffic
more efficiently, to avoid being overwhelmed so easily.

The question is simply one of cost and risk assessment, says
Sarb Sembhi, chairman of the security advisory group of ISACA, a
non-profit global association that advises companies on
information technology.

“These companies that are being attacked are being attacked
for a reason, which is that the attackers are taking what they
believe is revenge. The chances of you or me getting involved in
this are slim,” he says.

Nonetheless, the use of DDoS attacks as a method of protest
— rather than by criminals for financial gain — is on the
rise, and ordinary people can take part by downloading a piece
of software from the Internet. [ID:nLDE6B81FY]

According to leading open-source software distributor
SourceForge, the piece of software — known as a low orbit ion
cannon — has been downloaded more than 50,000 times, with 20
percent of the downloads to the United States.

“Anonymous is not a group of hackers. We are average
Internet citizens ourselves and our motivation is a collective
sense of being fed up with all the minor and major injustices we
witness every day,” the group said in a statement on Friday.

DDoS attacks are clearly against the law in most countries,
although for many protesters that may be an academic question,
says Peter Church, a lawyer specialising in technology, media
and technology at law firm Linklaters in London.

“It’s not a pure law issue. It’s a question of actually, how
do you track these people down? How do you secure a conviction
to criminal standards of proof?” he says.

A 16-year-old boy suspected of involvement in the online
campaign has been arrested in the Netherlands and is due to
appear in court later on Friday.

DDoS attacks have been used previously in real conflicts.

In 2007, a series of attacks targeted websites of the
Estonian parliament, government ministries, banks and media
organisations, sparked by a row between Russia and Estonia over
the removal of a Soviet World War Two memorial.

And during the brief 2008 war between Georgia and Russia
over breakaway South Ossetia, attacks disabled and took offline
websites in all the countries involved.

Leenaars doubts that the WikiLeaks supporters have enough
support to cause such widespread damage, unless the situation
escalates further.

“The more attackers you have, the easier it becomes — but
you have to have something that’s really a social subject. I’m
not sure that the WikiLeaks cause has the power to attract
enough people, for now.”

ANLAYSIS-Cyber attack protection not worth the cost for most