Does a DDOS Equal a Cyber-War?


It's been a pretty interesting week on the cybersecurity front, with the DDOS attacks on South Korea and the United States making the most headlines. I've been trying to keep up with all of the regular media and blogs and, quite frankly, it's a bit overwhelming. There's a lot of intrigue to this story, but I'm beginning to wonder now if it's been overblown a bit, because a couple of things just don't seem to add up.

The first interesting thing that jumped out at me was that, while the attacks apparently began on July 4, there wasn't any mention in the media until July 9. This is interesting because it appears that something getting so much attention from the affected organizations wasn't even noticed publicly for at least four days. Doesn't that sound amazing when the media is so quick to jump on anything that sounds sexy, like a "cyber attack"? From what I've been able to determine based upon dozens and dozens of "unofficial" media reports and blogs, five U.S. websites were initially assaulted by a DDOS on July 4, and that number grew to more than 35 over the next few days, including both South Korean and U.S. government and private-sector company websites. Wow!

What does that really mean? Well, the estimates I've read put the botnet at around 60,000 bots. While it appears that the attacks were actually targeted attacks and certainly not trivial, 60,000 is also not a large botnet. So the second puzzle is that, if the botherder was truly a professional wanting to do harm, why would they spread the attack from a relatively small botnet across more than 35 websites? That's lots of sizzle but no steak. I read one blog that said this attack was "more like arming a troupe of girl-scouts with water-balloons and Nerf guns." Seriously though, while there's no doubt that the attack caused some outages, a professional cowboy botherder would have either mustered up a bigger botherd or just attacked a small number of the most significant targets.

Here's the really perplexing question to me, though: why would someone wanting to cause any real damage use a variant of the old Mydoom worm family? This thing has been around for five years, and every anti-virus vendor in the world has a signature available for it. That doesn't pass the smell test for someone trying to do real harm...unless the DDOS was simply a diversion for some other really bad stuff going on somewhere else (but that's for those with more official intel).

While I'm positive there is a lot more information, probably classified or at least very sensitive, that I don't have access to, on the surface this appears to be a somewhat amateurish hack that took advantage of some organizations that may not have been as prepared as they thought they were.

There are certainly some tools you can and should deploy to mitigate and deflect a DDOS (IPS at the edge, router ACLs), but the bottom line is that if you get enough traffic, from enough distributed sources, in a short enough period of time, you are going to have a problem. Among the things (the top three in my opinion) you need to have in place BEFORE a DDOS are:

1. Know who your carrier is and have a relationship with them so they can begin upstream filtering and bump up your bandwidth (your BCP should address this) if you are under attack.

2. Have staff who are trained and know how to read logs and determine which IPs are causing the problem and need to be blocked. If your staff is not technically prepared to understand what is going on, no amount of planning will be enough.

3. Most important and most often neglected: have up-to-date contact information. Trying to track someone down, whether it's your ISP, a vendor, or your own staff, on a Saturday 4th of July holiday when your site is down and you don't have a name and telephone number can be one of the most frustrating events of your life.

Bonus #4: If you have externally hosted web sites, know where they are, who manages them, and how to get in touch with them...on a holiday!
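Item 2 above is the one that can be rehearsed before the holiday weekend. The script below is an added example, not code from the original post: it parses web-server access logs in the common "combined" format, keeps a sliding window of timestamps per source IP, and flags any source whose request count inside that window exceeds a threshold, then renders the flagged sources as Cisco-style extended ACL deny entries for the edge router. The log lines, the RFC 5737 test addresses, the 10-second window and the 20-request threshold are all constructed assumptions; a real operator would set the threshold from their own baseline traffic, not from this file.

```python
"""Rate-based source-IP triage over access logs (added example, not from the post).

Given combined-format access log lines in timestamp order, count requests per
source IP inside a sliding window and flag sources that exceed a threshold.
The sample log, addresses, window and threshold are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Apache/nginx "combined" format: client IP, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    return m.group("ip"), ts


def flag_top_talkers(lines, window_seconds=10, max_requests=20):
    """Flag source IPs that send more than max_requests within any window_seconds span.

    Lines are assumed to arrive in timestamp order, as a live tail would deliver them.
    Returns {ip: peak_requests_in_window} for flagged IPs only.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> highest in-window count seen so far
    span = timedelta(seconds=window_seconds)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue               # malformed line: skip it rather than crash mid-incident
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > span:   # drop timestamps that have aged out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > max_requests}


def acl_lines(flagged):
    """Render flagged IPs as Cisco-style extended ACL deny entries, worst offender first."""
    ordered = sorted(flagged.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"deny ip host {ip} any" for ip, _ in ordered]


def build_sample_log():
    """Constructed sample traffic: one flooding source, two normal ones, one junk line."""
    base = datetime(2009, 7, 4, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    # 203.0.113.7: 30 requests in six seconds (five per second) - the flood.
    events += [(base + timedelta(seconds=i // 5), "203.0.113.7") for i in range(30)]
    # 198.51.100.22: one request per second for eight seconds - busy but normal.
    events += [(base + timedelta(seconds=i), "198.51.100.22") for i in range(8)]
    # 192.0.2.10: three requests spread over eight seconds - ordinary browsing.
    events += [(base + timedelta(seconds=s), "192.0.2.10") for s in (0, 4, 8)]
    events.sort(key=lambda e: e[0])
    lines = [f'{ip} - - [{ts.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512' for ts, ip in events]
    lines.insert(10, "this is not a log line")   # exercise the malformed-line path
    return lines


if __name__ == "__main__":
    flagged = flag_top_talkers(build_sample_log())
    for ip, n in flagged.items():
        print(f"{ip}: peak {n} requests in window")
    print("\n".join(acl_lines(flagged)))
```

With the constructed sample, only 203.0.113.7 crosses the 20-request line; lowering `max_requests` to 5 would also sweep up the one-request-per-second source, which is exactly the false-positive trade-off the trained staff from item 2 have to make by eye when the real logs come in.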

1 Comment

I have been following the events since July 4th and posted a write-up with comments as well: http://jorgeorchilles.blogspot.com/2009/07/july-us-and-south-korea-ddos-attacks.html
