New Metric Would Score The Impact, Threat Of DDoS To An Enterprise
Taking a page from the metrics used to rank tornadoes and software vulnerabilities, attack-mitigation firms look to find a better measure of denial-of-service attacks than bandwidth and duration
Companies searching for a way to measure the potential disruption that a distributed denial-of-service (DDoS) attack might cause their businesses may get some help from an industry effort to rank such attacks based on their impact.
The project, proposed by DDoS mitigation firm Prolexic, aims to combine two existing measures of attacks to create a relative score of the business impact of a DDoS attack. The project starts with a simplified version of the Measure of Impact of DDoS Attacks (MIDAS) -- a metric created by researchers at the University of Michigan and AT&T Labs -- which calculates the severity of a DDoS attack by its impact on the network. By combining that data with the Common Vulnerability Scoring System (CVSS), a popular way to rank the severity and impact of vulnerabilities, researchers can rank attacks.
More Security Insights
- Forrester Study: The Total Economic Impact of VMware View
- Securing Executives and Highly Sensitive Documents of Corporations Globally
- Top Big Data Security Tips and Ultimate Protection for Enterprise Data
- How to Improve Customer Analytics: Best Practices
Such a scoring system can be used to evaluate past attacks and determine whether a company could weather current attacks hitting other networks, says David Fernandez, information security manager with the Prolexic's Security Engineering and Response Team.
"Companies can use this to start considering the impact of attacks, to plan and be proactive," he says. "Historically, DDoS defense has always been a reactive process. This facilitates the means for being proactive about defending against DDoS attacks."
Prolexic first outlined the process in a whitepaper posted to its site in December. The proposed system starts with a simplified version of the MIDAS metric, assigning a denial-of-service attack as one of four categories based on combinations of two attributes: the number of sources from which the attack emanates -- concentrated or distributed -- and the relative size of the attack -- weak or strong. MIDAS focuses on measuring impacts, in a way similar to the Fujita scale for tornadoes.
In addition to MIDAS, organizations would treat every exposed network service as a vulnerability and score it against different attack types, using components of the CVSS that measure the impact of a vulnerability on the targeted environment.
The approach could be useful for three groups of people -- Internet providers, enterprises, and DDoS-mitigation firms -- as a way to have a common language about the severity of denial-of-service attacks and the capabilities of a botnet to produce such attacks, says Dan Holden, director of Arbor Networks' security engineering and response team.
"I don't know if the exact approach that they've put together is perfect, but I like the initial proposal," Holden says, who has already contacted Prolexic about the scoring system.
[The ongoing distributed denial-of-service attacks on banks have some security professionals worried that the attacks may move to less prepared industries. See DDoS Attacks Spur Concerns Over Infrastructure Weaknesses.]
Yet a number of problems exist as well. The MIDAS metric is a measure of volumetric attacks, those DoS attacks that attempt to overwhelm a network or server with large amounts of traffic. But application-layer attacks, which attempt to overwhelm a server's processor or memory resources, account for about a quarter of attacks each year. Those attacks are not handled well by the MIDAS framework, says Alex Heid, senior security researcher at Prolexic.
"An application layer attack would be classified by the MIDAS system as a weak and concentrated attack, since it is a low-and-slow type of attack," Heid says.
In addition, measuring the impact and threat of a denial-of-service attack is a very company-specific -- or at least, industry-specific -- activity, says Marc Gaffan, vice president of business development for Incapsula, a website protection firm. Security practitioners would be better served by taking into account expert analyses and matching the efforts of their peers in the industry.
"You can look at yourself and look at what's out there in terms of threats, and you can assess the impact," Gaffan says. "The impact is something that is subjective and proprietary to you. Only you know what a minute of downtime means to your business."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.