Like Santa, DOS Does Not Take Christmas Off

January 5, 2009

One would think that on holidays, DOS attacks (denial of service attacks) would be lower than usual. Historically speaking, on holidays and during major events such as the Super Bowl, traffic patterns and ticket activity are typically lower than usual. Based on that statistic, one might think that the number of DOS attacks, port scans, and general mischief / hacking would be down as well. Unfortunately, such is not the case. Here during the joyful holidays, the Internet brings us yet another present… one of DOS attacks and HTTP floods. Below is a breakdown of DOS attacks greater than 500 Mbps or 100 Kpps (packets per second):

12/23 – 8 attacks

12/24 – 6 attacks

12/25 – 12 attacks

12/26 – 7 attacks

12/27 – 8 attacks

Based on the information above, we can surely see that Christmas, the day of giving, has presented us with a variety of attacks to break down into detail. If we look at them based on time, we find the following:

3:45am – 1.64Gbps (1638.5Mbps)

12:20pm – 2.56Gbps

12:40pm – 2.56Gbps

1:20pm – 2.35Gbps

1:35pm – 193Kpps (193,000pps)

2:10pm – 2.04Gbps

2:20pm – 2.26Gbps

6:00pm – 186Kpps

6:20pm – 804Mbps

6:55pm – 552.9Mbps

7:11pm – 212Kpps

7:11pm – 578.8Mbps

DOS Attacks

One can deduce that the people initiating these attacks either do not celebrate Christmas or have excess time on their hands because of their time off. They might also choose a day when they think you are most vulnerable, such as a holiday or off-hours. Fortunately, here at SoftLayer we have an extensive automated DOS system comprised of multiple Cisco Anomaly Guards driven by an anomaly detection system using Arbor Peakflow SPs, flow-tools, and a variety of internally developed defense protocols. We have three (3) 24x7 Network Operation Centers (NOCs) that are prepared to handle these situations as they arise. So what is my point… not really sure because I am not trying to sound like a commercial. But you need to choose your hosting provider wisely and make sure they have the ability to react to DOS attacks at any time, any day, during any event. DOS does not take time off… neither should your provider.