Corero White Paper

The House Wins: Keeping Online Gambling in Play Against Denial-of-Service Attacks


TABLE OF CONTENTS

Executive Summary ... 1
The Stakes Are High for iGaming Companies ... 1
Attackers Try to Rig the Game with Application-Layer Attacks ... 3
Criminals and Competitors Take a Piece of the Action ... 5
Best Bet: On-premises DDoS Defense ... 6
Don’t Trust to Luck: Be Prepared ... 7
The Winning Hand: Corero’s DDoS Defense System ... 8

Defending Online Gambling Against DDoS Attacks


Executive Summary

Hackers are betting on distributed denial-of-service (DDoS) attacks to make money in the online gambling market. But what is making them money is costing revenue for the victim companies. Every second that someone cannot place a wager or play their favorite casino game translates not only to an immediate loss of revenue but to future losses, as players move on to other online gambling sites.

DDoS attacks and the threat of a DDoS attack to extort ransom have been the cards criminals have played against online gambling — also known as Internet gaming or iGaming — companies over the last decade. Yet, these criminal attacks on online gambling businesses are growing in intensity and are continuing to shut down sites.

The primary reason is the increasing sophistication of DDoS attack methods, particularly low and slow application-layer attacks, which are extremely difficult to detect and almost impossible to mitigate using traditional services and techniques.

For the most comprehensive protection against all forms of DDoS attack, iGaming companies should bet on on-premises DDoS defense appliances. This white paper examines: who is responsible for the DDoS threat against the iGaming industry; what’s at stake for gambling services companies; the latest DDoS attack trends, and recommendations for an effective DDoS defense program to thwart those who would do your business harm.

The paper also highlights how Corero Network Security provides a comprehensive solution that ensures continued availability of iGaming services to customers in the face of both new application- and traditional network-layer DDoS attacks.

The Stakes Are High for iGaming Companies

DDoS attacks threaten the growing, multibillion-dollar global iGaming business. iGaming revenue is expected to reach $41.7 billion in the next year, according to Global Betting and Gaming Consultants (See “Online Global Gambling Revenue,” above). Online gambling is a high-speed, volatile market, in which time very literally is money. It also is intensely competitive, as online gambling companies vie for business from a finite pool of regular, repeat customers, as well as the more casual player.

[Figure: Global Online Gambling Revenue (Billions USD), 2005 to 2013. Source: Global Betting and Gaming Consultancy]


It isn’t surprising that DDoS is a widespread problem in the iGaming industry. Any business that relies on the Internet to make money is a target, and online gambling is at the forefront. A survey of 300 enterprises sponsored by Corero revealed that a third had suffered at least one DDoS attack in the past 12 months and 42% of those victim companies had experienced multiple attacks. Anywhere, anytime Internet access has upped the ante. Smart phones, tablet computing devices, high-speed home Internet access and extensive WiFi availability are creating a huge on-demand gambling environment.

Online gambling providers have responded with a comprehensive selection of customer services, led overwhelmingly by sports wagering (see “Global Share of Online Gambling by Type,” below); followed by casino games, such as roulette and slot machines; online poker; skill games; bingo and lotteries.

But customer loyalty can be fleeting, and DDoS attacks can drive away players in a hurry. Players want iGaming services that are always available. They expect a seamless experience. Internet gambling companies must ensure their sites are always up, with the full range of betting options available, without interruption or degraded performance. If a player faces a downed site or sluggish performance, they will place their bets on another site.

[Figure: Global Share of Online Gambling by Type. Categories: Sports Betting, Casino, Poker, Bingo, Skill & Other Gaming, State Lotteries; shares shown: 40.6%, 19.6%, 16.8%, 13.3%, 6.5%, 3.1%. Source: Global Betting and Gaming Consultancy]


Attackers Try to Rig the Game with Application-Layer DDoS Attacks

DDoS attacks continue to succeed and seriously impact iGaming businesses largely because the new breed of insidious application-layer attacks frustrates traditional DDoS mitigation services. iGaming companies generally are well aware of the DDoS threat, many having had direct experience. They are all too cognizant that a well-timed sustained attack could cost them millions. So, they often turn to their Internet Service Providers (ISPs) to overprovision bandwidth to offset the impact of traditional network flooding DDoS attacks. They may also contract for so-called “clean pipe” anti-DDoS services or turn to specialized cloud-based service providers to combat DDoS attacks (See “Traditional Anti-DDoS Solutions,” above).

But by betting on these services — once an almost sure thing — iGaming companies are not prepared for application-layer attacks. These solutions are ineffective against application-layer techniques, which are more difficult to detect and mitigate than traditional network attacks (such as SYN, UDP and ICMP floods that fill the Internet pipes with enormous volumes of traffic). Application-layer attacks, by comparison, create far less traffic and appear to be legitimate connections to targeted servers. Often, victim gambling companies are not even aware they are under attack – with the site remaining active but sluggish. For example, the popular repetitive HTTP GET attacks (see “Application Layer HTTP GET DDoS Attack”, p. 4), cripple the target server by overwhelming it with requests for a resource. The traffic seems “normal,” the volume is low, and the attack can be carried out by a small number of people or small botnet, compared to massive flooding attacks.
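As an added illustration (not code from the white paper or from Corero), the following Python script parses a constructed web-server access log and flags the pattern described above: a single source repeatedly fetching the same resource while the overall request rate stays modest. The addresses, paths, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Combined log format: client ident user [timestamp] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\S+)')

# Constructed sample access log (documentation-range addresses, not real traffic):
# 203.0.113.10 re-fetches the odds page twice a second; 198.51.100.7 browses normally.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Apr/2011:14:00:00 +0000] "GET / HTTP/1.1" 200 2041 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2011:14:00:00 +0000] "GET /sportsbook/odds HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2011:14:00:00 +0000] "GET /sportsbook/odds HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2011:14:00:01 +0000] "GET /sportsbook/odds HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2011:14:00:01 +0000] "GET /sportsbook HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2011:14:00:01 +0000] "GET /sportsbook/odds HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2011:14:00:02 +0000] "GET /sportsbook/odds HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2011:14:00:02 +0000] "GET /sportsbook/odds HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2011:14:00:03 +0000] "GET /sportsbook/odds HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2011:14:00:03 +0000] "GET /sportsbook/odds HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2011:14:00:03 +0000] "GET /sportsbook/odds HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2011:14:00:04 +0000] "POST /bet/place HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2011:14:00:04 +0000] "GET /sportsbook/odds HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2011:14:00:04 +0000] "GET /sportsbook/odds HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

def parse_line(line: str):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def max_in_window(times: List[datetime], window_s: int) -> int:
    """Largest number of events inside any window_s-second span (two-pointer sweep)."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def overall_rate(log_text: str) -> float:
    """Total requests per second across all sources: what a purely volumetric threshold would see."""
    stamps = [r["ts"] for r in map(parse_line, log_text.splitlines()) if r]
    span = (max(stamps) - min(stamps)).total_seconds()
    return round(len(stamps) / max(span, 1.0), 2)

def find_repetitive_gets(log_text: str, window_s: int = 10, threshold: int = 8) -> Dict[Tuple[str, str], int]:
    """Flag (source, resource) pairs fetched at least `threshold` times within `window_s` seconds.
    Detection keys on repetition per source and per resource, not on bandwidth, because the
    attack described above keeps overall volume low."""
    hits: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for rec in map(parse_line, log_text.splitlines()):
        if rec and rec["method"] == "GET":
            hits[(rec["ip"], rec["path"])].append(rec["ts"])
    flagged = {}
    for key, stamps in hits.items():
        peak = max_in_window(stamps, window_s)
        if peak >= threshold:
            flagged[key] = peak
    return flagged

if __name__ == "__main__":
    print("overall rate (req/s):", overall_rate(SAMPLE_LOG))
    for (ip, path), n in find_repetitive_gets(SAMPLE_LOG).items():
        print(f"{ip} fetched {path} {n} times within 10 s")
```

On the sample, the whole log averages only a few requests per second, yet one source accounts for ten fetches of a single page; tune the window and threshold against a baseline of your own site's normal per-visitor behaviour.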

Traditional Anti-DDoS Solutions

Over-Provisioning Bandwidth
Description: Enterprise purchases additional bandwidth to absorb flooding attacks.
Limitations:
• Ineffective against application-layer attacks
• Creates endless cycle of escalation
• Reactionary
• Not cost-effective

“Clean-Pipe” Services
Description: ISP routes suspect traffic to proxy that “scrubs” it clean of malicious packets.
Limitations:
• Ineffective against application-layer attacks
• Reactionary
• Legitimate traffic can be lost

Specialized Cloud-based Services
Description: Service provider scrubs traffic during a network-layer attack, then routes good traffic to the client network.
Limitations:
• Ineffective against application-layer attacks
• Reactionary
• No visibility into outbound traffic and server services

These services can complement on-premises DDoS defense to protect against overwhelming attacks that saturate Internet links with traffic.


As a result, these attacks are more damaging, as gambling sites are taken off guard. By the time they realize they are under attack, their customers already are spending money at competitors’ sites. If the attacks are frequent and sustained, they may never return. Customer loyalty is only as good as the service they receive. Hackers know this and are betting on it to blackmail iGaming sites into paying ransom to stop attacks.

Witness this reported comment from a spokesman for the online gambling site Paddy Power under DDoS attack in April 2011:

“We are experiencing a protracted and malicious attack on our systems with the sole objective to bring down our website and prevent our customers from placing bets. We have systems in place to defend our site against such attacks. However, these systems have failed to protect us due to the sophistication of the attack.”

The attackers are well aware of mitigation techniques and, as is true across the security landscape, develop new techniques to stay ahead of defensive mechanisms. As more iGaming companies adopt traditional defensive measures, their adversaries have turned to the more sophisticated, more elusive and ultimately more effective application-layer DDoS attacks. A new breed of so-called “slow” application-layer attacks, Slowloris and HTTP Post, bring web servers down by slowing requests. A more recent variant induces slow server responses. The aim is to deliver attacks that require fewer resources and are increasingly difficult to detect.

As a result, DDoS attacks remain persistent and successful assaults on the stability and profitability of Internet gambling, even as iGaming companies attempt to counter the threats.

[Figure: Application Layer HTTP GET DDoS Attack. A bot master directs bots through botnet command and control; the bots open good TCP connections across the Internet and send repetitive HTTP GETs to the victim web servers.]


Criminals and Competitors Take a Piece of the Action

The most frequent perpetrators of DDoS attacks against online gambling sites are competitors attempting to undermine the business and drive customers to their own sites. In fact, unscrupulous competitors are cited as the leading force behind DDoS attacks across all industries. The Corero-sponsored survey noted above found that nearly half the enterprises that experienced DDoS attacks blamed competitors seeking unfair business advantage (See “DDoS Attack Motivations,” above).

It makes good business sense, albeit from a criminal perspective. Who better than the competition understands the consequences of a prolonged service outage both in terms of direct loss of revenue and the volatility of the customer base? And with an attack method that uses legitimate resources the attackers also have plausible deniability.

Online gambling companies understand that this sort of practice is an unfortunate fact of life among the less reputable businesses in the industry. A statement from online gambling software company Top Game Casinos in August 2011, posted on the forum of the Casinomeister site, declared that the company’s “recent investigation has revealed that the attacker does not only own and manage several online casinos and a fairly known affiliate program, but has also recently launched his own gaming software.”

Attackers know when the stakes are highest. For example, in August 2009, Australia’s largest online betting sites were shut down on the eve of the Australian Football League and National Rugby League finals, reportedly resulting in losses of millions of dollars.

Criminal extortion under threat of DDoS is also all too common. Like unscrupulous competitors, these extortionists understand how to hurt iGaming businesses. The threat of a DDoS attack is typically timed for maximum effect, in advance, for example, of a major sporting event such as the Super Bowl or a World Cup match, or a major holiday. They also will calculate the size of the ransom based on the likely financial impact of a sustained and successful DDoS attack at such a time. What’s $50,000 compared with the potential loss of millions? Often, the criminals will take the site down briefly as a demonstration to show that they are capable of carrying out their threat. They often will make good on their threat if they are refused. Unfortunately, companies that pay these ransoms sometimes get a reputation as a “soft touch” and will be hit repeatedly.

[Figure: DDoS Attack Motivations. Categories: Political / Ideological, Competitive Advantage, Financial Extortion, Just for Laughs; shares shown: 52%, 20%, 16%, 12%. Source: Vanson Bourne survey]

Arrests are not all that frequent, but there have been notable exceptions. For example:

• Three Russian men were sentenced to eight years in prison in 2006 after extorting $4 million from British gambling sites under threat of DDoS. One company that refused to pay a $10,000 ransom lost $200,000 in business during the Breeders’ Cup races.

• A German man with more modest ambitions was convicted in June 2011 of attempting to extort $3,700 each from six online gambling sites, threatening to launch DDoS attacks during the 2010 World Cup. It is interesting to note that the unsuccessful extortionist was armed with a $65 per day Russian botnet, underscoring how DDoS is well within the means of criminals and competitors. Attackers also can rent a DDoS “hit squad” to launch attacks on their behalf.

• Two Korean men were arrested in January 2011 after launching DDoS attacks against 100 rival sites for two hours a day over a two-week period.

Sometimes, players themselves will launch narrow, session-based DDoS attacks to avoid losing. For example, a poker player dealt a poor hand may launch an attack to cause the game to malfunction. Typically, the site’s policy is that no players lose their money if there is a game malfunction. The cheating player recoups his loss, but the online gambling site can’t collect any of the bets placed. What’s more, players who believe they held a winning hand are bound to be upset that the session was curtailed before they had a chance to cash in.

Best Bet: On-premises DDoS Defense

Although the odds may appear to be stacked in favor of the attackers, online gambling companies can still come out winners. Since traditional services offer ineffective or incomplete protection, what’s required is a solution that provides comprehensive protection against a wide range of DDoS attacks including conventional network flooding and new application-layer attacks.

Dedicated, on-premises DDoS defense appliances are the optimal solution. Installed in front of firewalls, applications and database servers, on-premises technology is the first line of defense against all DDoS attacks. On-premises appliances provide automated detection and mitigation against the full arsenal of attackers’ DDoS weapons, standing proof against the dominant new breed of application-layer attacks, as well as traditional network floods. On-premises DDoS defense enables granular responses, customized to the particular IT requirements of the iGaming environment, as well as corporate policies and business practices.

For an optimal solution, iGaming companies should deploy automated monitoring services in concert with on-premises DDoS defense to rapidly identify and react to evasive, repetitive or sustained attacks.

For increased protection against volumetric flooding attacks, which saturate Internet links, use a clean pipe solution in concert with an on-premises appliance.


Don’t Trust to Luck: Be Prepared

Players may trust in the roll of the dice, the spin of the wheel or the luck of the draw, but iGaming companies must combine best security practices and preparation to ensure the most effective DDoS defense against the extortionists, ruthless competitors and cheats arrayed against their business. Preparation and a thorough and well-coordinated response plan, in concert with on-premises DDoS defense technology, will ensure gambling sites remain up and running and available to players. Online gambling companies should follow these steps to prepare:

1. Develop a response plan

A response plan is the difference between coordinated action in the face of a DDoS attack and an all-hands-on-deck scramble while the gambling site continues under duress. The plan should list and describe the steps organizations should take when under attack. The response plan should:

• Outline the broad requirements for detection, mitigation, remediation and recovery efforts.

• Describe how the response team will be mobilized and ensure timely, accurate and consistent communications with key personnel.

• Specify the actions to be taken — and by whom — to identify the precise nature of the attack, its severity and quickly assess the risk to the business.

• Define post-attack procedures, including the collection of logs and forensic evidence, and documenting response and mitigation technology gaps, weaknesses, and lessons learned.

2. Create a DDoS attack response team

The response team are the “go-to” people when an iGaming site is hit by a DDoS attack. The team should possess the skills and experience to assess and address an attack rapidly and precisely. Key team members should include:

• A team leader to oversee response activity during an attack, assign roles to individuals, and train them.

• A system administrator to analyze alerts, logs and reports to determine what services, applications and/or devices are victims of a DDoS attack.

• A security expert to quickly tune on-premises DDoS defense technology, if necessary, and other security tools, such as firewall and IPS, to defend in real time against DDoS attacks.

• A networking expert to identify sources of network-layer DDoS attacks and begin to block attacking sources through on-premises DDoS defense technology.

3. Keep network information current

Regularly update documentation of logical and physical enterprise network topologies, the entire network perimeter, and Web and DNS infrastructure. This information is essential to understand what systems could be victims of DDoS attack, where the business may be at risk and how and where to respond.


In addition, take regular baseline assessments of “normal” traffic. Understanding the protocols, traffic types, available services, average traffic flows and overall network usage on enterprise networks enables quick and accurate identification of anomalous traffic, which may indicate a developing DDoS attack.

4. Deploy high-performance routers and firewalls

Be sure that Internet-facing router performance can handle worst-case traffic and connection loads. This will reduce the impact of unexpected traffic spikes and/or DDoS attacks on enterprise networks. Similarly, Internet perimeter/DMZ firewall performance should be high enough to handle worst-case traffic and connection loads, so the firewall is less likely to be overwhelmed by flooding attacks.

5. Maintain a thorough and aggressive vulnerability management program

Keep operating systems and applications on your application delivery servers up to date with the latest vendor patches and upgrades. This helps ensure they are less susceptible to attacks designed to exploit known vulnerabilities, including specially crafted packet DDoS attacks. Be sure to keep DNS server software current as well. These critical servers are often overlooked in security planning.

6. Follow threat trends and maintain vigilance

Research new DDoS attack vectors, attack tools and industry advisories regularly to identify new vulnerabilities and potential gaps in the enterprise’s DDoS response plan and update DDoS defense mechanisms. DDoS attacks are becoming increasingly sophisticated. Don’t wait for your network or critical business applications to become unresponsive before taking action. IT personnel should be trained to look for signs of DDoS rather than assume a sluggish or unresponsive server is the result of hardware or application issues, or simply a temporary traffic spike.

The Winning Hand: Corero’s DDoS Defense System

[Figure: Corero DDoS Defense System architecture (Three Dimensional Platform). Traffic passes in and out through three protection layers: Protection against DDoS Attacks, Protection against Undesired Access, and Protection against Malicious Content. Component technologies shown: Patented DDoS Defense, Application Rate Limits, Connection Limits, Client Request Limits, Request & Response Behavior Analysis, Stateful Filtering, Acceptable Application Usage, PVM+DVM Stateful Protocol Analysis, Attack and Vulnerability Signatures. An Attack Response Engine and Demerit Scoring System separate good traffic from bad traffic and produce blocked attacks, logged events, and forensic data & analysis.]


Unscrupulous competitors, unpaid extortionists and crooked players — anyone who tries to bring down an online gambling site — will discover the house wins when iGaming companies deploy Corero Network Security’s on-premises DDoS Defense System (DDS). DDS provides the most comprehensive protection against all forms of denial of service attacks. DDS detects and mitigates against stealthy application-layer attacks as well as network-layer flooding and reflective attacks.

Based on intelligent behavioral analysis, DDS leverages patented DDoS Defense algorithms and extensive rate-based protection mechanisms to prevent unwanted access and to detect and block all forms of Internet attacks. These integrated component technologies comprise Corero’s unique Three Dimensional Platform (3DP) architecture (see diagram, p. 8).

In order to stop DDoS attacks while allowing good traffic to pass without performance degradation, Corero’s behavioral analysis technology debits a DDS-maintained credit balance associated with each source IP address and blocks further requests from an IP address when the credits are depleted. The technology monitors both the number of client requests and behavioral characteristics of client-server communications, so that DDS effectively addresses low-bandwidth application-layer attacks and high-volume network-layer attacks.
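The per-source credit-balance idea just described, as an added Python illustration written for this page rather than Corero’s own patented algorithm: each request debits the source IP’s balance and the request is refused once the balance is exhausted. The refill rate, the rising cost for repeated requests to one resource, the addresses and the thresholds are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class SourceState:
    credits: float        # remaining credit balance for this source IP
    last_seen: float      # time of the last request, in seconds
    last_path: str = ""   # resource requested last time
    repeats: int = 0      # consecutive requests for the same resource

class CreditLimiter:
    """Per-source-IP credit balance in the spirit of the mechanism described above.
    Each request debits credits; once the balance cannot cover the cost, the request is refused.
    Two details are assumptions, not from the white paper: credits refill at refill_per_s up to
    max_credits (token-bucket style), and consecutive requests for the same resource cost
    progressively more, so a low-volume but repetitive source is exhausted long before a normal
    visitor who moves between pages."""

    def __init__(self, max_credits: float = 20.0, refill_per_s: float = 2.0,
                 base_cost: float = 1.0, repeat_penalty: float = 0.5) -> None:
        self.max_credits = max_credits
        self.refill_per_s = refill_per_s
        self.base_cost = base_cost
        self.repeat_penalty = repeat_penalty
        self.sources: Dict[str, SourceState] = {}

    def allow(self, ip: str, path: str, now: float) -> bool:
        """Return True if the request is admitted, False if the source is out of credit."""
        st = self.sources.get(ip)
        if st is None:
            st = self.sources[ip] = SourceState(credits=self.max_credits, last_seen=now)
        else:
            # Replenish for the idle time since the last request (assumed behaviour).
            st.credits = min(self.max_credits, st.credits + (now - st.last_seen) * self.refill_per_s)
            st.last_seen = now
        if path == st.last_path:
            st.repeats += 1
        else:
            st.repeats, st.last_path = 0, path
        cost = self.base_cost + self.repeat_penalty * st.repeats  # hammering one resource costs more each time
        if st.credits < cost:
            return False
        st.credits -= cost
        return True

    def balance(self, ip: str) -> float:
        """Current credit balance of a known source, rounded for display."""
        return round(self.sources[ip].credits, 2)

    def expire(self, now: float, idle_s: float = 600.0) -> int:
        """Drop state for sources idle longer than idle_s seconds; returns how many were removed."""
        stale = [ip for ip, st in self.sources.items() if now - st.last_seen > idle_s]
        for ip in stale:
            del self.sources[ip]
        return len(stale)

def simulate() -> Dict[str, List[bool]]:
    """Constructed scenario (documentation-range addresses): one bot re-requesting the odds page
    ten times a second, one visitor opening four different pages a second apart."""
    lim = CreditLimiter()
    bot = [lim.allow("203.0.113.10", "/sportsbook/odds", i / 10) for i in range(10)]
    pages = ["/", "/sportsbook", "/sportsbook/odds", "/bet/place"]
    visitor = [lim.allow("198.51.100.7", p, float(i)) for i, p in enumerate(pages)]
    return {"bot": bot, "visitor": visitor}

if __name__ == "__main__":
    for who, verdicts in simulate().items():
        print(who, ["ok" if v else "BLOCKED" for v in verdicts])
```

With these parameters the bot is refused from its eighth request onward while the visitor is never touched; the expiry step keeps the per-source table from growing without bound under a large botnet.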

With Corero’s DDS, online companies can ensure their customers uninterrupted play and ensure business continuity, even while under attack.

About Corero Network Security

Corero Network Security (CNS:LN) is an international network security company and the leading provider of Distributed Denial of Service (DDoS) defense and Intrusion Prevention System (IPS) solutions. Corero’s products and services provide comprehensive, integrated, high-performance protection against constantly evolving network-borne cyber threats. Customers include enterprises, service providers and government organizations worldwide. Corero’s appliance-based solutions are highly adaptive and preemptively respond to modern cyber attacks, known and unknown, protecting critical information and online assets. Corero’s products are transparent on the network, highly scalable, and feature the lowest latency and highest reliability in the industry. Corero is headquartered in Hudson, Mass., with offices around the world.

Corporate Headquarters: 1 Cabot Road, Hudson, MA 01749 USA. Phone: +1.978.212.1500

EMEA Headquarters: No. 1 Cornhill, London EC3V 3ND. Phone: +44 (0) 203 427 3407

Web: www.corero.com