Corero White Paper

The House Wins: Keeping Online Gambling in Play Against Denial-of-Service Attacks

Defending Online Gambling Against DDoS Attacks

TABLE OF CONTENTS

Executive Summary
The Stakes Are High for iGaming Companies
Attackers Try to Rig the Game with Application-Layer Attacks
Criminals and Competitors Take a Piece of the Action
Best Bet: On-premises DDoS Defense
Don’t Trust to Luck: Be Prepared
The Winning Hand: Corero’s DDoS Defense System

Executive Summary

Hackers are betting on distributed denial-of-service (DDoS) attacks to make money in the online gambling market. But what is making them money is costing revenue for the victim companies. Every second that someone cannot place a wager or play their favorite casino game translates not only to an immediate loss of revenue but to future losses, as players move on to other online gambling sites.

DDoS attacks and the threat of a DDoS attack to extort ransom have been the cards criminals have played against online gambling — also known as Internet gaming or iGaming — companies over the last decade. Yet, these criminal attacks on online gambling businesses are growing in intensity and are continuing to shut down sites. The primary reason is the increasing sophistication of DDoS attack methods, particularly low and slow application-layer attacks, which are extremely difficult to detect and almost impossible to mitigate using traditional services and techniques.

For the most comprehensive protection against all forms of DDoS attack, iGaming companies should bet on on-premises DDoS defense appliances.

This white paper examines: who is responsible for the DDoS threat against the iGaming industry; what’s at stake for gambling services companies; the latest DDoS attack trends, and recommendations for an effective DDoS defense program to thwart those who would do your business harm. The paper also highlights how Corero Network Security provides a comprehensive solution that ensures continued availability of iGaming services to customers in the face of both new application- and traditional network-layer DDoS attacks.

The Stakes Are High for iGaming Companies

[Figure: Global Online Gambling Revenue (Billions USD), 2005 to 2013. Source: Global Betting and Gaming Consultancy]

DDoS attacks threaten the growing, multibillion-dollar global iGaming business. iGaming revenue is expected to reach $41.7 billion in the next year, according to Global Betting and Gaming Consultants (See “Online Global Gambling Revenue,” above). Online gambling is a high-speed, volatile market, in which time very literally is money. It also is intensely competitive, as online gambling companies vie for business from a finite pool of regular, repeat customers, as well as the more casual player.

It isn’t surprising that DDoS is a widespread problem in the iGaming industry. Any business that relies on the Internet to make money is a target, and online gambling is at the forefront. A survey of 300 enterprises sponsored by Corero revealed that a third had suffered at least one DDoS attack in the past 12 months and 42% of those victim companies had experienced multiple attacks.

Anywhere, anytime Internet access has upped the ante. Smart phones, tablet computing devices, high-speed home Internet access and extensive WiFi availability are creating a huge on-demand gambling environment.

Online gambling providers have responded with a comprehensive selection of customer services, led overwhelmingly by sports wagering (see “Global Share of Online Gambling by Type,” below); followed by casino games, such as roulette and slot machines; online poker; skill games; bingo and lotteries.

[Figure: Global Share of Online Gambling by Type (Sports Betting, Casino, Poker, Bingo, Skill & Other Gaming, State Lotteries). Source: Global Betting and Gaming Consultancy]

But customer loyalty can be fleeting, and DDoS attacks can drive away players in a hurry. Players want iGaming services that are always available. They expect a seamless experience. Internet gambling companies must ensure their sites are always up, with the full range of betting options available, without interruption or degraded performance. If a player faces a downed site or sluggish performance, they will place their bets on another site.

Attackers Try to Rig the Game with Application-Layer DDoS Attacks

Traditional Anti-DDoS Solutions

These services can complement on-premises DDoS defense to protect against overwhelming attacks that saturate Internet links with traffic.

Service: Over-Provisioning Bandwidth
Description: Enterprise purchases additional bandwidth to absorb flooding attacks.
Limitations:
• Ineffective against application-layer attacks
• Creates endless cycle of escalation
• Reactionary
• Not cost-effective

Service: “Clean-Pipe” Services
Description: ISP routes suspect traffic to proxy that “scrubs” it clean of malicious packets.
Limitations:
• Ineffective against application-layer attacks
• Reactionary
• Legitimate traffic can be lost

Service: Specialized Cloud-based Services
Description: Service provider scrubs traffic during a network-layer attack, then routes good traffic to the client network.
Limitations:
• Ineffective against application-layer attacks
• Reactionary
• No visibility into outbound traffic and server services

DDoS attacks continue to succeed and seriously impact iGaming businesses largely because the new breed of insidious application-layer attacks frustrates traditional DDoS mitigation services.

iGaming companies generally are well aware of the DDoS threat, many having had direct experience. They are all too cognizant that a well-timed sustained attack could cost them millions. So, they often turn to their Internet Service Providers (ISPs) to overprovision bandwidth to offset the impact of traditional network flooding DDoS attacks. They may also contract for so-called “clean pipe” anti-DDoS services or turn to specialized cloud-based service providers to combat DDoS attacks (See “Traditional Anti-DDoS Solutions,” above).

But by betting on these services — once an almost sure thing — iGaming companies are not prepared for application-layer attacks. These solutions are ineffective against application-layer techniques, which are more difficult to detect and mitigate than traditional network attacks (such as SYN, UDP and ICMP floods that fill the Internet pipes with enormous volumes of traffic).

Application-layer attacks, by comparison, create far less traffic and appear to be legitimate connections to targeted servers. Often, victim gambling companies are not even aware they are under attack – with the site remaining active but sluggish. For example, the popular repetitive HTTP GET attacks (see “Application Layer HTTP GET DDoS Attack”, below), cripple the target server by overwhelming it with requests for a resource. The traffic seems “normal,” the volume is low, and the attack can be carried out by a small number of people or small botnet, compared to massive flooding attacks.
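An added example, not part of the white paper: one way to surface the repetitive HTTP GET pattern described above from web server access logs, where each source's volume is low but the same resource is requested over and over. It assumes Common Log Format; the window, threshold, addresses and paths are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: ip ident user [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3} \S+')


def parse_line(line):
    """Return (ip, datetime, method, path) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, stamp, method, target = m.groups()
    try:
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    # Count per resource: drop the query string so varying parameters
    # do not split one resource into many counters (a choice made here).
    return ip, when, method, target.split("?", 1)[0]


def find_repetitive_gets(lines, window_s=10, threshold=5):
    """Flag (ip, path) pairs with >= threshold GETs inside window_s seconds.

    Assumes lines arrive in timestamp order, as they do in a live log.
    Returns {(ip, path): peak request count seen inside one window}.
    """
    recent = defaultdict(deque)  # (ip, path) -> timestamps still in window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] != "GET":
            continue
        ip, when, _method, path = rec
        q = recent[(ip, path)]
        q.append(when)
        while (when - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[(ip, path)] = max(flagged.get((ip, path), 0), len(q))
    return flagged


def sample_log():
    """Constructed sample: one repetitive source plus ordinary browsing."""
    lines = [
        f'203.0.113.7 - - [12/Mar/2012:20:00:{s:02d} +0000] '
        f'"GET /odds/live?r={s} HTTP/1.1" 200 5120'
        for s in range(8)
    ]
    lines += [
        '198.51.100.20 - - [12/Mar/2012:20:00:08 +0000] "GET / HTTP/1.1" 200 1043',
        '198.51.100.20 - - [12/Mar/2012:20:00:09 +0000] "GET /poker/lobby HTTP/1.1" 200 8811',
        '198.51.100.20 - - [12/Mar/2012:20:00:15 +0000] "POST /bet HTTP/1.1" 302 0',
        'garbage line that is not in log format',
        '198.51.100.20 - - [12/Mar/2012:20:00:40 +0000] "GET / HTTP/1.1" 200 1043',
    ]
    return lines


if __name__ == "__main__":
    for (ip, path), peak in find_repetitive_gets(sample_log()).items():
        print(f"{ip} requested {path} {peak} times within one window")
```

Eight requests in eight seconds would never trip a bandwidth alarm; the signal is the repetition per source and resource, so the threshold should be set from the site's own baseline of normal traffic.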

[Figure: Application Layer HTTP GET DDoS Attack. Labels: Bot Master, Botnet Command and Control, Botnet (Bots), Internet, Good TCP Connections, Repetitive HTTP GETs, Victim Web Servers]

As a result, these attacks are more damaging, as gambling sites are taken off guard. By the time they realize they are under attack, their customers already are spending money at competitors’ sites. If the attacks are frequent and sustained, they may never return. Customer loyalty is only as good as the service they receive. Hackers know this and are betting on it to blackmail iGaming sites into paying ransom to stop attacks.

Witness this reported comment from a spokesman for the online gambling site Paddy Power under DDoS attack in April 2011:

“We are experiencing a protracted and malicious attack on our systems with the sole objective to bring down our website and prevent our customers from placing bets. We have systems in place to defend our site against such attacks. However, these systems have failed to protect us due to the sophistication of the attack.”

The attackers are well aware of mitigation techniques and, as is true across the security landscape, develop new techniques to stay ahead of defensive mechanisms. As more iGaming companies adopt traditional defensive measures, their adversaries have turned to the more sophisticated, more elusive and ultimately more effective application-layer DDoS attacks.

A new breed of so-called “slow” application-layer attacks, Slowloris and HTTP Post, bring web servers down by slowing requests. A more recent variant induces slow server responses. The aim is to deliver attacks that require fewer resources and are increasingly difficult to detect.

As a result, DDoS attacks remain persistent and successful assaults on the stability and profitability of Internet gambling, even as iGaming companies attempt to counter the threats.

Criminals and Competitors Take a Piece of the Action

[Figure: DDoS Attack Motivations (Political / Ideological, Competitive Advantage, Financial Extortion, Just for Laughs). Source: Vanson Bourne survey]

The most frequent perpetrators of DDoS attacks against online gambling sites are competitors attempting to undermine the business and drive customers to their own sites. In fact, unscrupulous competitors are cited as the leading force behind DDoS attacks across all industries. The Corero-sponsored survey noted above found that nearly half the enterprises that experienced DDoS attacks blamed competitors seeking unfair business advantage (See “DDoS Attack Motivations,” above).

It makes good business sense, albeit from a criminal perspective. Who better than the competition understands the consequences of a prolonged service outage both in terms of direct loss of revenue and the volatility of the customer base? And with an attack method that uses legitimate resources the attackers also have plausible deniability.

Online gambling companies understand that this sort of practice is an unfortunate fact of life among the less reputable businesses in the industry. A statement from online gambling software company Top Game Casinos in August 2011, posted on the forum of the Casinomeister site, declared that the company’s “recent investigation has revealed that the attacker does not only own and manage several online casinos and a fairly known affiliate program, but has also recently launched his own gaming software.”

Attackers know when the stakes are highest. For example, in August 2009, Australia’s largest online betting sites were shut down on the eve of the Australian Football League and National Rugby League finals, reportedly resulting in losses of millions of dollars.

Criminal extortion under threat of DDoS is also all too common.
Like unscrupulous competitors, these extortionists understand how to hurt iGaming businesses. The threat of a DDoS attack is typically timed for maximum effect, in advance, for example, of a major sporting event such as the Super Bowl or a World Cup match, or a major holiday. They also will calculate the size of the ransom based on the likely financial impact of a sustained and successful DDoS attack at such a time. What’s $50,000 compared with the potential loss of millions?

Often, the criminals will take the site down briefly as a demonstration to show that they are capable of carrying out their threat. They often will make good on their threat if they are refused. Unfortunately, companies that pay these ransoms sometimes get a reputation as a “soft touch” and will be hit repeatedly.

Arrests are not all that frequent, but there have been notable exceptions. For example:

• Three Russian men were sentenced to eight years in prison in 2006 after extorting $4 million from British gambling sites under threat of DDoS. One company that refused to pay a $10,000 ransom lost $200,000 in business during the Breeders’ Cup races.
• A German man with more modest ambitions was convicted in June 2011 of attempting to extort $3,700 each from six online gambling sites, threatening to launch DDoS attacks during the 2010 World Cup. It is interesting to note that the unsuccessful extortionist was armed with a $65 per day Russian botnet, underscoring how DDoS is well within the means of criminals and competitors. Attackers also can rent a DDoS “hit squad” to launch attacks on their behalf.
• Two Korean men were arrested in January 2011 after launching DDoS attacks against 100 rival sites for two hours a day over a two-week period.

Sometimes, players themselves will launch narrow, session-based DDoS attacks to avoid losing. For example, a poker player dealt a poor hand may launch an attack to cause the game to malfunction.
Typically, the site’s policy is that no players lose their money if there is a game malfunction. The cheating player recoups his loss, but the online gambling site can’t collect any of the bets placed. What’s more, players who believe they held a winning hand are bound to be upset that the session was curtailed before they had a chance to cash in.

Best Bet: On-premises DDoS Defense

Although the odds may appear to be stacked in favor of the attackers, online gambling companies can still come out winners. Since traditional services offer ineffective or incomplete protection, what’s required is a solution that provides comprehensive protection against a wide range of DDoS attacks including conventional network flooding and new application-layer attacks.

Dedicated, on-premises DDoS defense appliances are the optimal solution. Installed in front of firewalls, applications and database servers, on-premises technology is the first line of defense against all DDoS attacks. On-premises appliances provide automated detection and mitigation against the full arsenal of attackers’ DDoS weapons, standing proof against the dominant new breed of application-layer attacks, as well as traditional network floods.

On-premises DDoS defense enables granular responses, customized to the particular IT requirements of the iGaming environment, as well as corporate policies and business practices.

For an optimal solution, iGaming companies should deploy automated monitoring services in concert with on-premises DDoS defense to rapidly identify and react to evasive, repetitive or sustained attacks. For increased protection against volumetric flooding attacks, which saturate Internet links, use a clean pipe solution in concert with an on-premises appliance.

Don’t Trust to Luck: Be Prepared

Players may trust in the roll of the dice, the spin of the wheel or the luck of the draw, but iGaming companies must combine best security practices and preparation to ensure the most effective DDoS defense against the extortionists, ruthless competitors and cheats arrayed against their business.

Preparation and a thorough and well-coordinated response plan, in concert with on-premises DDoS defense technology, will ensure gambling sites remain up and running and available to players. Online gambling companies should follow these steps to prepare:

1. Develop a response plan

A response plan is the difference between coordinated action in the face of a DDoS attack and an all-hands-on-deck scramble while the gambling site continues under duress. The plan should list and describe the steps organizations should take when under attack. The response plan should:

• Outline the broad requirements for detection, mitigation, remediation and recovery efforts.
• Describe how the response team will be mobilized and ensure timely, accurate and consistent communications with key personnel.
• Specify the actions to be taken — and by whom — to identify the precise nature of the attack, its severity and quickly assess the risk to the business.
• Define post-attack procedures, including the collection of logs and forensic evidence, and documenting response and mitigation technology gaps, weaknesses, and lessons learned.

2. Create a DDoS attack response team

The response team are the “go-to” people when an iGaming site is hit by a DDoS attack. The team should possess the skills and experience to assess and address an attack rapidly and precisely. Key team members should include:

• A team leader to oversee response activity during an attack, assign roles to individuals, and train them.
• A system administrator to analyze alerts, logs and reports to determine what services, applications and/or devices are victims of a DDoS attack.
• A security expert to quickly tune on-premises DDoS defense technology, if necessary, and other security tools, such as firewall and IPS, to defend in real time against DDoS attacks.
• A networking expert to identify sources of network-layer DDoS attacks and begin to block attacking sources through on-premises DDoS defense technology.

3. Keep network information current

Regularly update documentation of logical and physical enterprise network topologies, the entire network perimeter, and Web and DNS infrastructure. This information is essential to understand what systems could be victims of DDoS attack, where the business may be at risk and how and where to respond.

In addition, take regular baseline assessments of “normal” traffic. Understanding the protocols, traffic types, available services, average traffic flows and overall network usage on enterprise networks enables quick and accurate identification of anomalous traffic, which may indicate a developing DDoS attack.

4. Deploy high-performance routers and firewalls

Be sure that Internet-facing router performance can handle worst-case traffic and connection loads. This will reduce the impact of unexpected traffic spikes and/or DDoS attacks on enterprise networks. Similarly, Internet perimeter/DMZ firewall performance should be high enough to handle worst-case traffic and connection loads, so the firewall is less likely to be overwhelmed by flooding attacks.

5. Maintain a thorough and aggressive vulnerability management program

Keep operating systems and applications on your application delivery servers up to date with the latest vendor patches and upgrades. This helps ensure they are less susceptible to attacks designed to exploit known vulnerabilities, including specially crafted packet DDoS attacks.
Be sure to keep DNS server software current as well. These critical servers are often overlooked in security planning.

6. Follow threat trends and maintain vigilance

Research new DDoS attack vectors, attack tools and industry advisories regularly to identify new vulnerabilities and potential gaps in the enterprise’s DDoS response plan and update DDoS defense mechanisms. DDoS attacks are becoming increasingly sophisticated.

Don’t wait for your network or critical business applications to become unresponsive before taking action. IT personnel should be trained to look for signs of DDoS rather than assume a sluggish or unresponsive server is the result of hardware or application issues, or simply a temporary traffic spike.

The Winning Hand: Corero’s DDoS Defense System

[Diagram labels: IN; Protection against DDoS Attacks; Protection against Undesired Access; Protection against Malicious Content; Demerit Scoring System; Patented DDoS Defense; Client Request Limits; Application Rate Limits; Connection Limits; Stateful Filtering; Request & Response Behavior Analysis; PVM+DVM; Stateful Protocol Analysis; Attack and Vulnerability Signatures; Acceptable Application Usage; Attack Response Engine; Logged Events; Blocked Attacks; Forensic Data & Analysis; Good Traffic; Bad Traffic; OUT]

Unscrupulous competitors, unpaid extortionists and crooked players — anyone who tries to bring down an online gambling site — will discover the house wins when iGaming companies deploy Corero Network Security’s on-premises DDoS Defense System (DDS).

DDS provides the most comprehensive protection against all forms of denial of service attacks. DDS detects and mitigates against stealthy application-layer attacks as well as network-layer flooding and reflective attacks.
Based on intelligent behavioral analysis, DDS leverages patented DDoS Defense algorithms and extensive rate-based protection mechanisms, prevents unwanted access, and detects and blocks all forms of Internet attacks. These integrated component technologies comprise Corero’s unique Three Dimensional Platform (3DP) architecture (see diagram above).

In order to stop DDoS attacks while allowing good traffic to pass without performance degradation, Corero’s behavioral analysis technology debits a DDS-maintained credit balance associated with each source IP address and blocks further requests from an IP address when the credits are depleted. The technology monitors both the number of client requests and behavioral characteristics of client-server communications, so that DDS effectively addresses low-bandwidth application-layer attacks and high-volume network-layer attacks.

With Corero’s DDS, online companies can ensure their customers uninterrupted play and ensure business continuity, even while under attack.

About Corero Network Security

Corero Network Security (CNS:LN) is an international network security company and the leading provider of Distributed Denial of Service (DDoS) defense and Intrusion Prevention System (IPS) solutions. Corero’s products and services provide comprehensive, integrated, high-performance protection against constantly evolving network-borne cyber threats.

Customers include enterprises, service providers and government organizations worldwide. Corero’s appliance-based solutions are highly adaptive and preemptively respond to modern cyber attacks, known and unknown, protecting critical information and online assets. Corero’s products are transparent on the network, highly scalable, and feature the lowest latency and highest reliability in the industry. Corero is headquartered in Hudson, Mass., with offices around the world.

Corporate Headquarters
1 Cabot Road
Hudson, MA 01749 USA
Phone: +1.978.212.1500

EMEA Headquarters
No. 1 Cornhill
London EC3V 3ND
Phone: +44 (0) 203 427 3407

Web: www.corero.com
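An added example, not Corero's code or its patented algorithm: a minimal model of the per-source credit balance described in the DDS section above, in which every request debits the balance, behavioral characteristics debit it further, and a depleted source is blocked. The costs, the refill over time, the behaviors scored and the sample traffic are all assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class CreditLedger:
    """Per-source credit balance: requests debit it, elapsed time refills it."""
    start_credits: float = 10.0   # assumed starting balance, also the cap
    refill_per_s: float = 1.0     # assumed refill; the paper states no policy
    request_cost: float = 1.0     # debit for every request (request count)
    repeat_cost: float = 2.0      # extra debit: same resource as last request
    slow_cost: float = 5.0        # extra debit: request was trickled in slowly
    slow_after_s: float = 10.0    # delivery time above this counts as slow
    _sources: dict = field(default_factory=dict)  # ip -> (balance, seen, path)

    def admit(self, ip, now, path, send_time_s=0.0):
        """Return True to forward the request, False to block it."""
        balance, seen, last_path = self._sources.get(
            ip, (self.start_credits, now, None))
        # Credits earned back since this source was last seen, up to the cap.
        balance = min(self.start_credits,
                      balance + (now - seen) * self.refill_per_s)
        if balance <= 0:
            # Depleted: block, but keep the clock so the balance can recover.
            self._sources[ip] = (balance, now, path)
            return False
        cost = self.request_cost
        if path == last_path:
            cost += self.repeat_cost
        if send_time_s > self.slow_after_s:
            cost += self.slow_cost
        self._sources[ip] = (balance - cost, now, path)
        return True


def simulate():
    """Constructed 30-second traffic mix; returns admitted count per source."""
    ledger = CreditLedger()
    events = []  # (completion time, ip, path, seconds taken to send request)
    for i in range(60):   # repetitive GETs: one resource, two per second
        events.append((i * 0.5, "203.0.113.7", "/odds/live", 0.0))
    for i in range(8):    # ordinary player: a different page every 4 seconds
        path = "/" if i % 2 else "/poker/lobby"
        events.append((i * 4.0, "198.51.100.20", path, 0.0))
    for i in range(5):    # slow sender: each request took 30 s to arrive
        events.append((float(i), "192.0.2.99", f"/account/{i}", 30.0))
    admitted = {}
    for now, ip, path, send_time in sorted(events):
        ok = ledger.admit(ip, now, path, send_time)
        admitted[ip] = admitted.get(ip, 0) + (1 if ok else 0)
    return admitted


if __name__ == "__main__":
    for ip, count in simulate().items():
        print(f"{ip}: {count} requests admitted")
```

In this model the repetitive source gets 14 of its 60 requests through and the slow sender 3 of 5, while the ordinary player is never blocked, even though none of the three sends enough traffic to register as a flood.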