Here, we assess what site owners can take from the attacks on US government sites. 

It used to be that when you were up to no good, there were still a few general rules you observed in order to maximise the amount of no-good you were able to do while minimising the probability of consequences.

For instance, if you and your friends set out in your mum’s minivan with five dozen eggs and a goal of splattering a building with yolk, you tended to choose a target of, say, an empty school instead of the police station. You would toilet-paper the house of a sophomore you didn’t like instead of the house belonging to your principal. And if you were the type to have ever set a nuisance fire, you would have set it in a park across town instead of putting a match to a paper bag outside of the fire station.

Times have changed. Not only has the no-good a lot of people get up to shifted from occurring in the physical world to occurring online, but that tacit respect for authority has gone out the window, as we’ve seen in the latest rash of high-profile DDoS attacks. Here’s what you can learn from the Vikingdom DDoS attacks on US government websites.

Anyone’s a target

If you have just one takeaway from what you’re about to read, it should be that if US government websites can be targeted by DDoS attacks, so can any website. US government websites are websites that you would think attackers would avoid. Instead, they’re juicy targets.

Over the last number of weeks a hacker group calling themselves Vikingdom have been targeting US websites like IN.gov and Maine.gov with DDoS attacks. The reasoning for this is simple: any attack on a US government website automatically qualifies as a high-profile attack, and what these attackers want is publicity. And they got it. Even if their attacks weren’t particularly powerful or effective, Vikingdom still made the news.

It’s pretty common for hacker groups to be publicity hungry, and the reasoning for that usually comes down to money. Just like with the Lizard Squad, who launched high-profile attacks on Sony in order to advertise their DDoS for hire services, it’s likely that Vikingdom has business in mind with these attacks. So if you were thinking your site is safe because it isn’t high-profile, think again. The easy money to be made in DDoS attacks, including DDoS for hire, comes from companies paying ransom demands in order to prevent attacks on their websites.

Two sides to the story

Vikingdom had a total of 44 websites on their list of targets. In all, they were able to temporarily take down between five and seven websites. After the attacks on Maine.gov made the news, Vikingdom claimed to SC Magazine UK that it had been the ‘biggest attack ever’, one that peaked at over ‘3.5 Tbps’.

The experts at internet security firm Incapsula saw the Vikingdom attacks in a different way. According to their analysis of one of the attacks they mitigated, the attack actually peaked around 8.74 Gbps. This qualifies it as a small to medium attack, which is sort of like the biggest attack ever, except for the fact that it really isn’t at all.

Incapsula found that Vikingdom used NTP amplification attacks, a type of DDoS attack that provokes a server response that is disproportionately large compared to the size of the original packet.

DDoS lessons for every site owner

DDoS attacks have been becoming increasingly common over the last couple of years, and that trend isn’t going to slow down anytime soon, especially now that DDoS attacks are regularly making the news. DDoS attacks range from smaller scale, like the ones launched by Vikingdom, to absolutely, positively devastating, like a 38-day DDoS attack on a gaming site.

DDoS attacks not only cause site outages, they cause a loss of revenue, a degradation of consumer trust, software and hardware damage, and potential theft of intellectual property, financial information, and customer data.

While the Vikingdom attacks have turned out to be pretty small in scale, even a small scale DDoS attack will wreak havoc on the average website. These attacks are routine for professional DDoS protection services, but without that protection, you’re looking at either paying a ransom demand, or trying to deal with an outage and who knows how much other damage. If attackers will attack US government websites, you should probably assume that your site is on someone’s list somewhere out there.