Whirlpool DDoS investigation dropped

Hosting company Bulletproof Networks and Whirlpool have decided to pull the plug on an official investigation into those responsible for distributed denial of service attacks levelled against the broadband forum this week.

The attacks, which took Whirlpool offline for two days this week, were set to be escalated to the Australian Federal Police after Bulletproof informed NSW Police.

But after evading further attacks using a reverse proxy hosted at Amazon.com, Whirlpool and Bulletproof have decided not to proceed with the investigation.

In a prepared statement, Bulletproof chief operating officer Lorenzo Modesto told iTnews it had decided to "suspend investigations for the moment as a sign of goodwill."

Whirlpool founder Simon Wright later told iTnews in an interview that the "effort involved to follow through the investigation would mean a large amount of work.

"All that work would probably be to find a schoolkid at the other end who is upset he got banned from forums for using bad language," Wright said. "All that effort over a kid. At the end of the day, the benefit wouldn't scale to the effort."

Security analyst James Turner commented that it was a "classic" dilemma for the IT industry. Attributing the work of security commentator Bruce Schneier, Turner said there is a "cost asymmetry" involved in protecting any network.

"It costs very little to direct a very concerted attack, but it is quite expensive for a target to defend themselves," he said. "The economics are badly in favour of the attacker."

Wright agreed wholeheartedly.

"You can boil it down further," he said. "It is easier to destroy than to create. Causing chaos in any sphere is easy to do, creating a web site or community, hosting it, that takes a hell of a lot more effort."

The volume of HTTP packets used in the attack was "absolutely outrageous", Wright noted.

"It was the kind of volume that could take down banks - very few companies could be prepared for this," he said. "You would need so much excess infrastructure to cope."

Should the police be involved?

While he feels that "reporting criminal activity to the relevant authorities is the right thing to do", Turner said he understood the difficulty any not-for-profit would have in justifying the resources required to assist in a lengthy investigation.

Wright told iTnews it would be unfair to say that Whirlpool or Bulletproof has capitulated to the attacker(s). The investigation would "still be happening" if the DDoS attacks continued, he said.

"If [the attacker] was willing to pursue it, they would leave us no choice," he said. "We can't accept the situation of the site being down. We would have been pushing ahead with an investigation, with every avenue we could think of."

Turner said DDoS attacks are becoming increasingly common, and more Australian organisations need to be frank with their peers and go public after an attack.

"I firmly believe that Australian organisations do need to declare when they have been attacked," he said. "It is really important.

"Security professionals only have access to attack information from vendor reports, which are inherently self-serving. There is very little information to go on in the wider industry.

"If organisations are reasonably confident as to how an attack was orchestrated or who was responsible, they should go to the media," he said.

"They might think that they should keep quiet because they are alone - but that is probably not the case."

For now, the Whirlpool problem is resolved. Wright described Bulletproof's solution as "inspired".

"They did exactly what they should have done," he said. "Bulletproof's first step was and should be to ensure the integrity of their network.

"Whirlpool was the target, we didn't get to go back online straight away, but that's understandable. We had to cop it. I'd still recommend Bulletproof."