Short, low-volume DDoS attacks pose greatest security and availability threat to businesses
How can your organisation defend against constant DDoS attacks?
Think what you can’t see can’t hurt you? A new report from Corero Network Security has shown that, when it comes to DDoS attacks, this is definitely not the case. The report suggests that the barrage of short, low volume DDoS attacks – which often go undetected by IT security staff and many DDoS protection systems – are in fact, the greatest DDoS risk for organisations, because they frequently go undetected and often mask more serious network intrusions.
According to the DDoS Trends and Analysis Report, these short, stealth DDoS attacks are often used to disrupt and distract network operators. Typically less than 10Gbps in volume and less than 10 minutes in duration, these sub-saturating attacks are capable of knocking a firewall or intrusion prevention system (IPS) offline so that hackers can target, map and infiltrate a network to install malware and engage data exfiltration activity. These hidden motives have led Corero to describe this type of attack as “Trojan Horse” DDoS.
Stephanie Weagle, VP at Corero Network Security discusses the key findings from the report below, and what the increased frequency and sophistication of DDoS attacks means for organisations trying to defend against today’s evolving cyber threat landscape.
What were the findings from your latest DDoS Trends report?
“The research shows that short, frequent, low-volume DDoS attacks continue to be the norm. Despite several headline-dominating, high-volume DDoS attacks over the past year, the majority (80%) of the DDoS attack attempts against Corero customers during Q1 2017 were less than 1Gbps per second in volume. In addition, almost three quarters (71%) of the attacks mitigated by Corero lasted 10 minutes or less.
In total, Corero customers experienced an average of 124 DDoS attack attempts per month, equivalent to 4.1 attacks per day during Q1 of 2017. This is a 9 percent increase in attacks over Q4 2016.”
Since last year’s attacks on Krebs on Security and Dyn, have we entered a quiet phase in terms of DDoS attacks?
“As the research shows, DDoS attacks are by no means slowing down. The DDoS incidents that are experienced on a daily basis are the short, low volume attacks—just because these attacks aren’t making the evening news, does not mean that they don’t occur. “
Why are these short, sub-saturating denial-of-service attacks so dangerous?
“The Internet of Things (IoT) introduced a host of opportunities for DDoS hackers as these devices hold the potential for extremely large botnets. Corero has identified a 55% increase in large DDoS attacks of more than 10Gb per second, in the first quarter of 2017, compared to the previous quarter. However, low-volume, short duration DDoS attacks can also be dangerous. Our report discovered that 73% of attacks in Q4 2016 and 71% of Q1 2017 lasted 10 minutes or less. These attacks can be a smokescreen, designed not to outright deny service but to distract from an alternative motive, usually data theft and network infiltration. This allows hackers to perfect their attack techniques while remaining under the radar. In addition to service outages, latency and downtime, short attacks allow cyber criminals to test for vulnerabilities within a network.”
Why would hackers choose to inflict these short attacks, rather than to cause large-scale outages?
“These smaller, shorter attacks typically evade detection by most legacy and homegrown DDoS mitigation tools, which are generally configured with detection thresholds that ignore this level of activity. This allows hackers to perfect their attack techniques while remaining under the radar, leaving security teams blindsided by subsequent attacks.”
Can you give any examples of these kind of attacks inflicting serious damage?
“Luckily for Corero customers, dealing with the repercussions of DDoS is a non-issue. Attacks are mitigated instantaneously, and good user traffic continues to flow and reach its destination as intended. Outside of the Corero customer base, some widely publicized attacks that led to data breach activity include TalkTalk and Carphone Warehouse.”
Which are the sectors or organisations that are most at risk of attacks?
“The reality is that any business that relies on the Internet to conduct business is at risk of a DDoS attack. But service providers in particular will find themselves at an important crossroads in the near future, as pressure builds from both customers’ and governments’ sides regarding their responsibilities when it comes to protecting their customers. That said, ISP’s and hosting providers can take advantage of the DDoS opportunity to not only protect existing infrastructure and assets, but also roll out profitable and effective DDoS protection services.”
Do these kinds of attacks represent an additional risk for organisations preparing for GDPR?
“GDPR is the hot buzz word heard around the cyber security industry lately. The risk of data theft resulting from sub-saturating DDoS attacks is extremely serious, and claiming to be ignorant of malicious activity on your network will not substitute a defence. To keep up with the growing sophistication and organization of well-equipped and well-funded threat actors, it’s essential that organizations maintain a comprehensive visibility across their networks to detect and block any potential DDoS incursions as they arise.”
How can businesses best defend themselves against the latest DDoS attacks?
“The combination of the size, frequency and duration of modern attacks represent a serious security and availability challenge for victims. Minutes or even tens of minutes of downtime or latency significantly impacts brand reputation and, ultimately, revenue generation. When you combine the size, frequency and duration of attacks, and the low volume sub-saturating nature of the threats; victims are faced with a significant security and availability challenge.
“Today’s DDoS attacks are almost unrecognizable from the early days of attacks, when most were simple, volumetric attacks intended to cause embarrassment and brief disruption. Nowadays, the motives behind attacks are increasingly unclear and the techniques are becoming ever-more complex. This is particularly true in light of automated attacks, which allow attackers to switch attack vectors faster than any human can respond.
“To keep up with the growing sophistication and organization of well-equipped and well-funded threat actors, it’s essential that organizations maintain a comprehensive visibility across their networks to detect and block any potential DDoS incursions as they arise. Automated, real-time mitigation techniques must be in place to eliminate the repercussions of the full spectrum of today’s DDoS attacks.”