The growing threat of DDoS attacks

03 January 2018 | Editorial

Corero Network Security’s customers experienced an average of 237 DDoS attack attempts a month during Q3 2017 – equivalent to eight attack attempts every day, which is almost double the number experienced in Q1 2017, according to its half-yearly DDoS Trends report.

Organisations around the globe have become increasingly dependent on the internet as a means to conduct business, and the internet-connected world has grown more complex due to faster throughput, larger connections, the internet of things (IoT), and public and private clouds. 

Simultaneously, distributed denial of service (DDoS) threats have become more sophisticated and common. Internet reliability can come down to a fraction of a second; since its inception, the internet has been all about availability. When the internet goes down, businesses that rely on that service go down with it, and DDoS attacks are considered one of the most serious threats to internet availability today. Downtime or latency significantly impacts brand reputation and, ultimately, revenue. 

When you combine the frequency and duration of attacks, and the low volume, sub-saturating nature of the threats, victims are faced with a significant security and availability challenge. Automated, real-time mitigation techniques must be in place to eliminate the repercussions of a DDoS attack. This report contains observations from DDoS attack attempts against Corero customers in Q2 2017 and Q3 2017, as well as comparisons with previous quarters. The data represents the frequency and sophistication of DDoS attacks that organisations face today.

TRENDS

Increase in frequency 1 400

We have just passed the first anniversary of what many believe to be one of the largest DDoS attacks recorded. Domain name service provider Dyn came under attack by two large and complex DDoS attacks against its managed DNS infrastructure. Because of the attacks, dozens of internet platforms and services – including major brands such as Twitter, Spotify, Reddit, Netflix and others – felt the significant ripple effect of service outages. 

Since that incident, other various large-scale DDoS attacks have made national or global headline news. However, those large-scale attacks are atypical of the types of disruptions that companies suffer from day to day. Frequent, modest-sized, short duration DDoS attacks are the modern-day problem, as they regularly cause the most damage. It’s these types of attacks on which businesses should focus. 

Corero has observed a jump in the frequency of attack attempts against customers. In Q3 2017, Corero customers experienced an average of 237 attacks a month, an increase of 35% compared with Q2 2017 (175 attacks). Worryingly, Corero saw an average of eight attack attempts per customer per day in Q3 2017 – double what was observed in Q1 2017.

Low volume, short duration attacks

While the frequency of attacks is concerning, the size and duration of attacks are also important to call out. Roughly 96% of mitigated DDoS attacks were less than 5Gbps in volume, in both Q2 and Q3 2017. 

The average duration of DDoS attacks is also cause for concern: 65% of attacks in Q2 2017 lasted 10 minutes or less, and in Q3, 71% were 10 minutes or less.

While attacks lasting five minutes or less make up the majority of the attack attempts, we noticed that attacks lasting 21-30 minutes dropped by 50% (Q1 versus Q3).2 680

Attack types

Corero has observed a wide range of DDoS attack types over the last two quarters. Two distinct attack types stand out:

1. Sophisticated, multi-vector attacks, aimed to deceive and overrun traditional IT security measures made up a significant portion of the attacks observed this year.

2. Service flood attacks aim to saturate the bandwidth target victim, resulting in service outages, downtime and latency.

Cyber-criminals are also switching methods, from simple volumetric attacks to multi-vector DDoS attacks. Modern toolkits can launch both infrastructure-based and application-based DDoS payloads, and attacks include SYN flood, UDP flood, domain name system query flood and GET floods. Attackers are implementing techniques to profile the nature of the target network’s security defences, and using subsequent techniques to implement second or third attacks designed to circumvent an organisation’s layered protection strategy. 

Multi-vector attack attempts are used (figure 1, below left) against Corero customers. We see service flood attacks as shown in figure 2 (below right) comprised TCP or UDP attacks such as SYN flood, ACK flood, reset flood and so on.3 680

INSIGHTS

RDoS 

Ransom denial of service (RDoS) made a significant comeback in Q3 2017. A widespread wave of RDoS threats from the Phantom Squad hacker group kicked off in September. These threats targeted companies throughout the world. This extortion campaign demanded Bitcoin payment, with promise to attack on 30 September unless the demands were met.

Most cyber security solutions focus on recovery from criminal extortion attacks, rather than defeating one. DDoS mitigation technology has evolved to deal with these attacks.4 680

IoT botnets should be a grave concern

IoT devices are usually poorly managed, patched and secured. These connected devices can be harnessed by hackers for a variety of nefarious purposes; in many cases hackers use them to form a botnet to carry out DDoS attacks. The latest IoT botnet plague making headlines is the Reaper botnet. At the time this paper was written (Nov 2017) the botnet was in the recruitment phase, and security experts have yet to see an attack. Its potential scale and power has the ability to create internet chaos and dire results for target victims.5 680

DDoS distraction; data exfiltration

Once a DDoS attack is underway, security personnel are often distracted by the DDoS traffic, which allows hackers to use whatever means at their disposal to penetrate a network or plant ransomware or malware. Such attacks are not designed to deny service, but to deny security, by acting as a camouflage that masks more sinister activities. 

RECOMMENDATIONS

Understand the evolving threat landscape

The sophistication of DDoS attacks continues to evolve, with multivector attacks being used more often than not. These attacks are used to profile existing security solutions and infrastructure, to probe and determine which vectors and techniques will prove successful. These attacks are also sophisticated enough to leave just enough bandwidth available for other cyber-attacks to make their way undetected into the network.

Talk DDoS with your ISP

Organisations that once had DDoS protection projects on the back burner are now re-prioritising their security strategies. This shift in precedence puts increased pressure on internet and cloud providers to enable this protection for their customers, and eliminate DDoS threats closer to the source. Providers are now accepting a greater responsibility for defending their customers and networks against DDoS attacks.  

Real-time threat detection and mitigation

Proactive DDoS protection is a critical element in proper cyber security against loss of service availability and data breach. The everyday DDoS attack cannot be properly defeated with traditional internet gateway security solutions such as firewalls, intrusion prevention systems and the like. Similarly, cloud based DDoS scrubbing alternatives cannot achieve successful mitigation with the low volume, short duration attacks that are impacting organisations every day. Time-to-mitigation must be a critical factor.6 680

Source: Corero DDoS Trends Report, Q2-Q3 2017

Topics: DDoS attack, market trend, wholesale telecoms, cybersecuity, Capacity media