03 January 2018
Organisations around the globe have become increasingly
dependent on the internet as a means to conduct business, and
the internet-connected world has grown more complex due to
faster throughput, larger connections, the internet of things
(IoT), and public and private clouds.
Simultaneously, distributed denial of service (DDoS) threats
have become more sophisticated and common. Internet reliability
can come down to a fraction of a second; since its inception,
the internet has been all about availability. When the internet
goes down, businesses that rely on that service go down with
it, and DDoS attacks are considered one of the most serious
threats to internet availability today. Downtime or latency
significantly impacts brand reputation and, ultimately,
When you combine the frequency and duration of attacks, and
the low volume, sub-saturating nature of the threats, victims
are faced with a significant security and availability
challenge. Automated, real-time mitigation techniques must be
in place to eliminate the repercussions of a DDoS attack. This
report contains observations from DDoS attack attempts against
Corero customers in Q2 2017 and Q3 2017, as well as comparisons
with previous quarters. The data represents the frequency and
sophistication of DDoS attacks that organisations face
Increase in frequency
We have just passed the first anniversary of what many
believe to be one of the largest DDoS attacks recorded. Domain
name service provider Dyn came under attack by two large and
complex DDoS attacks against its managed DNS infrastructure.
Because of the attacks, dozens of internet platforms and
services – including major brands such as Twitter,
Spotify, Reddit, Netflix and others – felt the
significant ripple effect of service outages.
Since that incident, other various large-scale DDoS attacks
have made national or global headline news. However, those
large-scale attacks are atypical of the types of disruptions
that companies suffer from day to day. Frequent, modest-sized,
short duration DDoS attacks are the modern-day problem, as they
regularly cause the most damage. It’s these types
of attacks on which businesses should focus.
Corero has observed a jump in the frequency of attack
attempts against customers. In Q3 2017, Corero customers
experienced an average of 237 attacks a month, an increase of
35% compared with Q2 2017 (175 attacks). Worryingly, Corero saw
an average of eight attack attempts per customer per day in Q3
2017 – double what was observed in Q1 2017.
Low volume, short duration attacks
While the frequency of attacks is concerning, the size and
duration of attacks are also important to call out. Roughly 96%
of mitigated DDoS attacks were less than 5Gbps in volume, in
both Q2 and Q3 2017.
While attacks lasting five minutes or less make up the
majority of the attack attempts, we noticed that attacks
lasting 21-30 minutes dropped by 50% (Q1 versus Q3).
Corero has observed a wide range of DDoS attack types over
the last two quarters. Two distinct attack types stand out:
1. Sophisticated, multi-vector attacks, aimed to deceive and
overrun traditional IT security measures, made up a significant
portion of the attacks observed this year.
2. Service flood attacks aim to saturate the bandwidth of the
target victim, resulting in service outages, downtime and
Cyber-criminals are also switching methods, from simple
volumetric attacks to multi-vector DDoS attacks. Modern
toolkits can launch both infrastructure-based and
application-based DDoS payloads, and attacks include SYN flood,
UDP flood, domain name system (DNS) query flood and HTTP GET floods.
Attackers are implementing techniques to profile the nature of
the target network’s security defences, and using
subsequent techniques to implement second or third attacks
designed to circumvent an organisation’s layered
Multi-vector attack attempts against Corero customers are shown
in figure 1 (below left). Service flood attacks, shown in figure
2 (below right), comprised TCP or UDP attacks such as SYN flood,
ACK flood, reset flood and so on.
Ransom denial of service (RDoS) made a significant comeback
in Q3 2017. A widespread wave of RDoS threats from the Phantom
Squad hacker group kicked off in September. These threats
targeted companies throughout the world. This extortion
campaign demanded Bitcoin payment, with a promise to attack on 30
September unless the demands were met.
Most cyber security solutions focus on recovery from
criminal extortion attacks, rather than defeating them. DDoS
mitigation technology has evolved to deal with these
IoT botnets should be a grave concern
IoT devices are usually poorly managed, patched and secured.
These connected devices can be harnessed by hackers for a
variety of nefarious purposes; in many cases hackers use them
to form a botnet to carry out DDoS attacks. The latest IoT
botnet plague making headlines is the Reaper botnet. At the
time this paper was written (Nov 2017) the botnet was in the
recruitment phase, and security experts have yet to see an
attack. Its potential scale and power could create internet
chaos and dire results for target victims.
DDoS distraction; data exfiltration
Once a DDoS attack is underway, security personnel are often
distracted by the DDoS traffic, which allows hackers to use
whatever means at their disposal to penetrate a network or
plant ransomware or malware. Such attacks are not designed to
deny service, but to deny security, by acting as a camouflage
that masks more sinister activities.
Understand the evolving threat
The sophistication of DDoS attacks continues to evolve, with
multi-vector attacks being used more often than not. These
attacks are used to profile existing security solutions and
infrastructure, to probe and determine which vectors and
techniques will prove successful. These attacks are also
sophisticated enough to leave just enough bandwidth available
for other cyber-attacks to make their way undetected into the
Talk DDoS with your ISP
Organisations that once had DDoS protection projects on the
back burner are now re-prioritising their security strategies.
This shift in precedence puts increased pressure on internet
and cloud providers to enable this protection for their
customers, and eliminate DDoS threats closer to the source.
Providers are now accepting a greater responsibility for
defending their customers and networks against DDoS
Real-time threat detection and
Proactive DDoS protection is a critical element in proper
cyber security against loss of service availability and data
breach. The everyday DDoS attack cannot be properly defeated
with traditional internet gateway security solutions such as
firewalls, intrusion prevention systems and the like.
Similarly, cloud-based DDoS scrubbing alternatives cannot
achieve successful mitigation with the low volume, short
duration attacks that are impacting organisations every day.
Time-to-mitigation must be a critical factor.
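The following Python program is an added illustration, not code from the Corero report or a Corero product. It models the point made in the last two sections: a detector tuned for link saturation (a 5 Gbps byte threshold) never fires on a sub-saturating SYN flood of under 2 Gbps, while a behavioural detector keyed on protocol composition (the share of SYN packets at a meaningful packet rate) fires within seconds, which is what bounds time-to-mitigation. All traffic samples, host addresses, thresholds and the 20-second attack window are constructed for the example.

```python
"""Added illustration (not code from the Corero report): a toy real-time
detector showing why a link-saturation threshold misses the low-volume,
short-duration attacks the report describes, and why time-to-detection
drives time-to-mitigation. All traffic figures below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

BYTES_PER_GBPS = 1_000_000_000 // 8   # bytes per second carried by 1 Gbit/s


@dataclass(frozen=True)
class Sample:
    """One second of traffic towards one destination (constructed data)."""
    second: int
    dst: str
    nbytes: int
    syn_pkts: int
    total_pkts: int


# Constructed attack window: a 20-second burst, like the short attacks in the report.
ATTACK_ONSET, ATTACK_END = 15, 35


def build_samples():
    """Sixty seconds of constructed traffic: a ~0.4 Gbps baseline to two hosts,
    plus a 20-second SYN flood of ~1.9 Gbps at 10.0.0.5 (well under 5 Gbps)."""
    samples = []
    for sec in range(60):
        samples.append(Sample(sec, "10.0.0.5", 50_000_000, 200, 40_000))
        samples.append(Sample(sec, "10.0.0.9", 30_000_000, 100, 25_000))
        if ATTACK_ONSET <= sec < ATTACK_END:
            # 4M 60-byte SYN packets per second = 240 MB/s = 1.92 Gbps
            samples.append(Sample(sec, "10.0.0.5", 240_000_000, 4_000_000, 4_000_000))
    return samples


def volumetric_detector(samples, threshold_gbps=5.0):
    """Classic pipe-saturation alarm: fire when one destination's bytes in a
    single second exceed the threshold. Returns {dst: first second fired}."""
    per_sec = defaultdict(int)
    for smp in samples:
        per_sec[(smp.second, smp.dst)] += smp.nbytes
    fired = {}
    for (sec, dst), nbytes in sorted(per_sec.items()):
        if nbytes > threshold_gbps * BYTES_PER_GBPS:
            fired.setdefault(dst, sec)
    return fired


def syn_ratio_detector(samples, syn_ratio=0.5, min_pps=100_000, consecutive=3):
    """Behavioural alarm: a destination whose packets are mostly SYNs at a
    meaningful packet rate for `consecutive` seconds in a row is under a SYN
    flood, however few bytes it carries. Returns {dst: second of first alert}."""
    counts = defaultdict(lambda: [0, 0])          # (sec, dst) -> [syn, total]
    for smp in samples:
        counts[(smp.second, smp.dst)][0] += smp.syn_pkts
        counts[(smp.second, smp.dst)][1] += smp.total_pkts
    streak, alerts = defaultdict(int), {}
    for (sec, dst), (syn, total) in sorted(counts.items()):
        suspicious = total >= min_pps and syn / total > syn_ratio
        streak[dst] = streak[dst] + 1 if suspicious else 0
        if streak[dst] >= consecutive:
            alerts.setdefault(dst, sec)
    return alerts


def evaluate(samples, onset=ATTACK_ONSET, end=ATTACK_END):
    """Run both detectors on the same traffic and report how many seconds of
    the attack window passed before each could have triggered mitigation."""
    vol = volumetric_detector(samples)
    beh = syn_ratio_detector(samples)

    def seconds_unmitigated(alerts):
        first = min(alerts.values()) if alerts else end
        return min(first, end) - onset

    return {
        "volumetric_alerts": vol,
        "behavioural_alerts": beh,
        "volumetric_seconds_unmitigated": seconds_unmitigated(vol),
        "behavioural_seconds_unmitigated": seconds_unmitigated(beh),
    }


if __name__ == "__main__":
    for key, value in evaluate(build_samples()).items():
        print(f"{key}: {value}")
```

On the constructed traffic the byte-threshold detector never fires, so the whole 20-second attack goes unmitigated, whereas the SYN-ratio detector alerts at second 17, two seconds after onset. The three-second streak requirement is the usual trade-off against false positives; shortening it cuts time-to-detect further at the cost of reacting to brief legitimate connection bursts.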
Source: Corero DDoS Trends Report, Q2-Q3 2017