Attacks/Breaches
10/16/2013
05:30 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

DDoS Attacks Grow Shorter But Pack More Punch

DDoS attack sizes are rising even as the duration of the attacks grows shorter, according to Arbor Networks

If there was ever a riddle asking the listener to name something that has become bigger and shorter at the same time, distributed denial-of-service attacks (DDoS) would be an acceptable answer.

According to a new report from Arbor Networks about the third quarter of 2013, the average attack size now stands at 2.64 Gbps for the year, an increase of 78 percent from 2012. The number of attacks monitored by the firm that are more than 20 Gbps experienced massive growth, to the tune of a 350 percent increase so far this year.

Meanwhile, the length of the vast majority of attacks (87 percent) has gone down to less than an hour.

"Shorter duration attacks are not inherently harder to detect, but they can be harder to mitigate," says Gary Sockrider, solutions architect for the Americas, Arbor Networks. "Many organizations today rely on network- or cloud-based mitigation of DDoS attacks. Because they rely on rerouting attack traffic to scrubbing centers, there is a small delay in mitigation while routing or domain name changes propagate.

"Ideally you want to have mitigation capabilities on your own network that can react immediately without the need for redirection. I think it's safe to say that if you have absolutely no mitigation capabilities, then shorter attacks are better. However, if your only protection has inherent delays, then shorter attacks potentially cannot be stopped."

Barrett Lyon, founder of DDoS mitigation firm Prolexic Technologies and now CTO of Defense.net, says that shorter DDoS attacks also have the added benefit of minimizing an attacker's exposure.

"The longer it runs, the more things are obviously clogged up and the more reactive network engineers become," he observes. "When network engineers start researching a problem like that -- congestion in their network or why is this computer slow -- it exposes the botnet and makes it much vulnerable than it would be otherwise. So if it's a short attack but big, [attackers] can kind of quickly see and size up their target. They can quickly determine ... what's the best bang for the buck when it comes to attacking."

A clear trend of increasing attack sizes has emerged during the past several years, Sockrider says.

"I believe there [is] a combination of factors enabling this trend," he says. "First, there is increased availability of simple-to-use tools for carrying out attacks with little skill or knowledge. Second, there is a growing proliferation of DDoS-for-hire services that are quite inexpensive. Third, increasingly powerful workstations and servers that get compromised also have significantly faster connections to the Internet from which to generate attacks."

The largest monitored and verified attack size during the quarter was 191 Gbps, according to the firm. Fifty-four percent of attacks this year are more than 1 Gbps, up from 33 percent in 2012. Some 37 percent so far this year are between 2 Gbps and 10 Gbps.

Another general trend is of attacks moving to the application layer. In fact, while volumetric attacks are still common, they are now frequently combined with application-layer and state exhaustion attacks, Sockrider says.

In some cases, DDoS attacks have served as diversions meant to draw attention from other activities, such as bank fraud. For example, a report published in April by Dell SecureWorks noted how DDoS attacks were launched after fraudulent wire and automatic clearing house (ACH) transfers.

"Most people that follow DDoS trends are aware of the really high-profile attacks against government and financial institutions, but in reality the most common targets are actually business and e-commerce sites," Sockrider says. "We're also seeing increased attacks in the online gaming industry, where attacks are waged for competitive advantage. Additionally, some organizations are taking collateral damage because they reside in a data center, and they happen to share infrastructure with a high-profile target. The bottom line is that in the current environment, every organization is a potential target."

*This story was updated with additional commentary.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
10/18/2013 | 12:21:36 AM
re: DDoS Attacks Grow Shorter But Pack More Punch
Is the shortening length of an attack a result of mitigation techniques, or because the attackers themselves stop the attack?
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0360
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

CVE-2012-1317
Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

CVE-2012-1366
Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

CVE-2012-3062
Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

CVE-2012-3918
Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web