DDoS Attacks Grow Shorter But Pack More Punch
DDoS attack sizes are rising even as the duration of the attacks grows shorter, according to Arbor Networks
If there was ever a riddle asking the listener to name something that has become bigger and shorter at the same time, distributed denial-of-service attacks (DDoS) would be an acceptable answer.
According to a new report from Arbor Networks about the third quarter of 2013, the average attack size now stands at 2.64 Gbps for the year, an increase of 78 percent from 2012. The number of attacks monitored by the firm that are more than 20 Gbps experienced massive growth, to the tune of a 350 percent increase so far this year.
More Security Insights
White PapersMore >>
- Agile Service Desk: Keeping Pace or Getting out Paced by New Technology?
- Inside Threats: Is Your Company at Risk?
Meanwhile, the length of the vast majority of attacks (87 percent) has gone down to less than an hour.
"Shorter duration attacks are not inherently harder to detect, but they can be harder to mitigate," says Gary Sockrider, solutions architect for the Americas, Arbor Networks. "Many organizations today rely on network- or cloud-based mitigation of DDoS attacks. Because they rely on rerouting attack traffic to scrubbing centers, there is a small delay in mitigation while routing or domain name changes propagate.
"Ideally you want to have mitigation capabilities on your own network that can react immediately without the need for redirection. I think it's safe to say that if you have absolutely no mitigation capabilities, then shorter attacks are better. However, if your only protection has inherent delays, then shorter attacks potentially cannot be stopped."
Barrett Lyon, founder of DDoS mitigation firm Prolexic Technologies and now CTO of Defense.net, says that shorter DDoS attacks also have the added benefit of minimizing an attacker's exposure.
"The longer it runs, the more things are obviously clogged up and the more reactive network engineers become," he observes. "When network engineers start researching a problem like that -- congestion in their network or why is this computer slow -- it exposes the botnet and makes it much vulnerable than it would be otherwise. So if it's a short attack but big, [attackers] can kind of quickly see and size up their target. They can quickly determine ... what's the best bang for the buck when it comes to attacking."
A clear trend of increasing attack sizes has emerged during the past several years, Sockrider says.
"I believe there [is] a combination of factors enabling this trend," he says. "First, there is increased availability of simple-to-use tools for carrying out attacks with little skill or knowledge. Second, there is a growing proliferation of DDoS-for-hire services that are quite inexpensive. Third, increasingly powerful workstations and servers that get compromised also have significantly faster connections to the Internet from which to generate attacks."
The largest monitored and verified attack size during the quarter was 191 Gbps, according to the firm. Fifty-four percent of attacks this year are more than 1 Gbps, up from 33 percent in 2012. Some 37 percent so far this year are between 2 Gbps and 10 Gbps.
Another general trend is of attacks moving to the application layer. In fact, while volumetric attacks are still common, they are now frequently combined with application-layer and state exhaustion attacks, Sockrider says.
In some cases, DDoS attacks have served as diversions meant to draw attention from other activities, such as bank fraud. For example, a report published in April by Dell SecureWorks noted how DDoS attacks were launched after fraudulent wire and automatic clearing house (ACH) transfers.
"Most people that follow DDoS trends are aware of the really high-profile attacks against government and financial institutions, but in reality the most common targets are actually business and e-commerce sites," Sockrider says. "We're also seeing increased attacks in the online gaming industry, where attacks are waged for competitive advantage. Additionally, some organizations are taking collateral damage because they reside in a data center, and they happen to share infrastructure with a high-profile target. The bottom line is that in the current environment, every organization is a potential target."
*This story was updated with additional commentary.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message