
Más DDoS: More Powerful, Complex, And Widespread

New DDoS reports highlight evolving M.O. of DDoS and DoS attacks and increased firepower

Three DDoS reports published this week reveal that more powerful attacks are becoming the norm, that hacktivism rather than extortion is now the main inspiration, and that anyone can be a victim, not just high-profile organizations.

Arbor Networks, Radware, and Prolexic each released reports detailing trends and data in distributed denial-of-service (DDoS) and regular denial-of-service (DoS) attacks. Among the trends in these often-debilitating attacks on a victim's network infrastructure, website, or other application-layer services: the impetus is now more about hacktivism and vandalism than extortion -- an old-school motivation -- and no one is immune from becoming a target.

"It was stunning to us what motivated these DDoS attacks," says Roland Dobbins, solutions architect at Arbor and one of the authors of Arbor's "World Wide Infrastructure Security Report for 2011." "It was a surprise to us, but at the same time it jives with our individual experiences and working with service providers around the world. About half the DDoS attacks I personally helped defend against were ideologically motivated."

Dobbins says this is a game-changer. "This really alters the threat landscape for any organization that's Internet-connected. If anyone has a political or ideological ax to grind against an organization or the country where they are headquartered," they are at risk, he says.

Radware's "2011 Global Application and Network Security Report" echoed some of the same findings about DDoS and DoS attacks in that hacktivists were the main perpetrators, with 22 percent of attacks; 12 percent were angry users; 7 percent, a competitor; and 4 percent, extortion. Half of the attacked organizations surveyed by Radware didn't know why they were targeted.

Arbor also found that attackers now have so much firepower that high-volume attacks are no longer a rarity. DDoS attacks in the 10-Gbps range were up, with 13 percent reporting them, and 25 percent of victims say they were hit by attacks that outpaced the total bandwidth of their data center.

"10-Gbps and under attacks are no longer very rare -- they are very commonplace," Dobbins says. "And the broader deployment of [anti-] DDoS technologies [by organizations] is causing attackers to up their game, so it's an arms race."

Prolexic's "Quarterly Attack Report for Q4 2011" also shows a marked increase in more powerful DDoS attacks. The average attack bandwidth in the fourth quarter was 5.2 Gbps, up from 2.1 Gbps in the third quarter; that's an increase of 148 percent, according to Prolexic. Average attack bandwidth jumped 136 percent last year to 2.6 Gbps versus 1.1 Gbps in 2010.

But size doesn't always matter. Radware's report says most organizations don't suffer from catastrophic DDoS attacks: Smaller, less powerful ones can cause more damage with less bandwidth. Some 76 percent of attacks in its survey came in at under 1 Gbps, with 32 percent less than 10 megabits-per-second, and nine percent more than 10 Gbps.

Meanwhile, application-layer attacks are on the upswing. "There is a rise in the sophistication and prevalence of application-layer attacks," Arbor's Dobbins says. "Attackers are not just launching high-bandwidth, high-packet-based attacks. They are doing research and figuring out how to [attack] the app running on the server ... causing websites to fall over."

According to Radware, 56 percent of DoS-type attacks last year went after applications, and 46 percent, the network. Financial services was hit the most, with 28 percent of the attacks, followed by government (25 percent) and gaming sites (25 percent).

Attackers aren't just going after one specific application or HTTP. They are mixing two or more vectors, such as HTTP, SMTP, HTTPS, DNS, SNMP, and IRC, according to Arbor's Dobbins.

Some attacks used up to five different attack vectors in a campaign, according to Radware. And the big bandwidth-sized attacks aren't necessarily the most damaging. A smaller HTTP attack can do more damage than a massive UDP flood attack.

And Prolexic saw shorter attack intervals. "We have seen a trend toward shorter overall attack duration, but with unprecedented high packet-per-second volume and lethal attack signatures," says Paul Sop, chief technology officer at Prolexic. "This is a devastating cocktail that can quickly bring down even well-protected sites and their mitigation providers. We are starting to see packet-per-second attack volumes that are simply off the charts."


Kelly Jackson Higgins is Senior Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...

User Rank: Ninja
2/24/2012 | 2:08:06 AM
re: Más DDoS: More Powerful, Complex, And Widespread
Ideological attacks are not going to stop anytime soon. DDoS is viewed by many as a legitimate protest tactic.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
User Rank: Apprentice
2/21/2012 | 5:11:41 AM
re: Más DDoS: More Powerful, Complex, And Widespread
Attacking does not depend upon the specific application or HTTP. They are mixing two or more vectors, such as HTTP, SMTP, HTTPS, DNS, SNMP, and IRC.