Perimeter
3/23/2015
02:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

When DDoS Isn't All About Massive Disruption

New data shows prevalence of often-undetectable DDoS attacks aimed at quietly wreaking havoc on the network while performing data exfiltration and other attacks.

There's the long-lasting, loud DDoS attack that takes down a website or disrupts a company's network operations, but there's also a stealthier, shorter-burst DDoS meant to fly under the radar while sapping just enough bandwidth or network resources to perform more nefarious activity, like silently stealing information.

That type of DDoS, which doesn't suck massive amounts of bandwidth so may not be easily detectable, is typically just one element of a multi-vector attack: DDoS attacks of under 5 gigabits-per-second at peak and lasting less than 10 minutes represent nearly 80% of the DDoS attack attempts spotted by in-line DDoS prevention vendor Corero Network Security, the company says in a new report published today.

The goal of this short, low-saturation DDoS is typically to bypass security defenses or to consume security logs and to ultimately hide other activity the attackers have under way, says Dave Larson, CTO and vice president of products at Corero.

Corero also found a large number of short-burst DDoS attacks lasting anywhere from 5- to 30 minutes. Some 96% of DDoS attacks against its service provider and enterprise customers' networks lasted less than 30 minutes, and 73%, less than five minutes.

These mini-DDoS attacks shouldn't be confused with low-and-slow attacks against the application layer, such as Slowloris-style ones, Larson says, which are often tailored to for true denial-of-service purposes.

"It's a smokescreen effect," Larson says of the short-burst network DDoS attacks. "If they send [traffic] in short-duration, 3 Gig packet rates [at the most], it's not going to cause service degradation" in a large data center, Larson says. "You might see that class of attack good enough to degrade a firewall or IPS … It might allow a connection to remain open during the attack."

These attacks leave plenty of headroom for attackers to execute an exploit, he says, all under the cover of a quiet DDoS attack. "The victim doesn't even know it occurred because it may not be noticeable."

This brand of DDoS is likely the handiwork of more sophisticated attackers such as nation-state cyberspies, who use it to pilfer sensitive information, he says. "DDoS can be useful to degrade the security perimeter, and this can be sent at a rate that saturates all the logs," he says.

That's not to say the mega-DDoS attacks amassing hundreds of Gbps aren't still alive and kicking, of course. "We see the small and the big attacks," Larson says, because Corero's product sits inline in the network. "Our data doesn't negate" the prevalence of large and long attacks, he says.

But Corero's data, as well as data from recent reports by Arbor Networks and the Akamai PLXsert, show how DDoS attacks are evolving -- and continue to be a popular tool. About half of all enterprises suffered a DDoS attack last year and most ISPs and enterprises also suffered more stealthy DDoS attacks aimed at flying under the radar, according to Arbor's 10th Annual Worldwide Infrastructure Security Report, published in January.

Nearly 30% of the DDoS attacks Arbor sees are for hiding data exfiltration or other types of compromises.

Dan Holden, director of Arbor’s security engineering and response team, says a 5Gbps or below attack would be plenty to take down most websites. "That's the type of attack that's the majority of attacks today," he notes.

It's difficult to get a good read on "low-and-slow" network DDoS attacks that are used as part of a bigger attack, he says. Smaller organizations are more likely to suffer with these because they don't have the resources to detect and deflect them, he says.

"DDoS trends go up and down and the change depends on who's being attacked and what the attackers are after," he says. DDoS won't die because it's so inexpensive for the attacker to execute, while expensive for organizations to defend against, he says.

Application-layer attacks, meanwhile, are the scariest, Holden says. The attack surface of a server is large, he notes, and an attacker who wages one of these higher-layer attacks is likely very determined. He points to the wave of DDoS attacks against US banks a couple of years ago, when some bank websites went offline even with help from ISPs scrubbing the network traffic-layer attacks. "There were instances where ISPs were able to scrub volumetric DDoS attacks, but the website still fell because of an application-layer attack," Holden says. "It takes someone who really cares to go after [an organization] to go after the application layer."

[Everything you need to know about today’s IT security challenges – but were afraid to ask. Register with Discount Code DRBLOG to save $100 for this special one-day event, Dark Reading's Cyber Security Crash Course at Interop on Wednesday, April 29.]

So how can an organization actually defend against nearly invisible DDoS attacks? "The only way to do this is to change your sampling or thresholds so you're looking at lower events of interest" in traditional DDoS products and services, Corero's Larson says.

Another option is to run an inline anti-DDoS tool, which both Corero and Arbor sell.

Meanwhile, companies are getting hit with an average of 3.9 DDoS attack attempts of various size and duration each day, according to Corero's data. One of Corero's customers suffered an average of 12 DDoS attacks per day against its data center infrastructure during a three-month period.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/24/2015 | 1:31:02 PM
Re: Deeper Explanation of Tools
I do not believe there is one, there is no real protection against DDoS. Most DDoS are caused by legitimate traffic and there is no such thing as unlimited resources to avoid it.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
3/23/2015 | 2:46:47 PM
Deeper Explanation of Tools
Can someone explain in larger detail what an anti-DDoS tool will accomplish? Specifically towards undetectable DDoS around data exfiltration.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Things Every Business Executive Should Know About Cybersecurity
Don't get lost in security's technical minutiae - a clearer picture of what's at stake can help align business imperatives with technology execution.
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.