Perimeter
3/23/2015
02:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

When DDoS Isn't All About Massive Disruption

New data shows prevalence of often-undetectable DDoS attacks aimed at quietly wreaking havoc on the network while performing data exfiltration and other attacks.

There's the long-lasting, loud DDoS attack that takes down a website or disrupts a company's network operations, but there's also a stealthier, shorter-burst DDoS meant to fly under the radar while sapping just enough bandwidth or network resources to perform more nefarious activity, like silently stealing information.

That type of DDoS, which doesn't suck massive amounts of bandwidth so may not be easily detectable, is typically just one element of a multi-vector attack: DDoS attacks of under 5 gigabits-per-second at peak and lasting less than 10 minutes represent nearly 80% of the DDoS attack attempts spotted by in-line DDoS prevention vendor Corero Network Security, the company says in a new report published today.

The goal of this short, low-saturation DDoS is typically to bypass security defenses or to consume security logs and to ultimately hide other activity the attackers have under way, says Dave Larson, CTO and vice president of products at Corero.

Corero also found a large number of short-burst DDoS attacks lasting anywhere from 5- to 30 minutes. Some 96% of DDoS attacks against its service provider and enterprise customers' networks lasted less than 30 minutes, and 73%, less than five minutes.

These mini-DDoS attacks shouldn't be confused with low-and-slow attacks against the application layer, such as Slowloris-style ones, Larson says, which are often tailored to for true denial-of-service purposes.

"It's a smokescreen effect," Larson says of the short-burst network DDoS attacks. "If they send [traffic] in short-duration, 3 Gig packet rates [at the most], it's not going to cause service degradation" in a large data center, Larson says. "You might see that class of attack good enough to degrade a firewall or IPS … It might allow a connection to remain open during the attack."

These attacks leave plenty of headroom for attackers to execute an exploit, he says, all under the cover of a quiet DDoS attack. "The victim doesn't even know it occurred because it may not be noticeable."

This brand of DDoS is likely the handiwork of more sophisticated attackers such as nation-state cyberspies, who use it to pilfer sensitive information, he says. "DDoS can be useful to degrade the security perimeter, and this can be sent at a rate that saturates all the logs," he says.

That's not to say the mega-DDoS attacks amassing hundreds of Gbps aren't still alive and kicking, of course. "We see the small and the big attacks," Larson says, because Corero's product sits inline in the network. "Our data doesn't negate" the prevalence of large and long attacks, he says.

But Corero's data, as well as data from recent reports by Arbor Networks and the Akamai PLXsert, show how DDoS attacks are evolving -- and continue to be a popular tool. About half of all enterprises suffered a DDoS attack last year and most ISPs and enterprises also suffered more stealthy DDoS attacks aimed at flying under the radar, according to Arbor's 10th Annual Worldwide Infrastructure Security Report, published in January.

Nearly 30% of the DDoS attacks Arbor sees are for hiding data exfiltration or other types of compromises.

Dan Holden, director of Arbor’s security engineering and response team, says a 5Gbps or below attack would be plenty to take down most websites. "That's the type of attack that's the majority of attacks today," he notes.

It's difficult to get a good read on "low-and-slow" network DDoS attacks that are used as part of a bigger attack, he says. Smaller organizations are more likely to suffer with these because they don't have the resources to detect and deflect them, he says.

"DDoS trends go up and down and the change depends on who's being attacked and what the attackers are after," he says. DDoS won't die because it's so inexpensive for the attacker to execute, while expensive for organizations to defend against, he says.

Application-layer attacks, meanwhile, are the scariest, Holden says. The attack surface of a server is large, he notes, and an attacker who wages one of these higher-layer attacks is likely very determined. He points to the wave of DDoS attacks against US banks a couple of years ago, when some bank websites went offline even with help from ISPs scrubbing the network traffic-layer attacks. "There were instances where ISPs were able to scrub volumetric DDoS attacks, but the website still fell because of an application-layer attack," Holden says. "It takes someone who really cares to go after [an organization] to go after the application layer."

[Everything you need to know about today’s IT security challenges – but were afraid to ask. Register with Discount Code DRBLOG to save $100 for this special one-day event, Dark Reading's Cyber Security Crash Course at Interop on Wednesday, April 29.]

So how can an organization actually defend against nearly invisible DDoS attacks? "The only way to do this is to change your sampling or thresholds so you're looking at lower events of interest" in traditional DDoS products and services, Corero's Larson says.

Another option is to run an inline anti-DDoS tool, which both Corero and Arbor sell.

Meanwhile, companies are getting hit with an average of 3.9 DDoS attack attempts of various size and duration each day, according to Corero's data. One of Corero's customers suffered an average of 12 DDoS attacks per day against its data center infrastructure during a three-month period.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/24/2015 | 1:31:02 PM
Re: Deeper Explanation of Tools
I do not believe there is one, there is no real protection against DDoS. Most DDoS are caused by legitimate traffic and there is no such thing as unlimited resources to avoid it.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
3/23/2015 | 2:46:47 PM
Deeper Explanation of Tools
Can someone explain in larger detail what an anti-DDoS tool will accomplish? Specifically towards undetectable DDoS around data exfiltration.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.