02:15 PM
Connect Directly

When DDoS Isn't All About Massive Disruption

New data shows prevalence of often-undetectable DDoS attacks aimed at quietly wreaking havoc on the network while performing data exfiltration and other attacks.

There's the long-lasting, loud DDoS attack that takes down a website or disrupts a company's network operations, but there's also a stealthier, shorter-burst DDoS meant to fly under the radar while sapping just enough bandwidth or network resources to perform more nefarious activity, like silently stealing information.

That type of DDoS, which doesn't suck massive amounts of bandwidth so may not be easily detectable, is typically just one element of a multi-vector attack: DDoS attacks of under 5 gigabits-per-second at peak and lasting less than 10 minutes represent nearly 80% of the DDoS attack attempts spotted by in-line DDoS prevention vendor Corero Network Security, the company says in a new report published today.

The goal of this short, low-saturation DDoS is typically to bypass security defenses or to consume security logs and to ultimately hide other activity the attackers have under way, says Dave Larson, CTO and vice president of products at Corero.

Corero also found a large number of short-burst DDoS attacks lasting anywhere from 5- to 30 minutes. Some 96% of DDoS attacks against its service provider and enterprise customers' networks lasted less than 30 minutes, and 73%, less than five minutes.

These mini-DDoS attacks shouldn't be confused with low-and-slow attacks against the application layer, such as Slowloris-style ones, Larson says, which are often tailored to for true denial-of-service purposes.

"It's a smokescreen effect," Larson says of the short-burst network DDoS attacks. "If they send [traffic] in short-duration, 3 Gig packet rates [at the most], it's not going to cause service degradation" in a large data center, Larson says. "You might see that class of attack good enough to degrade a firewall or IPS … It might allow a connection to remain open during the attack."

These attacks leave plenty of headroom for attackers to execute an exploit, he says, all under the cover of a quiet DDoS attack. "The victim doesn't even know it occurred because it may not be noticeable."

This brand of DDoS is likely the handiwork of more sophisticated attackers such as nation-state cyberspies, who use it to pilfer sensitive information, he says. "DDoS can be useful to degrade the security perimeter, and this can be sent at a rate that saturates all the logs," he says.

That's not to say the mega-DDoS attacks amassing hundreds of Gbps aren't still alive and kicking, of course. "We see the small and the big attacks," Larson says, because Corero's product sits inline in the network. "Our data doesn't negate" the prevalence of large and long attacks, he says.

But Corero's data, as well as data from recent reports by Arbor Networks and the Akamai PLXsert, show how DDoS attacks are evolving -- and continue to be a popular tool. About half of all enterprises suffered a DDoS attack last year and most ISPs and enterprises also suffered more stealthy DDoS attacks aimed at flying under the radar, according to Arbor's 10th Annual Worldwide Infrastructure Security Report, published in January.

Nearly 30% of the DDoS attacks Arbor sees are for hiding data exfiltration or other types of compromises.

Dan Holden, director of Arbor’s security engineering and response team, says a 5Gbps or below attack would be plenty to take down most websites. "That's the type of attack that's the majority of attacks today," he notes.

It's difficult to get a good read on "low-and-slow" network DDoS attacks that are used as part of a bigger attack, he says. Smaller organizations are more likely to suffer with these because they don't have the resources to detect and deflect them, he says.

"DDoS trends go up and down and the change depends on who's being attacked and what the attackers are after," he says. DDoS won't die because it's so inexpensive for the attacker to execute, while expensive for organizations to defend against, he says.

Application-layer attacks, meanwhile, are the scariest, Holden says. The attack surface of a server is large, he notes, and an attacker who wages one of these higher-layer attacks is likely very determined. He points to the wave of DDoS attacks against US banks a couple of years ago, when some bank websites went offline even with help from ISPs scrubbing the network traffic-layer attacks. "There were instances where ISPs were able to scrub volumetric DDoS attacks, but the website still fell because of an application-layer attack," Holden says. "It takes someone who really cares to go after [an organization] to go after the application layer."

[Everything you need to know about today’s IT security challenges – but were afraid to ask. Register with Discount Code DRBLOG to save $100 for this special one-day event, Dark Reading's Cyber Security Crash Course at Interop on Wednesday, April 29.]

So how can an organization actually defend against nearly invisible DDoS attacks? "The only way to do this is to change your sampling or thresholds so you're looking at lower events of interest" in traditional DDoS products and services, Corero's Larson says.

Another option is to run an inline anti-DDoS tool, which both Corero and Arbor sell.

Meanwhile, companies are getting hit with an average of 3.9 DDoS attack attempts of various size and duration each day, according to Corero's data. One of Corero's customers suffered an average of 12 DDoS attacks per day against its data center infrastructure during a three-month period.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
3/24/2015 | 1:31:02 PM
Re: Deeper Explanation of Tools
I do not believe there is one, there is no real protection against DDoS. Most DDoS are caused by legitimate traffic and there is no such thing as unlimited resources to avoid it.
User Rank: Ninja
3/23/2015 | 2:46:47 PM
Deeper Explanation of Tools
Can someone explain in larger detail what an anti-DDoS tool will accomplish? Specifically towards undetectable DDoS around data exfiltration.
Register for Dark Reading Newsletters
White Papers
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Title Partners Role in Perimeter Security
Title Partners Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
According to industry estimates, about a million new IT security jobs will be created in the next two years but there aren't enough skilled professionals to fill them. On top of that, there isn't necessarily a clear path to a career in security. Dark Reading Executive Editor Kelly Jackson Higgins hosts guests Carson Sweet, co-founder and CTO of CloudPassage, which published a shocking study of the security gap in top US undergrad computer science programs, and Rodney Petersen, head of NIST's new National Initiative for Cybersecurity Education.