DDoS Attacks Trend in a Bad Direction

DDoS attacks are beginning to hit harder and score higher. The frequency of attacks is dramatically increasing, attack vectors are alternating and -- most importantly -- they're being used strategically by hackers as a distraction from more penetrating attacks that carry greater business risk.

Our "friend" DDoS has blown through teenage years and is suddenly all grown-up. DDoS-for-hire services are becoming more common, more readily accessible, and less expensive. Attacks are now campaigns that lead with denial of service, or even Ransom Denial of Service (RDoS), but which terminate with a ruthless efficiency determined to distract threat detection from malware and thereby cause deeper wounds from an enterprise vulnerability perspective.

"Anyone can access these services, and for short money, execute a DDoS campaign," Stephanie Weagle, vice president of Corero Network Security, told SecurityNow. "There is no coding or sophisticated technical knowledge required. The motivations are wide raging -- political, hacktivism, extortion, cyber warfare, and even more simply, notoriety. Coupled with the ease of accessing DDoS-for-hire services, there is really no limit to this threat."

According to the DDoS and Internet availability specialist, the rate of DDoS attacks has doubled in the last six months, with eight attacks a day versus four at the beginning of the year. With a 35% increase in attacks per quarter this year, the worrying stat in Corero's latest report is that there's an accompanying rise of about 70% in attacks that last less than ten minutes.

More effective attacks
New high frequency, low volume attacks are so quick that they will stress teams already freaked out by the risk of mass outage damage which still occurs through regular DDoS. Business losses as such are subjective and vary, but it's the success rate of these new hit-and-run tactics that will cause alarm.

"With the average attack lasting less than ten minutes in duration, [an enterprise's] proactive mitigation tools must be able to detect and mitigate instantly," said Weagle. "Low volume, short duration, frequent attacks don't leave any room for human intervention, or [even] a prompt to swing bad traffic to cloud scrubbing operations. Further, neither an intrusion prevention system nor a firewall will protect you."

Effectively, when a firewall threshold limit is reached, every application and every ID using that port gets blocked, causing an outage. Bad actors know this is efficacious when blocking both good users along with attackers, because network and application availability is affected.

More frequent risks
DDoS is becoming the Red Herring and beachhead of more sophisticated, more penetrative attacks. "Once a DDoS attack is underway, security personnel are often distracted by the DDoS traffic," said Weagle, "These attacks act as a diversion tactic, distracting IT teams from the breach that's taking place, which could involve data being exfiltrated, networks being mapped for vulnerabilities, or a whole host of other potential risks."

Alongside the proliferation of DDoS-for-hire services which widen attack options to -- exceptionally -- those with no technical knowledge, attacks are being packaged and therefore usage accelerated, allowing agents to purchase, then "push the green button" and watch the results. "This is particularly true in light of automated attacks, which allow attackers to switch vectors faster than any human or traditional IT security solution can respond," said Weagle.

In fact, anyone needing a DDoS service need only seemingly outstretch their shopping cart. DDoS-for-hire services have numerically increased and also matured to the point where they're commercialized, are available via mobile platforms, and even offer discount schemes and loyalty points.

The dawn of RDos
Corero's customers have reported a negative trend in the last two quarters, where two brutal attacks have been observed for the first time. One is a sophisticated multi-vector attack, aimed to deceive and overrun traditional IT security measures. In other words, an attack that occupies resources while the critical attack comes in through the side door. Second are crippling service flood attacks which consume bandwidth at the target, resulting in service outages, downtime and latency; it turns a sprint to secure the enterprise into a three-legged race.

Right now, DDoS proficients will not always launch an attack. They may run a ransom threat in advance of an attack in the hopes of an easy dollar. That's a powerful financial leveraging of a threat considering that a tough DDoS attack can be launched through a for-hire organization for as little as $100. As usual with ransom, it's a numbers game but even so, some enterprises must be tempted to pay up in the face of an unknown DDoS attack magnitude.

"Forget the ransom, implement a layered defense strategy with dedicated DDoS mitigation technology," said Weagle.

Related posts:

— Simon Marshall, Technology Journalist, special to Security Now