Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:20 PM
Connect Directly

Hit-And-Run Tactics Fuel Growth In DDoS Attacks

A majority of organizations in Imperva DDoS study suffer multiple consecutive attacks.

Many threat actors behind distributed denial of service (DDoS) attacks against enterprises appear to be increasingly employing hit-and-run tactics to make their campaigns more effective.

Security firm Imperva recently analyzed data collected from its customers while mitigating DDoS attacks on their networks between April 2015 and March 2016. The data showed a 211% increase year over year in the number of DDoS attacks directed against its customers. On average, Imperva mitigated about 445 DDoS attacks per week over the one-year period.

At least some of the growth in the number of DDoS attacks recorded by Imperva had to do with the increased use of hit-and-run tactics by threat actors. These are attacks where a single assault is executed in multiple smaller and consecutive attack-bursts, according to Imperva.

The goal in using the tactic appears to be to exhaust mitigation teams by keeping them on high alert status for prolonged periods of time. Attackers could also be employing the tactic to confuse mitigation teams and divert attention away from other, more surreptitious malicious activity directed against their networks, Imperva said in its report.

More than 40% of the DDoS victims that Imperva counted last year in fact were attacked more than one time. About 16% were targeted at least five times or more. A comparison of DDoS data from the four quarters that Imperva inspected showed a gradual uptick in the use of such hit-and run tactics, the company noted.

“We have been seeing hit-and-run attacks for the last four quarters,” says Tim Matthews, vice president of marketing at Imperva. “They are really an evolution of multi-vector attacks, where criminals realize that large frontal attacks alone may no longer be successful.” 

The increased use of DDoS-for-hire services also contributed to the overall uptick in DDoS attacks last year, according to Imperva. The number of attackers using paid “booters” or “stressers” to direct DDoS traffic against specific targets jumped from around 64% in the second quarter of last year to 93% in Q1 2016.

With some booter services starting at just $5 for a minute-long attack, many of those engaged in such activity are likely non-professionals, Imperva said in its report.

The biggest impact for enterprises from such attacks is potential revenue loss, Matthews says. “This is especially pronounced for companies that depend on uptime for revenue, notably gaming and ecommerce companies,” he says.

In addition to an increase in overall numbers, DDoS attacks also increased in size.

Many of the network-layer attacks that Imperva handled for customers last year exceeded 200 Gbps, with one even exceeding a massive 470 Gbps in size. That attack is the largest that Imperva has seen to date, according to Matthews. Attackers often used small network packets to maximize packet forwarding rates and throughput capacity.

In terms of sheer number, however, application-layer assaults accounted for 60% of all DDoS attacks that Imperva mitigated last year.  

“Attackers are continuing to evolve,” Matthews says. “The sophistication of attacks, and the targeting of applications rather than networks, means that simple mitigation techniques that used to work – like configuring routers or firewalls to block attacks – are likely not working, and may offer a false sense of security.”

Related stories:



Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/3/2016 | 4:17:12 AM
DDoS Attacks

DDoS Attacks is terrible for a young startup..thank you for your tips ! 

Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-14
Cross Site Scripting (XSS) in Group Office CRM 6.4.196 via the SET_LANGUAGE parameter.
PUBLISHED: 2021-04-14
A Server-Side Request Forgery (SSRF) vulnerability in Group Office 6.4.196 allows a remote attacker to forge GET requests to arbitrary URLs via the url parameter to group/api/upload.php.
PUBLISHED: 2021-04-14
The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with l...
PUBLISHED: 2021-04-14
The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker wi...
PUBLISHED: 2021-04-14
In Deark before 1.5.8, a specially crafted input file can cause a NULL pointer dereference in the dbuf_write function (src/deark-dbuf.c).