Quick Hits

No Sign Of DDoSes Diminishing

Application-layer DDoS attacks decline for the first time last quarter, but "slow and low" attacks gaining ground
The total number of distributed denial-of-service (DDoS) attacks jumped by 10 percent in the second quarter, but application-layer DDoS attacks dropped for the first time in a while, by 8 percent, a new report found.

Application-layer attacks, which operate at HTTP and other application-layer protocols, account for nearly 20 percent of all DDoS attacks and had enjoyed a spike in the past three quarters, according to Prolexic Technologies, which released its newest data today.

Why the decline? "There are a couple of possible reasons for this, but no definitive answer," says Paul Sop, senior DDoS analyst with Prolexic, a cloud-based DDoS mitigation provider.

One possibility is the growth in attack tools for infrastructure-level attacks, he says, which may have skewed the numbers a bit toward those attacks. Another is that it's a survival tactic: "Second, Layer 7 attacks expose the IP address of the attacking botnet, which increases the risk of detection and eventual takedown. As a result, it appears that attackers used more Layer 3 and Layer 4 attacks this quarter so they would not risk their botnets being exposed," Sop says.

The catch, too, is that once attackers discover that Prolexic is repelling attacks against its customers, they may be curtailing their attacks sooner or "saving Layer 7 attacks for last," he says.

Akamai, meanwhile, says DDoS attacks have jumped 2,000 percent over the past three years. The security firm is also witnessing a trend toward more stealthy application-layer attacks. Attackers are not blasting the high-volume attacks they used to perform aimed at sapping bandwidth, notes Martin McKeay, a security evangelist with Akamai. "We're seeing volumetric attacks on the decline: DDoSes are not as big as they used to be, and more are being moved up the stack," McKeay says. "There are more attacks that are based on resource exhaustion, like a Slowloris-type attack, trying to use the resources of a Web server and take you down that way."

McKeay says the "low and slow" attacks are tougher to track and detect, so they can be more effective because they have more staying power. "The RBN [Russian Business Network] is learning what's effective. We and our competitors can deal with volumetric attacks relatively easily, or at least effectively," he says, so the attackers are moving to different methods, including targeting DNS servers.

"If you can make a stock transaction and bring down the servers behind you," it can be very effective, he says.

Application/Layer 7 DDoS attacks tend to be the handiwork of skilled and experienced attackers, notes Prolexic's Sop. "Often, attackers will move to Layer 7 if Layer 3 and 4 volumetric attacks are not working. Many mitigation services can deal with infrastructure attacks, but fewer have the skills and resources to analyze and then block changing attack signature on the fly for Layer 7 attacks," he says.

HTTP GET flood attacks dropped from 22 percent of DDoS attacks in the second quarter of 2011 to 14 percent in the second quarter of this year, according to Prolexic.

A copy of the full Prolexic report is available here.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Editors' Choice
Robert Lemos, Contributing Writer, Dark Reading
Shikha Kothari, Senior Security Adviser, Eden Data