7 Things to Know About Today's DDoS Attacks
DDoS attacks are no longer something that just big companies in a few industries need to worry about. They have become a threat to every business.
August 30, 2017
Distributed denial-of-service (DDoS) attacks continue to be a weapon of choice among threat actors seeking to extort money from victims, disrupt operations, conceal data-exfiltration activities, further hacktivist causes, or even to carry out cyberwar.
What was once a threat mostly to ISPs and organizations in the financial services, e-commerce, and gaming industry, has become a problem for businesses of all sizes. A small company is just as likely these days to become a target of a DDoS attack, as a big one — and for pretty much the same reasons.
The wide availability of botnet building kits and so-called "stresser," "booter," and other DDoS-for-hire services has made it possible for almost anyone to launch a DDoS attack against targets of their choice. It is no longer just the nation-state actors and APT groups that have access to DDoS infrastructure these days, but common cybercriminals and script kiddies, too.
The implications of these trends are enormous for organizations. Here are some alarming data points:
The number of DDoS attacks and their average size, measured in peak bandwidth and other metrics, tend to vary quite a bit from quarter to quarter, and sometimes even from month to month.
Take the Q2 2017 State of the Internet/Security Report from Akamai Technologies, which shows that DDoS attacks in the second quarter of this year increased by 28% compared to the previous quarter, after three straight quarters of decline. At the same time, Akamai didn't see any DDoS attack exceed 100Gbps in size during Q2.
In contrast, just last quarter Verisign reported at least one attack that topped 120Gbps, and an average peak-attack size that was 26% higher than the previous year.
Numbers alone shouldn't dictate mitigation strategies: it's more important to understand that DDoS attacks have become a threat to most organizations. Attackers have become more persistent than before and have more resources available to them. A DDoS attack does not have to be multiple gigabits-per-second in order to overwhelm your pipeline.
"The barrier to entry has been obliterated by new tools and attack services that enable anyone with an Internet connection and a grievance to launch an attack," says Kevin Whalen, a senior director of marketing at Arbor Networks. Any business can become a target for a real or perceived reason, he says.
Multi-vector DDoS attacks that combine volumetric, application-level, and protocol-level elements have become a major threat. Attackers can launch these attacks using one vector at a time, or using all vectors concurrently in order to confuse targets.
Neustar reported a 322% increase in multi-vector DDoS attacks in 2016, compared to 2015 when UDP, TCP, and ICMP were the most popular attack vectors. As far back as the first quarter of 2016, companies such as Akamai were reporting more than 60% of their mitigation efforts as involving multi-vector DDoS attacks.
"These attacks are popular because they are difficult to defend against and are often highly effective," Whalen says.
In fact, the largest DDoS attack that Verisign observed in the first quarter of this year was a multi-vector attack with a peak bandwidth of 120Gbps and some 90 million packets per second. The attack, which consisted largely of TCP SYN and TCP RST traffic floods, persisted on a daily basis for two weeks and sent a sustained 60Gbps of traffic in one 15-hour stretch.
Whalen says 67% of the respondents in Arbor's latest Worldwide Infrastructure Security Report reported multi-vector DDoS attacks, up from 56% last year.
Network-layer attacks, or so-called volumetric DDoS attacks, continue to be the most common, says Avishay Zawoznik, research team leader at Imperva.
These attacks are characterized by high bandwidth or packets-per-second rates and target the bandwidth capacity of the victim's network pipes or the routing capacity of the victim's network devices. Common examples of volumetric attacks include SYN, ACK, UDP, and ICMP floods, Zawoznik says.
"In the last few months, the DDoS attacks we saw most were TCP attacks, NTP amplification attacks and multi-vector ones," he says. Obviously, the larger the attack, whether in terms of bandwidth, packets per second, or requests per second, the higher the damage that volumetric attacks can cause, he says.
Of the 4,051 DDoS attacks in total that Akamai helped its customers handle last quarter, some 99% were volumetric attacks. Of these, more than 80% were directed at companies in the gaming industry. Egypt had the highest number of unique IP addresses used in volumetric DDoS attacks, accounting for 38% of the worldwide total.
While network-layer DDoS attacks continue to be common, application-level attacks are rapidly rising.
Application-level DDoS attacks bombard business applications with a stream of seemingly legitimate requests until the applications are unable to respond. In contrast to volumetric attacks, application attacks have much lower traffic volume and are measured in requests per second (RPS). Typical attacks target HTTP and DNS services and increasingly, HTTPS as well.
Imperva's Global Threat Landscape Report for Q1 2017 showed network-layer DDoS assaults decreasing for the fourth straight quarter, while application-layer attacks reached an all-time high of nearly 1,100 per week.
The largest of these attacks peaked at some 176,000 RPS, which was larger than the biggest application-layer attack that Imperva mitigated in all of 2016. "These attacks are aimed at consuming the computing resources of servers, Web servers, databases, etc.," says Zawoznik. Typical attacks involve floods of HTTP GET, POST, and PUSH requests directed at the target application, he says.
According to Arbor, DNS attacks accounted for 81% of all reported application-layer attacks last year and replaced HTTP as the most targeted service.
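To make the categories above concrete, here is an added example (not code from the article or from any of the vendors quoted) that scores constructed per-second traffic telemetry against assumed thresholds: a vector counts as volumetric when its bits per second or packets per second cross a threshold, as application-layer when its requests per second do, and any second in which two or more vectors trip at once is flagged as multi-vector. The record format, the sample values and the thresholds are all assumptions; treating vectors that overlap in time as one multi-vector attack generalizes the article's description to the concurrent case.

```python
"""Classify constructed DDoS telemetry into volumetric, application-layer and
multi-vector activity. Added example; record format and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed one-second samples: (second, vector, bytes, packets, HTTP requests).
# Vectors follow the article's categories: SYN flood, NTP amplification, HTTP flood.
SAMPLES = [
    (0, "HTTP", 2_000_000, 4_000, 3_500),          # normal web traffic baseline
    (0, "UDP", 500_000, 600, 0),
    (1, "SYN", 84_000_000, 1_400_000, 0),          # SYN flood: small packets, high pps
    (1, "HTTP", 2_100_000, 4_100, 3_600),
    (2, "SYN", 87_000_000, 1_450_000, 0),
    (2, "NTP", 1_200_000_000, 1_000_000, 0),       # NTP amplification: large packets, high bps
    (2, "HTTP", 2_000_000, 4_000, 3_400),
    (3, "HTTP", 40_000_000, 80_000, 75_000),       # HTTP GET flood: high rps, modest bps
]

VOLUMETRIC_BPS = 1_000_000_000   # 1 Gbps; assumed, tune to the capacity of your own pipe
VOLUMETRIC_PPS = 500_000         # packets per second; assumed
APPLICATION_RPS = 20_000         # requests per second; assumed, relative to your baseline


@dataclass
class Finding:
    second: int
    vector: str
    kind: str      # "volumetric" or "application"
    measure: str   # metric that tripped: "bps", "pps" or "rps"
    value: float


def detect(samples):
    """Return one Finding per (second, vector) that exceeds an assumed threshold."""
    findings = []
    for second, vector, nbytes, packets, requests in samples:
        bps = nbytes * 8
        if bps >= VOLUMETRIC_BPS:
            findings.append(Finding(second, vector, "volumetric", "bps", bps))
        elif packets >= VOLUMETRIC_PPS:
            findings.append(Finding(second, vector, "volumetric", "pps", packets))
        if requests >= APPLICATION_RPS:
            findings.append(Finding(second, vector, "application", "rps", requests))
    return findings


def multi_vector_seconds(findings):
    """Seconds in which two or more distinct attack vectors were active at once."""
    by_second = defaultdict(set)
    for f in findings:
        by_second[f.second].add(f.vector)
    return sorted(s for s, vectors in by_second.items() if len(vectors) >= 2)


def summarize(samples):
    """Aggregate the findings the way a mitigation report would present them."""
    findings = detect(samples)
    return {
        "volumetric": sorted({f.vector for f in findings if f.kind == "volumetric"}),
        "application": sorted({f.vector for f in findings if f.kind == "application"}),
        "multi_vector_seconds": multi_vector_seconds(findings),
        "peak_gbps": max(nbytes * 8 for _, _, nbytes, _, _ in samples) / 1e9,
        "peak_rps": max(requests for *_, requests in samples),
    }


if __name__ == "__main__":
    for f in detect(SAMPLES):
        print(f"t={f.second}s {f.vector:4} {f.kind:11} {f.measure}={f.value:,.0f}")
    print(summarize(SAMPLES))
```

Note that the SYN flood never crosses the bandwidth threshold; it is caught only by its packet rate, which is why the article stresses packets per second alongside bandwidth, and the HTTP flood is invisible to both network-layer metrics and only shows up in requests per second.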
The easy availability of tools for launching DDoS attacks appears to have made threat actors more persistent than ever in going after victims.
Akamai, for instance, reported seeing targets hit with an average of 32 unique DDoS attacks in Q2 2017. One gaming company was attacked an average of six times a day and 558 times in total. Corero says its customers experienced an average of 124 DDoS attacks per month in the first quarter of this year, up 9% from Q4 2016.
"On a macro level DDoS assaults grew shorter, but also more complex and persistent," Imperva said in its report.
More than 9 in 10 of all attacks that the company encountered lasted under 30 minutes, even as the number of repeat assaults on victims grew sharply. Nearly 75% of Imperva's customers were attacked on multiple occasions, highlighting the persistence with which threat actors have begun going after victims. And 19% were hit 10 times or more.
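The repeat-attack figures above only mean something once you decide what counts as one attack rather than a resumed one. As an added example, not from the article or from Imperva, the following code reads a constructed mitigation log, merges bursts against the same target that are separated by less than an assumed idle gap into a single attack, and then computes the persistence metrics the article cites: attacks per target, the share of targets hit more than once, and the share of attacks shorter than 30 minutes. The event format, the sample events and the 30-minute merge gap are assumptions.

```python
"""Measure how persistently each target is attacked from a constructed mitigation log.
Added example; the record format and the merge gap are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mitigation events: (target, start timestamp, duration in minutes).
EVENTS = [
    ("game-api", "2017-04-01T10:00", 12),
    ("game-api", "2017-04-01T10:20", 8),    # resumes 8 min after the first burst: same attack
    ("game-api", "2017-04-01T18:00", 25),
    ("game-api", "2017-04-02T10:05", 15),
    ("shop-web", "2017-04-03T09:00", 20),
    ("dns-edge", "2017-04-03T11:00", 45),
    ("dns-edge", "2017-04-05T11:00", 10),
]
MERGE_GAP = timedelta(minutes=30)  # assumption: bursts closer than this are one attack


def merge_attacks(events, gap=MERGE_GAP):
    """Collapse bursts against the same target that are separated by less than `gap`
    into single attacks. Returns {target: [(start, end), ...]} ordered by start time."""
    per_target = defaultdict(list)
    for target, start, minutes in events:
        begin = datetime.fromisoformat(start)
        per_target[target].append((begin, begin + timedelta(minutes=minutes)))
    merged = {}
    for target, spans in per_target.items():
        spans.sort()
        out = [spans[0]]
        for start, end in spans[1:]:
            last_start, last_end = out[-1]
            if start - last_end < gap:
                out[-1] = (last_start, max(last_end, end))   # extend the running attack
            else:
                out.append((start, end))                     # a new, separate attack
        merged[target] = out
    return merged


def persistence_report(events, gap=MERGE_GAP):
    """Per-target attack counts plus the repeat and short-attack shares."""
    merged = merge_attacks(events, gap)
    counts = {target: len(spans) for target, spans in merged.items()}
    durations = [end - start for spans in merged.values() for start, end in spans]
    short = sum(1 for d in durations if d < timedelta(minutes=30))
    return {
        "attacks_per_target": counts,
        "repeat_target_share": sum(1 for c in counts.values() if c > 1) / len(counts),
        "share_under_30_min": short / len(durations),
        "most_persistent": max(counts, key=counts.get),
    }


if __name__ == "__main__":
    for target, spans in merge_attacks(EVENTS).items():
        for start, end in spans:
            print(f"{target:9} {start:%Y-%m-%d %H:%M} -> {end:%H:%M}")
    print(persistence_report(EVENTS))
```

With the merge gap set to zero every burst is its own attack and the per-target counts rise accordingly, so the gap is worth recording alongside any repeat-attack statistic you report.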