Más DDoS: More Powerful, Complex, And Widespread

Three DDoS reports published this week reveal how more powerful attacks are becoming the norm, that hacktivism is the main inspiration now rather than extortion -- and anyone can be a victim, not just high-profile organizations.

Arbor Networks, Radware, and Prolexic each released reports detailing trends and data in distributed denial-of-service (DDoS) and regular denial-of-service (DoS) attacks. Among the trends in these often-debilitating attacks on a victim's network infrastructure, website, or other application-layer services is that the impetus for these attacks now is more about hacktivism and vandalism versus extortion -- an old-school motivation -- and no one is immune from becoming a target.

"It was stunning to us what motivated these DDoS attacks," says Roland Dobbins, solutions architect at Arbor and one of the authors of Arbor's "World Wide Infrastructure Security Report for 2011." "It was a surprise to us, but at the same time it jives with our individual experiences and working with service providers around the world. About half the DDoS attacks I personally helped defend against were ideologically motivated."

Dobbins says this is a game-changer. "This really alters the threat landscape for any organization that's Internet-connected. If anyone has a political or ideological ax to grind against an organization or the country where they are headquartered," they are at risk, he says.

Radware's "2011 Global Application and Network Security Report" echoed some of the same findings about DDoS and DoS attacks in that hacktivists were the main perpetrators, with 22 percent of attacks; 12 percent were angry users; 7 percent, a competitor; and 4 percent, extortion. Half of the attacked organizations surveyed by Radware didn't know why they were targeted.

Arbor also found that attackers now have so much firepower that high-volume attacks are no longer a rarity. DDoS attacks in the 10-Gbps range were up, with 13 percent reporting them, and 25 percent of victims say they were hit by attacks that outpaced the total bandwidth of their data center.

"10-Gbps and under attacks are no longer very rare -- they are very commonplace," Dobbins says. "And the broader deployment of [anti-] DDoS technologies [by organizations] is causing attackers to up their game, so it's an arms race.

Prolexic's "Quarterly Attack Report for Q4 2011" also shows a marked increase in more powerful DDoS attacks. The average attack bandwidth in the fourth quarter was 5.2 Gbps, up from 2.1 Gbps in the third quarter; that's an increase of 148 percent, according to Prolexic. Average attack bandwidth jumped 136 percent last year to 2.6 Gbps versus 1.1 Gbps in 2010.

But size doesn't always matter. Radware's report says most organizations don't suffer from catastrophic DDoS attacks: Smaller, less powerful ones can cause more damage with less bandwidth. Some 76 percent of attacks in its survey came in at under 1 Gbps, with 32 percent less than 10 megabits-per-second, and nine percent more than 10 Gbps.

Meanwhile, application-layer attacks are on the upswing. "There is a rise in the sophistication and prevalence of application-layer attacks," Arbor's Dobbins says. "Attackers are not just launching high-bandwidth, high-packet-based attacks. They are doing research and figuring out how to [attack] the app running on the server ... causing websites to fall over."

According to Radware, 56 percent of DoS-type attacks last year went after applications, and 46 percent, the network. Financial services was hit the most, with 28 percent of the attacks, followed by government (25 percent) and gaming sites (25 percent).

Attackers aren't just going after one specific application or HTTP. They are mixing two or more vectors, such as HTTP, SMTP, HTTPS, DNS, SNMP, and IRC, according to Arbor's Dobbins.

Some attacks used up to five different attack vectors in a campaign, according to Radware. And the big bandwidth-sized attacks aren't necessarily the most damaging. A smaller HTTP attack can do more damage than a massive UDP flood attack.

And Prolexic saw shorter attack intervals. "We have seen a trend toward shorter overall attack duration, but with unprecedented high packet-per-second volume and lethal attack signatures,” says Paul Sop, chief technology officer at Prolexic. "This is a devastating cocktail that can quickly bring down even well-protected sites and their mitigation providers. We are starting to see packet-per-second attack volumes that are simply off the charts.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.