When DDoS Isn't All About Massive Disruption

There's the long-lasting, loud DDoS attack that takes down a website or disrupts a company's network operations, but there's also a stealthier, shorter-burst DDoS meant to fly under the radar while sapping just enough bandwidth or network resources to perform more nefarious activity, like silently stealing information.

That type of DDoS, which doesn't suck massive amounts of bandwidth so may not be easily detectable, is typically just one element of a multi-vector attack: DDoS attacks of under 5 gigabits-per-second at peak and lasting less than 10 minutes represent nearly 80% of the DDoS attack attempts spotted by in-line DDoS prevention vendor Corero Network Security, the company says in a new report published today.

The goal of this short, low-saturation DDoS is typically to bypass security defenses or to consume security logs and to ultimately hide other activity the attackers have under way, says Dave Larson, CTO and vice president of products at Corero.

Corero also found a large number of short-burst DDoS attacks lasting anywhere from 5- to 30 minutes. Some 96% of DDoS attacks against its service provider and enterprise customers' networks lasted less than 30 minutes, and 73%, less than five minutes.

These mini-DDoS attacks shouldn't be confused with low-and-slow attacks against the application layer, such as Slowloris-style ones, Larson says, which are often tailored to for true denial-of-service purposes.

"It's a smokescreen effect," Larson says of the short-burst network DDoS attacks. "If they send [traffic] in short-duration, 3 Gig packet rates [at the most], it's not going to cause service degradation" in a large data center, Larson says. "You might see that class of attack good enough to degrade a firewall or IPS … It might allow a connection to remain open during the attack."

These attacks leave plenty of headroom for attackers to execute an exploit, he says, all under the cover of a quiet DDoS attack. "The victim doesn't even know it occurred because it may not be noticeable."

This brand of DDoS is likely the handiwork of more sophisticated attackers such as nation-state cyberspies, who use it to pilfer sensitive information, he says. "DDoS can be useful to degrade the security perimeter, and this can be sent at a rate that saturates all the logs," he says.

That's not to say the mega-DDoS attacks amassing hundreds of Gbps aren't still alive and kicking, of course. "We see the small and the big attacks," Larson says, because Corero's product sits inline in the network. "Our data doesn't negate" the prevalence of large and long attacks, he says.

But Corero's data, as well as data from recent reports by Arbor Networks and the Akamai PLXsert, show how DDoS attacks are evolving -- and continue to be a popular tool. About half of all enterprises suffered a DDoS attack last year and most ISPs and enterprises also suffered more stealthy DDoS attacks aimed at flying under the radar, according to Arbor's 10^th Annual Worldwide Infrastructure Security Report, published in January.

Nearly 30% of the DDoS attacks Arbor sees are for hiding data exfiltration or other types of compromises.

Dan Holden, director of Arbor’s security engineering and response team, says a 5Gbps or below attack would be plenty to take down most websites. "That's the type of attack that's the majority of attacks today," he notes.

It's difficult to get a good read on "low-and-slow" network DDoS attacks that are used as part of a bigger attack, he says. Smaller organizations are more likely to suffer with these because they don't have the resources to detect and deflect them, he says.

"DDoS trends go up and down and the change depends on who's being attacked and what the attackers are after," he says. DDoS won't die because it's so inexpensive for the attacker to execute, while expensive for organizations to defend against, he says.

Application-layer attacks, meanwhile, are the scariest, Holden says. The attack surface of a server is large, he notes, and an attacker who wages one of these higher-layer attacks is likely very determined. He points to the wave of DDoS attacks against US banks a couple of years ago, when some bank websites went offline even with help from ISPs scrubbing the network traffic-layer attacks. "There were instances where ISPs were able to scrub volumetric DDoS attacks, but the website still fell because of an application-layer attack," Holden says. "It takes someone who really cares to go after [an organization] to go after the application layer."

[Everything you need to know about today’s IT security challenges – but were afraid to ask. Register with Discount Code DRBLOG to save $100 for this special one-day event, Dark Reading's Cyber Security Crash Course at Interop on Wednesday, April 29.]

So how can an organization actually defend against nearly invisible DDoS attacks? "The only way to do this is to change your sampling or thresholds so you're looking at lower events of interest" in traditional DDoS products and services, Corero's Larson says.

Another option is to run an inline anti-DDoS tool, which both Corero and Arbor sell.

Meanwhile, companies are getting hit with an average of 3.9 DDoS attack attempts of various size and duration each day, according to Corero's data. One of Corero's customers suffered an average of 12 DDoS attacks per day against its data center infrastructure during a three-month period.