Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

3/23/2015
02:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

When DDoS Isn't All About Massive Disruption

New data shows prevalence of often-undetectable DDoS attacks aimed at quietly wreaking havoc on the network while performing data exfiltration and other attacks.

There's the long-lasting, loud DDoS attack that takes down a website or disrupts a company's network operations, but there's also a stealthier, shorter-burst DDoS meant to fly under the radar while sapping just enough bandwidth or network resources to perform more nefarious activity, like silently stealing information.

That type of DDoS, which doesn't suck massive amounts of bandwidth so may not be easily detectable, is typically just one element of a multi-vector attack: DDoS attacks of under 5 gigabits-per-second at peak and lasting less than 10 minutes represent nearly 80% of the DDoS attack attempts spotted by in-line DDoS prevention vendor Corero Network Security, the company says in a new report published today.

The goal of this short, low-saturation DDoS is typically to bypass security defenses or to consume security logs and to ultimately hide other activity the attackers have under way, says Dave Larson, CTO and vice president of products at Corero.

Corero also found a large number of short-burst DDoS attacks lasting anywhere from 5- to 30 minutes. Some 96% of DDoS attacks against its service provider and enterprise customers' networks lasted less than 30 minutes, and 73%, less than five minutes.

These mini-DDoS attacks shouldn't be confused with low-and-slow attacks against the application layer, such as Slowloris-style ones, Larson says, which are often tailored to for true denial-of-service purposes.

"It's a smokescreen effect," Larson says of the short-burst network DDoS attacks. "If they send [traffic] in short-duration, 3 Gig packet rates [at the most], it's not going to cause service degradation" in a large data center, Larson says. "You might see that class of attack good enough to degrade a firewall or IPS … It might allow a connection to remain open during the attack."

These attacks leave plenty of headroom for attackers to execute an exploit, he says, all under the cover of a quiet DDoS attack. "The victim doesn't even know it occurred because it may not be noticeable."

This brand of DDoS is likely the handiwork of more sophisticated attackers such as nation-state cyberspies, who use it to pilfer sensitive information, he says. "DDoS can be useful to degrade the security perimeter, and this can be sent at a rate that saturates all the logs," he says.

That's not to say the mega-DDoS attacks amassing hundreds of Gbps aren't still alive and kicking, of course. "We see the small and the big attacks," Larson says, because Corero's product sits inline in the network. "Our data doesn't negate" the prevalence of large and long attacks, he says.

But Corero's data, as well as data from recent reports by Arbor Networks and the Akamai PLXsert, show how DDoS attacks are evolving -- and continue to be a popular tool. About half of all enterprises suffered a DDoS attack last year and most ISPs and enterprises also suffered more stealthy DDoS attacks aimed at flying under the radar, according to Arbor's 10th Annual Worldwide Infrastructure Security Report, published in January.

Nearly 30% of the DDoS attacks Arbor sees are for hiding data exfiltration or other types of compromises.

Dan Holden, director of Arbor’s security engineering and response team, says a 5Gbps or below attack would be plenty to take down most websites. "That's the type of attack that's the majority of attacks today," he notes.

It's difficult to get a good read on "low-and-slow" network DDoS attacks that are used as part of a bigger attack, he says. Smaller organizations are more likely to suffer with these because they don't have the resources to detect and deflect them, he says.

"DDoS trends go up and down and the change depends on who's being attacked and what the attackers are after," he says. DDoS won't die because it's so inexpensive for the attacker to execute, while expensive for organizations to defend against, he says.

Application-layer attacks, meanwhile, are the scariest, Holden says. The attack surface of a server is large, he notes, and an attacker who wages one of these higher-layer attacks is likely very determined. He points to the wave of DDoS attacks against US banks a couple of years ago, when some bank websites went offline even with help from ISPs scrubbing the network traffic-layer attacks. "There were instances where ISPs were able to scrub volumetric DDoS attacks, but the website still fell because of an application-layer attack," Holden says. "It takes someone who really cares to go after [an organization] to go after the application layer."

[Everything you need to know about today’s IT security challenges – but were afraid to ask. Register with Discount Code DRBLOG to save $100 for this special one-day event, Dark Reading's Cyber Security Crash Course at Interop on Wednesday, April 29.]

So how can an organization actually defend against nearly invisible DDoS attacks? "The only way to do this is to change your sampling or thresholds so you're looking at lower events of interest" in traditional DDoS products and services, Corero's Larson says.

Another option is to run an inline anti-DDoS tool, which both Corero and Arbor sell.

Meanwhile, companies are getting hit with an average of 3.9 DDoS attack attempts of various size and duration each day, according to Corero's data. One of Corero's customers suffered an average of 12 DDoS attacks per day against its data center infrastructure during a three-month period.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/24/2015 | 1:31:02 PM
Re: Deeper Explanation of Tools
I do not believe there is one, there is no real protection against DDoS. Most DDoS are caused by legitimate traffic and there is no such thing as unlimited resources to avoid it.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
3/23/2015 | 2:46:47 PM
Deeper Explanation of Tools
Can someone explain in larger detail what an anti-DDoS tool will accomplish? Specifically towards undetectable DDoS around data exfiltration.
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10100
PUBLISHED: 2019-07-18
Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: allow malitious html to change user password, disable users and disable password encryptation. The component is: Function User password change, user disable and password encryptation. The attack vector is: admin access ...
CVE-2019-10100
PUBLISHED: 2019-07-18
domainmod v4.10.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: There is a CSRF vulnerability that can change admin password. The component is: http://127.0.0.1/settings/password/ http://127.0.0.1/admin/users/add.php http://127.0.0.1/admin/users/edit.php?uid=2. The attack vector ...
CVE-2019-10100
PUBLISHED: 2019-07-18
domainmod(https://domainmod.org/) domainmod v4.10.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: There is a CSRF vulnerability that can add the administrator account. The component is: http://127.0.0.1/admin/users/add.php. The attack vector is: After the administrator logged in,...
CVE-2019-10100
PUBLISHED: 2019-07-18
domainmod(https://domainmod.org/) domainmod v4.10.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: There is a CSRF vulnerability that can change the read-only user to admin. The component is: http://127.0.0.1/admin/users/edit.php?uid=2. The attack vector is: After the administrato...
CVE-2016-10762
PUBLISHED: 2019-07-18
The CampTix Event Ticketing plugin before 1.5 for WordPress allows CSV injection when the export tool is used.