Bigger is not better when it comes to DDoS attacks

Most organizations that experienced a DDoS attack were brought down by less intensive efforts: 76% of attacks in 2011 were less than 1 Gbps in bandwidth, while only 9% were over 10 Gbps, according to Radware's 2011 Global Application and Network Security Report.

For the report, Radware surveyed 135 security professionals and analyzed 40 cases of DDoS attacks.

The report found that 56% of DDoS attacks targeted the application layer, while only 46% targeted the network layer. Radware warned that a much smaller HTTP flood at the application level may do more damage than a larger UDP flood on the network.

“The majority of attacks over the last 12 months have been service disrupting but they haven’t been bandwidth-based attacks. They have been something other than that. We think that is a major tipping point”, said Carl Herberger, vice president for security solutions at Radware.

In half of the DDoS attacks, companies did not know why they were targets. Hacktivists with a political or social agenda accounted for 22% of the attacks; 12% came from angry users; 7% from the competition; and 4% wanted a ransom in exchange for freeing the website.

“A lot of these attacks are motivated by ideology. People are using these techniques to silence, shame, or shut down a site or organization”, Herberger told Infosecurity.

In addition, DDoS attacks have become more organized, professional, and complex, with attackers using as many as five different attack vectors in a single attack campaign.

Herberger explained that hackers have developed social networks that decrease the time it takes for them to adjust to security measures or to develop new hacking tools and techniques.

The report found that a firewall or intrusion protection system (IPS) did not stop DDoS attacks. In 32% of DDoS attacks examined, the firewall or IPS became a bottleneck that exacerbated the attack.

In addition, the report noted that content delivery network providers (CDNs) can be bypassed in a DDoS attack. CDNs can handle less-sophisticated, large-volume attacks by absorbing them. But they can be bypassed by using random requesting techniques that force CDNs to forward all attacks directly to the customer premises, the report concluded.
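Two of the report's findings above share one detection angle: an application-layer HTTP flood can be small in bandwidth yet disruptive, and a flood that randomizes each request defeats CDN caching so every request reaches the origin. Both leave the same trace in origin access logs: a client sustaining a high request rate where almost no URL repeats, whereas a real browser re-fetches the same assets. The script below is an added example written for this article, not code from Radware or the report; the log lines are constructed in Common Log Format, and the thresholds (20 requests, 2 requests/s, 80% unique URLs) are illustrative assumptions rather than values from the report.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

# Common Log Format: client, identity, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


@dataclass
class ClientStats:
    requests: int = 0
    distinct_urls: Set[str] = field(default_factory=set)
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None

    @property
    def rate(self) -> float:
        """Requests per second over the client's observed window (floor of 1 s)."""
        if self.first_seen is None or self.last_seen is None:
            return 0.0
        span = (self.last_seen - self.first_seen).total_seconds()
        return self.requests / max(span, 1.0)

    @property
    def unique_ratio(self) -> float:
        """Share of requests whose path+query never repeats. Close to 1.0 means
        every request was a guaranteed cache miss, the mark of cache-busting."""
        return len(self.distinct_urls) / self.requests if self.requests else 0.0


def parse_log(text: str) -> Dict[str, ClientStats]:
    """Aggregate per-client request count, distinct URLs and time window."""
    stats: Dict[str, ClientStats] = defaultdict(ClientStats)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        s = stats[m["ip"]]
        s.requests += 1
        s.distinct_urls.add(m["url"])
        if s.first_seen is None or ts < s.first_seen:
            s.first_seen = ts
        if s.last_seen is None or ts > s.last_seen:
            s.last_seen = ts
    return dict(stats)


def flag_cache_busters(stats: Dict[str, ClientStats], min_requests: int = 20,
                       min_rate: float = 2.0, min_unique_ratio: float = 0.8) -> List[str]:
    """Clients sustaining a high request rate with almost every URL unique.
    Thresholds are illustrative assumptions; tune them to the site's baseline."""
    return sorted(
        ip for ip, s in stats.items()
        if s.requests >= min_requests
        and s.rate >= min_rate
        and s.unique_ratio >= min_unique_ratio
    )


def constructed_sample_log() -> str:
    """Constructed sample, not real traffic. 203.0.113.7 sends 30 requests in
    10 s, each with a fresh query string so no cache ever serves it;
    198.51.100.20 browses one page and its assets twice."""
    flood = [
        f'203.0.113.7 - - [10/Feb/2012:13:55:{30 + i // 3:02d} +0000] '
        f'"GET /index.html?x={i:04x} HTTP/1.1" 200 5120'
        for i in range(30)
    ]
    visitor = [
        '198.51.100.20 - - [10/Feb/2012:13:55:31 +0000] "GET /index.html HTTP/1.1" 200 5120',
        '198.51.100.20 - - [10/Feb/2012:13:55:31 +0000] "GET /style.css HTTP/1.1" 200 800',
        '198.51.100.20 - - [10/Feb/2012:13:55:32 +0000] "GET /logo.png HTTP/1.1" 200 3000',
        '198.51.100.20 - - [10/Feb/2012:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 5120',
        '198.51.100.20 - - [10/Feb/2012:13:55:38 +0000] "GET /style.css HTTP/1.1" 200 800',
        'this line is deliberately malformed and must be skipped',
    ]
    return "\n".join(flood + visitor)


if __name__ == "__main__":
    stats = parse_log(constructed_sample_log())
    for ip, s in sorted(stats.items()):
        print(f"{ip:15} requests={s.requests:3d} rate={s.rate:5.2f}/s unique={s.unique_ratio:.2f}")
    print("flagged:", flag_cache_busters(stats))
```

Aggregating per source address is the simplification here: a botnet spreads the same pattern across many addresses, so in practice the unique-URL ratio is also watched on the aggregate origin traffic or on the CDN's own cache-status logs, where a sudden collapse of the hit rate signals the same bypass without needing any single noisy client.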

Instead of a mitigation strategy of defend and absorb, Radware recommends that businesses go on the offensive and be proactive in their mitigation steps to stop malicious traffic or website degradation. This can be done by identifying the attack tool used as the vehicle for the attack and exploiting its inherent weaknesses to neutralize the tool in a passive, non-intrusive way, the report explained.