DDoS-ers Switch to Short, Sharp, Low Volume Attacks – Report


Organizations need to be prepared for a new generation of DDoS attacks which are shorter in duration and smaller in size but more carefully crafted to distract security teams and profile networks for follow-up attacks.

These are the findings from Corero Network Security’s inaugural Quarterly DDoS Trends and Analysis Report.

Its review of Q4 2014 revealed that customers experienced an average of 3.9 attacks each day, or 351 for the quarter.

Ransom, cyber-terrorism, fraud and even data exfiltration were given as some of the primary drivers for attack.

Interestingly, the majority of attacks on Corero customers came in short bursts: during the period, 96% of attacks lasted less than 30 minutes.

More worrying for businesses is that many were specifically crafted not to consume a targeted organization’s entire bandwidth – thus leaving just enough for a follow-up data-stealing attack while the IT team is distracted.

During Q4 2014, 87% of attack attempts were less than 1Gbps in peak bandwidth utilization, while another 10% were between 1-5Gbps.

Crucially, the short duration of many of these attacks means IT admins don’t have time to switch on cloud-based DDoS mitigation services – costing yet more money for the organization, said Corero.

Cyber-criminals are also widening their portfolio away from volumetric to multi-vector DDoS attacks which could include a combination of DNS amplification, SSDP amplification, SYN flood and NTP amplification.

These can come as part of a more sophisticated, adaptive and multi-staged attack.

The report continued with the following:

“Attackers are implementing techniques to profile the nature of the target network’s security defenses, and utilizing subsequent techniques to implement second or third attacks designed to circumvent an organization’s layered protection strategy. To defeat these sophisticated attacks, real-time analysis is required to determine the need to customize detection filters and block the attack immediately.”
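The report's findings above (bursts under 30 minutes, peaks under 1Gbps, and a mix of SYN flood, DNS, NTP and SSDP amplification) translate into a detection problem: a volumetric trigger alone will not fire. The following is an added example, not code from Corero or the report, of how a defender might classify flow records into those vectors and flag short, sub-gigabit bursts that a bandwidth threshold would miss. The `Flow` record layout, the port-based classification heuristics, the 20 Mbps baseline and the 10x burst factor are all assumptions chosen for the illustration, and the sample flows are constructed.

```python
"""Added example: classify flow records into the DDoS vectors the report
names and flag short, sub-gigabit bursts. Constructed sample data; the
thresholds and heuristics are assumptions, not values from the report."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

GBPS = 1_000_000_000            # bits per second in 1 Gbps
BIN_SECONDS = 60                # aggregate flows into one-minute bins
BASELINE_BPS = 20_000_000       # assumed normal per-vector rate (20 Mbps)
BURST_FACTOR = 10               # a bin counts as a burst at 10x the baseline
SHORT_ATTACK_SECONDS = 30 * 60  # the report's "less than 30 minutes" cut-off

# Source ports that identify reflected/amplified UDP traffic arriving at a victim
AMPLIFIER_PORTS = {53: "dns_amplification", 123: "ntp_amplification",
                   1900: "ssdp_amplification"}


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds of the flow start
    proto: str       # "tcp" or "udp"
    src_port: int
    dst_port: int
    tcp_flags: str   # e.g. "S" (bare SYN), "SA"; "" for UDP
    bytes: int       # bytes carried by the flow


def classify(flow: Flow) -> Optional[str]:
    """Map one flow to a vector named in the report, or None for ordinary traffic."""
    if flow.proto == "tcp" and flow.tcp_flags == "S":
        return "syn_flood"
    if flow.proto == "udp":
        return AMPLIFIER_PORTS.get(flow.src_port)
    return None


def bin_rates(flows):
    """Bits per second of attack-classified traffic per (vector, minute bin)."""
    bits = defaultdict(int)
    for f in flows:
        vector = classify(f)
        if vector:
            bits[(vector, f.ts // BIN_SECONDS)] += f.bytes * 8
    return {key: b / BIN_SECONDS for key, b in bits.items()}


def _alert(vector, first_bin, last_bin, peak_bps):
    duration = (last_bin - first_bin + 1) * BIN_SECONDS
    return {
        "vector": vector,
        "start_ts": first_bin * BIN_SECONDS,
        "duration_seconds": duration,
        "peak_gbps": peak_bps / GBPS,
        "short": duration < SHORT_ATTACK_SECONDS,  # too brief to swing to cloud scrubbing
        "sub_gigabit": peak_bps < GBPS,             # below a volumetric trigger
    }


def detect_bursts(flows):
    """Merge consecutive over-threshold bins per vector into burst alerts."""
    hot = defaultdict(list)
    for (vector, b), bps in bin_rates(flows).items():
        if bps >= BASELINE_BPS * BURST_FACTOR:
            hot[vector].append((b, bps))
    alerts = []
    for vector, bins in hot.items():
        bins.sort()
        first, prev, peak = bins[0][0], bins[0][0], bins[0][1]
        for b, bps in bins[1:]:
            if b == prev + 1:                # still the same burst
                prev, peak = b, max(peak, bps)
            else:                             # gap: close the burst, start another
                alerts.append(_alert(vector, first, prev, peak))
                first, prev, peak = b, b, bps
        alerts.append(_alert(vector, first, prev, peak))
    return sorted(alerts, key=lambda a: (a["start_ts"], a["vector"]))


def multi_vector(alerts):
    """Vectors whose bursts fall in the same 30-minute window: a multi-vector sign."""
    windows = defaultdict(set)
    for a in alerts:
        windows[a["start_ts"] // SHORT_ATTACK_SECONDS].add(a["vector"])
    return [sorted(v) for v in windows.values() if len(v) > 1]


# Constructed sample data; T0 is aligned to a minute boundary.
T0 = 1_700_000_040
SAMPLE_FLOWS = (
    # ordinary traffic: completed handshakes on HTTPS, never classified
    [Flow(T0 + m * BIN_SECONDS, "tcp", 443, 50000 + m, "SA", 2_000_000) for m in range(30)]
    # 5 minutes of bare-SYN traffic at 400 Mbps (3 GB per minute bin)
    + [Flow(T0 + m * BIN_SECONDS, "tcp", 40000 + m, 80, "S", 3_000_000_000) for m in range(0, 5)]
    # overlapping 5 minutes of DNS responses at 800 Mbps (6 GB per minute bin)
    + [Flow(T0 + m * BIN_SECONDS, "udp", 53, 33000 + m, "", 6_000_000_000) for m in range(4, 9)]
    # a normal DNS answer, far below the burst threshold
    + [Flow(T0 + 20 * BIN_SECONDS, "udp", 53, 33999, "", 4_000)]
)

if __name__ == "__main__":
    found = detect_bursts(SAMPLE_FLOWS)
    for alert in found:
        print(alert)
    print("multi-vector windows:", multi_vector(found))
```

Both bursts in the sample peak well under 1Gbps and last five minutes, so a threshold tuned for volumetric floods would see nothing; the per-vector baseline comparison surfaces them, and the overlap check gives the analyst the "is this a staged, multi-vector event?" signal the report says is needed to adjust filters in real time.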

Corero CTO Dave Larson provided Infosecurity with just one example of how multi-vector attacks can work.

“A high packet rate SYN flood may consume CPU resources on a firewall, degrading its capability, which may be followed by a heavily fragmented DNS amplification that is intended to cause IPS systems to revert to Layer 2 fallback mode (essentially letting everything pass through),” he argued.

“The attackers perform constant reconnaissance during these attacks to determine how successful their attempts are at evading existing security layers and at what optimum attack bandwidth and duration they can repeat the evasion scenario.”

Once they’ve perfected this methodology, an attack can be crafted to occur within a mere 30 minutes or less, so it’s difficult to predict or stop.
