Short, frequent, low-volume DDoS attacks continue to dominate

Service providers, hosting providers and digital enterprises are all impacted by DDoS attacks. But besides the headline-grabbing volumetric attacks, another more sinister DDoS method lies in the shadows.

Typically, less than 10Gbps in volume and less than 10 minutes in duration, sub-saturating DDoS attacks are capable of knocking a firewall or intrusion prevention system (IPS) offline so that hackers can target, map and infiltrate a network to install malware and engage data exfiltration activity. These hidden motives have led Corero to describe this type of attack as “Trojan Horse” DDoS, says Stephanie Weagle, VP, Corero Network Security.

What’s changed?

Today’s DDoS attacks are almost unrecognisable from the early days of attacks, when most were simple, volumetric attacks intended to cause embarrassment and brief disruption. Increasingly in recent months, we’ve seen a shift in the duration and volume of DDoS attacks.

Despite a few massive, high-volume DDoS attacks over the course of the last year, our latest DDoS trends and analysis report found that the majority (98%) of DDoS attacks against Corero customers during Q1 2017 were less than 10 Gbps per second in volume and lasted 10 minutes or less. But don’t be fooled – though these attacks may be small, they can still cause considerable damage to your network.

Rather than showing their capabilities in full view, through large, volumetric DDoS attacks that cripple a website, using short attacks allows bad actors to test for vulnerabilities within a network and monitor the success of new methods without being detected.

Most cloud-based scrubbing solutions will not detect DDoS attacks of less than 10 minutes in duration, so the damage is done before the attack can even be reported. As a result, the raft of sub-saturating attacks observed at the beginning of this year could represent a testing phase, as hackers experiment with new techniques before deploying them at an industrial scale. To ignore these attacks is to effectively leave your door wide open for a more serious malware or ransomware attack, data theft or more serious network intrusion.

The role of the Internet Service Providers (ISPs)

For a long time, ISPs have carried the burden of defending their own networks from threats. However, as the threat landscape has changed, so must their approach. Rather than relying on outdated tools that only defend against the early types of DDoS attacks, ISPs need to modernise their security service offering by taking advantage of real-time DDoS mitigation through emerging and proven deployment models.

It is only by having complete visibility over the network, and the ability to detect and respond to network incursions in real-time, that ISPs can prevent attacks on their networks.

After all, there is a valuable business benefit for ISPs to position themselves as leading the charge against DDoS attacks, both in protecting their own networks and enabling them to offer more comprehensive solutions to their customers as a paid-for, managed service.

ISPs are moving towards a more expansive network architecture, distributed to provide services targeted at specific subscribers. Thus, the opportunity to provide sophisticated DDoS protection to their customers as a service could open up a valuable new revenue stream as well as building on customer loyalty.

Conclusion

These powerful, short duration attacks should not be underestimated. They can impact service availability, cause outages, or act as a smoke screen for other types of cyber-attacks. Thus, it is critical that Internet Service Providers and carriers take proactive measures to eliminate the effects of DDoS attacks.

Effective mitigation solutions must take effect instantly and automatically. Waiting tens of minutes or longer for on-demand scrubbing operations to kick in, or human intervention, could prove to be a costly mistake.

The author of this blog is Stephanie Weagle, VP, Corero Network Security

Comment on this article below or via Twitter: @ VanillaPlus OR @jcvplus