Corero

Small DDoS Attacks Cause Big Problems

Distributed Denial of Service (DDoS) attacks make headlines when they 1) cripple a website or service and 2) hit a prominent organization. For example, we’ve seen news stories about attacks on web services with many users (such as AWS in 2020) or websites that serve a critical function (GitHub in 2018). However, most DDoS attacks are not large, high-volume attacks, and cybercriminals target all kinds of organizations, not only household-name companies or government agencies. No website or online service is immune to DDoS, and an attack of any size is cause for alarm. DDoS is not just an online availability issue; it’s a security issue.

Corero research consistently shows that the vast majority (75%) of DDoS attacks are under 1 Gbps, and 85% last less than 10 minutes. That doesn’t sound like enough to cripple a website or online service. So why would hackers launch such attacks, and why should companies care, as long as their systems remain up and running?

DDoS Can Mask Security Breaches

Cybercriminals launch low-threshold DDoS attacks because they are a cheap and easy way to achieve their endgame. Because the attacks are so short – typically a few minutes in duration – they are usually not noticed by security teams or by traditional DDoS scrubbing solutions, and because their volume does not stand out obviously from legitimate traffic, they are near-impossible to detect without an always-on DDoS protection solution with granular deep packet inspection and detection capabilities.
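The detection gap described above comes down to averaging: a two-minute burst that runs a 1 Gbps link at 85% of capacity contributes only a fraction of that rate to a five-minute monitoring interval, so a coarse-window threshold never fires. The following script is an added illustration, not code from the Corero post or a Corero product; the flow records, addresses, the 1 Gbps link size and the 70% alerting threshold are all constructed assumptions. It bins the same traffic into 5-minute and 10-second windows and reports which windows would alert.

```python
"""Added example (not from the Corero post): a short, sub-saturating burst
disappears when traffic is averaged over a coarse monitoring interval.
All flow records, addresses and thresholds below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

LINK_MBPS = 1000          # assumed 1 Gbps customer link
ALERT_FRACTION = 0.7      # assumed alerting threshold: 70% of link capacity


@dataclass(frozen=True)
class Flow:
    ts: int       # second in which the flow record starts (constructed)
    src: str
    dst: str
    nbytes: int


def constructed_flows():
    """15 minutes of per-second records towards one destination: a 50 Mbps
    baseline plus a 120-second, 800 Mbps burst from t=300 to t=419."""
    flows = []
    for t in range(900):
        flows.append(Flow(t, "10.0.0.5", "203.0.113.10", 6_250_000))  # 50 Mbps
        if 300 <= t < 420:
            # 100 MB/s from a rotating set of sources: an extra 800 Mbps
            flows.append(Flow(t, f"198.51.100.{t % 250}", "203.0.113.10", 100_000_000))
    return flows


def rates_per_window(flows, window_s):
    """Per-destination average bit rate (Mbps) in each fixed-size window,
    keyed by (destination, window start second)."""
    buckets = defaultdict(int)
    for f in flows:
        buckets[(f.dst, f.ts // window_s * window_s)] += f.nbytes
    return {k: b * 8 / window_s / 1e6 for k, b in buckets.items()}


def alerts(flows, window_s, link_mbps=LINK_MBPS, frac=ALERT_FRACTION):
    """(window start, Mbps) for every window whose average exceeds frac of the link."""
    return sorted(
        (start, round(rate, 1))
        for (_dst, start), rate in rates_per_window(flows, window_s).items()
        if rate > link_mbps * frac
    )


def burst_seconds(flows, window_s):
    """Seconds covered by alerting windows: the attack duration as the monitor sees it."""
    return len(alerts(flows, window_s)) * window_s


if __name__ == "__main__":
    flows = constructed_flows()
    # 5-minute windows: the burst averages down to 370 Mbps, below the threshold.
    print("5-minute windows:", alerts(flows, 300))
    # 10-second windows: twelve consecutive windows at 850 Mbps, i.e. 120 s of attack.
    print("10-second windows:", alerts(flows, 10))
    print("visible duration:", burst_seconds(flows, 10), "seconds")
```

The same bytes produce no alert at 5-minute granularity and twelve alerting windows at 10-second granularity, which is why a burst that fits inside one polling interval can only be caught by something that watches the link continuously at fine resolution.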

In cases where IT security staff do notice a DDoS attack in progress, it may be only a decoy to distract them while the cybercriminals stealthily find pathways and test for vulnerabilities within the target’s network. The bad actors may subsequently install malware to exfiltrate sensitive data such as email addresses, credit card numbers, or corporate intellectual property. In addition, they may “own” or “enslave” devices on the network so they can later be used as bots in a “zombie” army.

DDoS is Often a Precursor to Ransom

Another cause for concern is that DDoS is increasingly used as a precursor to ransom attacks. Once the attackers find that your network is vulnerable, they can either install ransomware or threaten to launch truly crippling, large-volume attacks. Either way, the cybercriminals will demand that you cough up some bitcoin to avoid or stop the attack.

Partial-Link Saturation Leads to Performance Degradation

Sub-saturating DDoS attacks cause network congestion and service degradation. This is especially important in Carrier, Service Provider, or Hosting Provider environments because 1) even smaller attacks can saturate a downstream customer’s link, and in an always-on world, network availability is crucial for subscribers; 2) DDoS traffic is increasingly costly to transit across the network; and 3) downtime impacts Service Level Agreements (SLAs) and results in compensation claims. In the highly competitive Carrier arena, SLAs often promise optimum network reliability; the only way to guarantee that is by using an always-on, real-time solution.

Solutions for Effective DDoS Mitigation

The fact is that legacy DDoS mitigation solutions, such as on-demand scrubbing, can be blind to the latest generation of low-threshold, multi-vector attacks. Just because a DDoS attack is smaller doesn’t mean it isn’t a huge problem. It takes attackers only a few minutes to map a network, install malware, or discover your network vulnerabilities in order to steal your valuable data; by the time security staff have recognized a low-threshold attack in progress and diverted traffic to be cleaned at an out-of-band scrubbing center, the damage has likely already been done.