10-minute DDoS attacks: A Devil in Disguise

Think what you don’t know won’t hurt you? Think twice. Over the last few years, Corero Network Security has observed that short, sub-saturating DDoS attacks are dominating the DDoS threat landscape. Indeed, according to Corero’s research, the majority of those attacks (71%) last less than 10 minutes and are of modest amplitude (96% are less than 5Gbps).

Due to their small size, these sub-saturating attacks tend to go undetected by IT security staff and by many DDoS protection systems. However, they are just disruptive enough to knock a firewall or intrusion prevention system (IPS) offline, so that the attackers can target, map and infiltrate a network to install malware and engage in data exfiltration.

Even a few minutes of downtime can prove extremely costly in lost revenue, reduced customer confidence, and overall reputation damage. Earlier this month, Amazon had a dodgy hour during Prime Day when their website was unresponsive, and it looks like it potentially cost them around $75 million in lost sales – that’s $1.25 million per minute. With such significant, and easily calculable, revenue at risk for every minute of downtime, organizations need to ensure they have the right security measures in place: measures that can identify and mitigate even small, low-volume DDoS threats before damage is done.

Glitch in the System

Most DDoS protection strategies employ a network monitor to detect anomalies, human intervention to analyze these anomalies, redirection of the suspect traffic, and a DDoS scrubbing center to cleanse the traffic. However, the detection and human analysis can take 10 minutes or more. In that scenario a five-minute attack is finished before the legacy-style approach to protection has kicked in. The recent 1.34 Tbps attack on GitHub serves as an example of the potential consequences of a delayed response to a DDoS attack.

Moreover, if a problem goes on for only one minute, there's quite a good chance that it will just fly under the radar. Often someone might think it’s a glitch in the system, and when everything is back to normal they will simply forget about it. Those quick little glitches or hiccups in system performance often go unnoticed by security teams, which allows cybercriminals to test for vulnerabilities within the network. As a result, attackers can perfect their techniques while remaining in disguise, leaving security teams blindsided by subsequent attacks.
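To make the timing argument concrete, here is an added illustration (not Corero’s code or product logic) that runs two detectors over a constructed per-second traffic trace: a legacy flow that averages traffic over 5-minute windows, compares it against a link-saturation threshold and then waits for a human analyst, versus an always-on detector that compares each second against a trailing baseline. The link capacity, thresholds, delays and the 4-minute 2 Gbps burst are all assumptions chosen to mirror the sub-saturating attacks described above.

```python
from statistics import mean

LINK_GBPS = 10.0  # assumed link capacity (constructed for this example)

def constructed_traffic(seconds=900, attack_start=300, attack_len=240):
    """Constructed per-second ingress in Gbps: ~0.35 Gbps baseline plus a
    4-minute, 2 Gbps burst. Sub-saturating: far below the 10 Gbps link."""
    rates = [0.3 + 0.05 * (t % 3) for t in range(seconds)]
    for t in range(attack_start, attack_start + attack_len):
        rates[t] += 2.0
    return rates

def legacy_detect(rates, window=300, frac=0.5, analyst_delay=600):
    """Legacy flow: a monitor reports 5-minute averages; an alert fires only
    when the average reaches `frac` of link capacity, and mitigation starts
    after a fixed human-analysis delay. Returns the second at which
    mitigation begins, or None if the attack never trips the threshold."""
    for start in range(0, len(rates), window):
        avg = mean(rates[start:start + window])
        if avg >= frac * LINK_GBPS:
            # alert is available only once the window has closed
            return start + window + analyst_delay
    return None

def realtime_detect(rates, baseline_secs=60, factor=3.0, sustain=5):
    """Always-on detector: each second is compared with the trailing
    60-second baseline; alert once the rate exceeds factor * baseline for
    `sustain` consecutive seconds. Returns the second of the alert."""
    run = 0
    for t in range(baseline_secs, len(rates)):
        baseline = mean(rates[t - baseline_secs:t])
        run = run + 1 if rates[t] > factor * baseline else 0
        if run >= sustain:
            return t
    return None

if __name__ == "__main__":
    trace = constructed_traffic()
    attack_end = 300 + 240
    print("legacy (saturation threshold):", legacy_detect(trace))
    print("legacy (10% threshold):", legacy_detect(trace, frac=0.1),
          "- attack ended at", attack_end)
    print("always-on baseline detector:", realtime_detect(trace))
```

With these assumptions the legacy flow never alerts at a saturation threshold, and even with the threshold lowered to 10% of the link it would begin mitigation at second 1200, long after the burst ended at second 540; the baseline detector alerts at second 304.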

Motivations Behind Shorter, Low-Volume Attacks

The motivations behind these short attacks remain unclear. It is unknown whether the short duration is intended as part of a broader multi-vector attack, or whether the attack is short simply because the attacker only paid for 10 minutes from a DDoS-for-hire service. Whatever the motives or intended outcome – corporate data theft, retaliation, monetary gain – DDoS is frequently the tool of choice for the cyber-criminal who wishes to compromise specific networks or websites. The shady “DDoS for hire” market has made this criminal activity relatively straightforward, inexpensive and anonymous.

Best Practices

Sometimes the simplest things are the most powerful. When you combine the size, frequency and duration of attacks with the low-volume, sub-saturating nature of the threats, victims are faced with a significant security and availability challenge. These low-level, sub-saturating DDoS attacks are often used as a precursor to more serious incursions because they are typically not detected by security teams, and they allow attackers to find pathways and test for vulnerabilities within a network which can later be exploited through other techniques.

Traditional security infrastructure will not stand up to these attacks, as it only deals with what it can see, which is 20% of the problem. For this reason, organizations need to be looking to the latest generation of always-on, real-time, automatic DDoS protection solutions, as even small, short attacks can have serious implications.