Increased use of Intelligent, Adaptive DDoS Attack Techniques

By Bipin Mistry | October 29, 2014

Posted in: Network Security Trends , Hosting Provider DDoS Protection

Many equate DDoS with only one type of attack vector: volumetric. That is not surprising, as these high-bandwidth attacks are the ones that most often make the headlines. Volumetric DDoS attacks are comparatively easy to identify and to defend against with on-premises or cloud anti-DDoS solutions, or a combination of both.

Recently, Corero Network Security has identified a change in the way attackers are using DDoS as a mechanism to target corporate Enterprises, Hosting Providers and Internet Service Providers. Not only are they using brute-force multi-vector DDoS attacks, but they have started implementing more adaptive methods: they profile the nature of the target network's security defenses, and then select a second or third attack designed to circumvent the layered protection the Enterprise or Service Provider has in place.

Outlined below is an example of an actual attack intruders are using. The charts show an initial SYN flood attack (IP addresses have been removed to protect the organization concerned). This attack is easily blocked by the Corero SmartWall® Threat Defense System (TDS). The initial attack lasts approximately 15-20 minutes and is a very high capacity attack. After 20 minutes the attacker backs off the volumetric attack and initiates a second attack at a much lower threshold. Many security platforms would eventually allow this traffic through, because its rate looks like normal TCP traffic that stays under their thresholds. The SmartWall TDS, however, recognizes and blocks this second attack by using intelligent and flexible filtering and behavioral techniques to understand the nature of the attack pattern.
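The two-phase pattern described above, as an added illustration that is not part of the original post and not Corero code: a detector that only enforces a fixed SYN-per-second ceiling catches the volumetric phase but lets the quieter second phase through, whereas a behavioral check that learns the normal share of SYNs that never complete a handshake flags both phases. The per-second counters are constructed sample data, and the thresholds are assumed values chosen for the example.

```python
from dataclasses import dataclass
from statistics import mean

# Hypothetical detector for this article, not Corero SmartWall code.
# A Window is a constructed one-second counter pair: SYNs seen, handshakes completed.
@dataclass(frozen=True)
class Window:
    second: int
    syns: int        # TCP SYN segments arriving in this second
    completed: int   # handshakes that finished with the client's final ACK

# Constructed timeline: 3 s normal, 3 s volumetric SYN flood, then 4 s of the
# quieter second phase that stays under any packet-rate ceiling.
TRAFFIC = (
    [Window(s, 1_500, 1_450) for s in range(0, 3)]
    + [Window(s, 200_000, 1_400) for s in range(3, 6)]
    + [Window(s, 4_000, 1_300) for s in range(6, 10)]
)

def half_open_ratio(w: Window) -> float:
    """Share of SYNs in the window that never completed a handshake (0.0 if no SYNs)."""
    return 0.0 if w.syns == 0 else 1.0 - w.completed / w.syns

def static_threshold(windows, syn_per_sec=50_000):
    """Fixed rate ceiling: flags only seconds whose raw SYN count exceeds the limit."""
    return {w.second for w in windows if w.syns > syn_per_sec}

def behavioral(windows, baseline_secs=3, min_syns=500, tolerance=0.30):
    """Learn the normal half-open ratio from the first windows, then flag any later
    window whose ratio exceeds that baseline by more than `tolerance`, whatever its
    volume. Windows below `min_syns` are ignored so a few lost packets on a quiet
    link do not trip the detector."""
    baseline = mean(half_open_ratio(w) for w in windows[:baseline_secs])
    return {
        w.second
        for w in windows[baseline_secs:]
        if w.syns >= min_syns and half_open_ratio(w) - baseline > tolerance
    }

def evasion_windows(windows):
    """Seconds that slip past the rate ceiling but are still caught by the ratio check."""
    return behavioral(windows) - static_threshold(windows)

if __name__ == "__main__":
    print("rate ceiling flags  :", sorted(static_threshold(TRAFFIC)))
    print("behavioural flags   :", sorted(behavioral(TRAFFIC)))
    print("caught only by ratio:", sorted(evasion_windows(TRAFFIC)))
```

In production the baseline would be learned over a much longer quiet period and re-checked per destination, but the point stands: a ratio that describes how the traffic behaves survives the drop in volume, while a raw packet-rate ceiling does not.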

[Chart: DDoS attack traffic]

These partial-saturation attacks have sufficient capacity to take down firewalls, IPSs, web application servers and back-end infrastructure, but do not fully saturate the pipe. The in-line Corero SmartWall TDS not only uses advanced intelligent filters to ensure multi-vector attacks are stopped in real time, but also leverages advanced security forensics to provide the detailed visibility needed to determine the nature of the threat. As this instance shows, intruders are now combining evasion techniques with multi-vector and traditional high-capacity DDoS attacks. To achieve the same level of intelligence and real-time mitigation without a Corero First Line of Defense solution in place, the victim organization would have to monitor constantly and create filters and signatures on the fly with the help of a human security analyst. Detecting these attacks with a cloud-based model is an expensive proposition, not to mention the delays it introduces before the attack is actually mitigated. In many cases these lower-threshold threats are designed to fly under the radar for a more lucrative purpose: commandeering sensitive company or customer data.

Organizations must arm themselves with next-generation DDoS defense platforms that incorporate both intelligent, automated filtering and detailed security forensics to effectively defeat these new advanced evasion threats.
