The DDoS threat landscape is a broad, ever-evolving and dynamic topic that is covered from many different perspectives. One angle that doesn’t always get the spotlight is the use of DDoS attacks as a diversionary tactic or profiling mechanism for advanced assaults against a target victim.
Traditionally, the term “DDoS” has long been associated with volumetric, overpowering attacks whose intent is literally to deny the availability of the target’s services. Today, attackers more commonly employ DDoS techniques to do far more than deny service. Attack attempts experienced by Corero’s protected customers in Q4 2014 indicate that short bursts of sub-saturating DDoS attacks are becoming the norm. The recent DDoS Trends and Analysis report indicates that 79 percent of attack attempts targeting Corero customers were less than 5Gbps in peak bandwidth utilization and were under 10 minutes in duration.
Why would a DDoS attack be designed to maintain service availability if “Denial of Service” is the true intent? What’s the point if you aren’t aiming to take an entire IT infrastructure down, or wipe out hosted customers with bogus traffic, or flood service provider environments with massive amounts of malicious traffic? Unfortunately, the answer is quite alarming.
For organizations that do not take advantage of DDoS protection positioned at the network edge, these partial link-saturation attacks, occurring in bursts of short duration, enter the network unimpeded and begin overwhelming traditional security infrastructure. In turn, this activity stimulates unnecessary logging of DDoS event data, which may prevent the logging of more important security events and sends the layers of the security infrastructure into a reboot or fall-back mode. These attacks are sophisticated enough to leave just enough bandwidth available for other multi-vector attacks to make their way into the network and past weakened network security layers undetected. There would be little to no trace of these additional attack vectors infiltrating the compromised network, as the initial DDoS had done its job—distracting all security resources from performing their intended functions.
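The profile described above (a burst that stays well below link capacity, lasts under 10 minutes, and coincides with a collapse in the security events that downstream devices manage to log) is something a defender can look for directly in bandwidth telemetry. The following is an added example, not code from Corero or from the report: it runs over constructed per-bin bandwidth and log-event counts (the 10-second bin size, the 10 Gbps link and the thresholds are all assumptions), separates sub-saturating bursts from outright floods, and flags the windows where logging dropped off so that other sensors can be reviewed for that period.

```python
"""Detect short, sub-saturating DDoS bursts in bandwidth telemetry.

Constructed sample data (not from any real network): per-bin inbound
bandwidth in Gbps and a parallel count of security events logged by
downstream devices in the same bin.
"""
from dataclasses import dataclass
from statistics import median

BIN_SECONDS = 10           # assumed: each telemetry sample covers 10 seconds
LINK_CAPACITY_GBPS = 10.0  # assumed link size
SHORT_BURST_SECONDS = 600  # "under 10 minutes", the duration the text cites


@dataclass
class Burst:
    start_bin: int
    end_bin: int          # inclusive
    peak_gbps: float
    saturating: bool      # peak reached link capacity

    @property
    def duration_seconds(self) -> int:
        return (self.end_bin - self.start_bin + 1) * BIN_SECONDS

    @property
    def short(self) -> bool:
        return self.duration_seconds < SHORT_BURST_SECONDS


def detect_bursts(gbps, capacity=LINK_CAPACITY_GBPS, factor=4.0):
    """Return a Burst for every run of bins whose inbound rate exceeds
    `factor` times the median (quiet-period) rate."""
    threshold = median(gbps) * factor
    bursts, start = [], None
    for i, value in enumerate(gbps):
        if value > threshold and start is None:
            start = i
        elif value <= threshold and start is not None:
            bursts.append(_make_burst(gbps, start, i - 1, capacity))
            start = None
    if start is not None:
        bursts.append(_make_burst(gbps, start, len(gbps) - 1, capacity))
    return bursts


def _make_burst(gbps, start, end, capacity):
    peak = max(gbps[start:end + 1])
    return Burst(start, end, peak, saturating=peak >= capacity)


def logging_suppressed(events, burst, quiet_bins=12, drop_ratio=0.5):
    """True if the downstream security-event count during the burst fell to
    less than `drop_ratio` of the rate seen in the `quiet_bins` before it."""
    before = events[max(0, burst.start_bin - quiet_bins):burst.start_bin]
    during = events[burst.start_bin:burst.end_bin + 1]
    if not before or not during:
        return False
    return (sum(during) / len(during)) < (sum(before) / len(before)) * drop_ratio


def build_sample():
    """Constructed telemetry: 120 bins (20 minutes). Bins 30-59 carry a
    3.5 Gbps burst (5 minutes, far below the 10 Gbps link); bins 90-95 carry
    a 12 Gbps saturating flood. Event logging collapses during both."""
    gbps, events = [0.5] * 120, [40] * 120
    for i in range(30, 60):
        gbps[i], events[i] = 3.5, 5
    for i in range(90, 96):
        gbps[i], events[i] = 12.0, 0
    return gbps, events


def triage(gbps, events):
    """One dict per burst with the fields an analyst would act on."""
    rows = []
    for b in detect_bursts(gbps):
        suppressed = logging_suppressed(events, b)
        rows.append({
            "start_bin": b.start_bin,
            "duration_seconds": b.duration_seconds,
            "peak_gbps": b.peak_gbps,
            "saturating": b.saturating,
            "short": b.short,
            "logging_suppressed": suppressed,
            # A short, sub-saturating burst that also suppressed logging is
            # the diversion profile the text describes: review other sensors
            # for this window, not just the DDoS alert itself.
            "review_window": (not b.saturating) and b.short and suppressed,
        })
    return rows


if __name__ == "__main__":
    g, e = build_sample()
    for row in triage(g, e):
        print(row)
```

The saturating flood at bins 90-95 is reported but not marked for review, because it is the kind of event that is already visible on its own; the 3.5 Gbps burst, which never approached the link limit yet cut logged events from 40 per bin to 5, is the one that gets a review window.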
There are many options to consider when determining a DDoS defense strategy to properly protect your organization from all types of DDoS attacks. When considering solutions, keep in mind the increased frequency of these short bursts of attack traffic and the impact they can have on your business. Cloud-based protection is ideal for the high-volume, link-saturating attacks that completely stifle your Internet link. However, low-volume or short-duration attacks are generally not visible to a cloud scrubbing solution. With 96 percent of DDoS attacks lasting 30 minutes or less, chasing these attacks with cloud solutions is not a viable option.
On-premises DDoS technology positioned at the very edge of the network is ideal for identifying, analyzing and defeating evolving DDoS attacks in real time, before they have the ability to impact your service availability or disable security infrastructure for data exfiltration purposes.