Distributed denial of service (DDoS) attacks make headlines when they are 1) large enough to cripple a website and 2) the affected website belongs to a recognizable organization. For example, we’ve seen news stories about attacks on websites with many users (such as PlayStation, a gaming website) or websites that serve a critical function (such as the South African State Broadcasting Corporation). However, most DDoS attacks are not large, volumetric attacks, and DDoS hackers target all kinds of organizations, not only big, household name companies or government agencies. No website or online application is immune to DDoS, and any size DDoS attack is cause for alarm. You see, DDoS is not just a web availability issue; it’s a security issue.
Corero research has shown that the vast majority (93%) of DDoS attacks are under 1 Gbps, and 96% last less than 30 minutes. That’s certainly not enough to cripple a website. So why would hackers launch such attacks, and why should companies care, as long as their network remains up and running?
DDoS Can Mask Security Breaches
Cyber criminals launch low-threshold DDoS attacks— also known as “Dark DDoS”—because they are a cheap and easy way to infiltrate and map a network. Because the attacks are so short – typically less than five minutes in duration – they are usually not detected by security teams or traditional DDoS scrubbing solutions. Because these attacks typically require very little bandwidth to execute, they are nearly impossible to detect without an advanced in-line DDoS protection solution that has granular detection capabilities.
In cases where the IT security staff do notice a DDoS attack in progress, the attack often serves as a decoy to distract security staff while hackers stealthily find pathways and test for vulnerabilities within a network. Hackers may install malware to ex-filtrate sensitive data such as email addresses or credit card numbers or corporate intellectual property. In addition, hackers may “own” or “enslave” the network so it can later be exploited as a bot in a botnet “zombie” army.
DDoS is Often a Precursor to Ransom
Another cause for concern is that DDoS are usually used as a precursor to ransom attacks. Once the hackers find your network’s vulnerabilities, they can either install ransomware, or they can threaten to launch a truly crippling, large volume attack. Either way, the cyber criminals will demand that you cough up some bitcoin to avoid or stop the ransom attack.
Partial-Link Saturation Leads to Performance Degradation
Sub-saturating DDoS attacks cause network congestion and service degradation. This is especially important in a Carrier (Internet Service Provider or Hosting Provider) environment because 1) even small attacks can saturate a customer downstream, and we all know that in an always-on world, network reliability is crucial for subscribers, 2) DDoS traffic is costly to transit across the network, and 3) downtime impacts Service Level Agreements (SLAs). In the highly competitive Carrier arena, SLAs often promise optimum network reliability; the only way to guarantee that is by using an always-on, in-line DDoS mitigation appliance.
Solutions for Effective DDoS Mitigation
The fact is that legacy DDoS mitigation solutions, such as scrubbing, completely overlook the small, low-threshold attacks. Just because a DDoS attack is small doesn’t mean it isn’t a huge problem. It takes hackers only a few minutes to map a network, steal date, install malware, or discover your network vulnerabilities; by the time security staff notice a low-threshold attack in progress and divert traffic to be cleaned at an out-of-band scrubbing center, the damage has likely already been done.
To learn more about Corero, contact us today!