What’s Been Shaping the DDoS Threat Landscape Lately?


What’s happening to the Distributed Denial of Service (DDoS) landscape today, compared to previous years? For one thing, there does seem to be greater awareness of the persistent and growing problem of DDoS attacks. The conflict between Russia and Ukraine has thrust cyberwarfare into the limelight, with much news about DDoS attacks on both sides, and that coverage naturally raises awareness. However, some organizations do not understand that awareness and a DDoS incident plan are not sufficient to protect their business in the event of an attack. A plan without actual defensive protection in place is just a plan to triage and clean up the post-attack mess. Without effective DDoS protection that can detect and mitigate attack traffic, the moment an attack starts the only people who actually have control are the attackers. It’s sort of like closing the barn door after the horses have escaped. 

Another common error organizations make is building their DDoS incident plans around a high-volume, bandwidth-crippling attack: the kind that takes a website, service, or key business application offline. However, our threat intelligence analysts see that the majority of attacks are small-bandwidth, sub-saturating attacks that are able to escape detection and/or mitigation, whether by human security analysts or by legacy mitigation systems. In fact, in our latest DDoS Threat Intelligence Report, Corero researchers observed that 82% of attacks last less than 10 minutes, a trend that has been consistent for the past several years.   

Short Attacks Can Disable Firewalls and Intrusion Prevention Systems 

We’ve observed that the greatest DDoS risk to organizations is a barrage of short-duration, low-volume attacks. Cybercriminals are known to use these shorter attacks to experiment and test for weaknesses within a network, looking for opportunities for further follow-up. Furthermore, even sub-saturating volumetric attacks degrade service availability, which can interfere with business continuity. While shorter, sub-saturating DDoS attacks don’t grab headlines like larger ones, they can be damaging enough to disable a firewall or intrusion prevention system (IPS), either stopping all traffic completely or potentially opening up a network for other nefarious activity. The reason is that these devices are stateful: a modest flood of new connections, fragments or malformed packets can exhaust their session tables or CPU long before the upstream link is full, so the device fails (closed or open) while bandwidth graphs still look normal. Worryingly, such attacks often go unnoticed by security teams, and even when they are spotted, the damage is already done. 

Options for DDoS Protection 

On a positive note, the fact that most attacks are sub-saturating means that they can be defended effectively with an on-premises DDoS protection solution. High-performance mitigation appliances can detect and stop such attacks automatically, in seconds, so that organizations don’t have to first notice an attack themselves and then rely on an on-demand cloud-scrubbing service that takes minutes, or tens of minutes, to begin mitigating DDoS traffic. By the time the traffic has been swung to the scrubbing center, a sub-10-minute attack is usually over. It also costs time and money each time cloud protection is engaged; the less often you have to swing traffic out to a cloud scrubbing service, the more you save. That said, some organizations do need a hybrid combination of on-premises protection and a cloud scrubbing service, because they are less tolerant of the risk of a high-volume, saturating attack. 
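The two points above (short, sub-saturating attacks slipping past legacy detection, and mitigation that engages in seconds versus minutes) are easy to see with a toy model. The following is an added example written for this page, not Corero's code or any real detector: it feeds a constructed 30-minute series of per-second link-rate samples, with a 5-minute burst that peaks at 60% of a 1 Gbit/s link, to an average-rate detector using either a 10-minute window (typical of legacy, flow-export-driven monitoring) or a 5-second window, and then counts how many seconds of attack traffic reach the target for an assumed 3-second on-premises mitigation delay versus an assumed 15-minute cloud swing. All rates, thresholds and delays are assumptions chosen for illustration.

```python
"""Toy model: detection window size and mitigation delay vs. a short attack.

Added example for this page; not Corero's code. All traffic figures, the
alert threshold and the mitigation delays are constructed assumptions.
"""
from typing import Dict, List, Optional

LINK_MBPS = 1000.0                 # assumed 1 Gbit/s inbound link
BASELINE_MBPS = 200.0              # assumed normal inbound rate
THRESHOLD_MBPS = 0.5 * LINK_MBPS   # assumed alert when a window averages > 50% of capacity
ONPREM_DELAY_S = 3                 # assumed: appliance blocks within seconds of alerting
CLOUD_SWING_DELAY_S = 900          # assumed: 15 minutes to divert traffic to a scrubbing center


def constructed_traffic(attack_start: int = 120, attack_len: int = 300,
                        attack_mbps: float = 400.0, total: int = 1800) -> List[float]:
    """One inbound sample (Mbit/s) per second: flat baseline plus a flat burst.

    Defaults give a 5-minute burst peaking at 600 Mbit/s, i.e. sub-saturating
    on a 1 Gbit/s link. Constructed data, not a real capture.
    """
    return [
        BASELINE_MBPS + (attack_mbps if attack_start <= t < attack_start + attack_len else 0.0)
        for t in range(total)
    ]


def first_alert(samples: List[float], window: int,
                threshold: float = THRESHOLD_MBPS) -> Optional[int]:
    """Average-rate detector over fixed, non-overlapping windows of `window` seconds.

    Returns the time (end of the offending window, in seconds) at which the
    first alert fires, or None if no window ever averages above `threshold`.
    A long window dilutes a short burst with the quiet seconds around it.
    """
    for start in range(0, len(samples), window):
        chunk = samples[start:start + window]
        if sum(chunk) / len(chunk) > threshold:
            return start + len(chunk)
    return None


def unmitigated_seconds(attack_start: int, attack_len: int,
                        alert_time: Optional[int], mitigation_delay: int) -> int:
    """Seconds of attack traffic that reach the target before mitigation engages.

    If nothing alerts, the whole attack gets through; otherwise mitigation
    starts `mitigation_delay` seconds after the alert, capped at the attack length.
    """
    if alert_time is None:
        return attack_len
    return min(attack_len, max(0, alert_time + mitigation_delay - attack_start))


def scenario_report(attack_start: int = 120, attack_len: int = 300) -> Dict[str, int]:
    """Compare a 10-minute-window detector with a 5-second-window one."""
    samples = constructed_traffic(attack_start, attack_len)
    coarse_alert = first_alert(samples, window=600)   # legacy-style aggregation
    fine_alert = first_alert(samples, window=5)       # appliance-style aggregation
    return {
        "coarse_alerted": coarse_alert is not None,
        "fine_alert_time": fine_alert if fine_alert is not None else -1,
        "coarse_unmitigated": unmitigated_seconds(attack_start, attack_len, coarse_alert, ONPREM_DELAY_S),
        "fine_onprem_unmitigated": unmitigated_seconds(attack_start, attack_len, fine_alert, ONPREM_DELAY_S),
        "fine_cloud_unmitigated": unmitigated_seconds(attack_start, attack_len, fine_alert, CLOUD_SWING_DELAY_S),
    }


if __name__ == "__main__":
    for key, value in scenario_report().items():
        print(f"{key:>24}: {value}")
```

With the defaults, the 10-minute window averages the burst down to 400 Mbit/s and never alerts, so all 300 seconds of attack get through; the 5-second window alerts at t=125 s, after which an on-premises block lets only 8 seconds through, while a 15-minute cloud swing would engage long after the attack has ended. Tightening the coarse detector's threshold does not fix this: it trades missed bursts for false alerts on ordinary traffic peaks, which is why window size, not just threshold, is the lever that matters for sub-10-minute attacks.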

Significant Chance of Repeat Attacks 

Even if an organization is only hit by short, sub-saturating attacks, it cannot rest assured that the attackers will relent. Another finding in our latest Threat Report is that once an organization is attacked there is a 29% probability that it will be attacked again within 7 days. No organization wants one attack, never mind weekly or monthly barrages that chip away at IT resources and interfere with business continuity.  

A Worrying Increase in New Attack Vectors 

Our report also notes a net increase in the number of unique DDoS attack vectors seen in the wild and in the level of year-over-year DDoS activity. Stay tuned for our next blog post, where we will discuss new DDoS attack vectors in greater detail.  

More info is available here in the Corero DDoS Threat Intelligence Report 

For over a decade, Corero has been providing state-of-the-art, highly-effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. For more on Corero’s diverse deployment models, click here. If you’d like to learn more, please contact us.