Small is the New Big, When it Comes to DDoS Attacks

Cybercriminals launch Distributed Denial of Service (DDoS) attacks for a variety of reasons: out of spite, for competitive advantage, for hacktivism and, increasingly, for financial gain. Historically, attacks were predominantly brute-force, using high volumes of traffic to block legitimate users from accessing a web server, service, or application. Increasingly though, as also reported by Corero’s cloud partner Neustar, and in line with the general increase in the sophistication of the cybercriminal community, they are sub-saturating, resulting in the subtle degradation of network services or overwhelming the stateful nature of networking devices, including firewalls and routers. Over recent years, Corero’s research into attacks attempted on our customers has consistently indicated that the overwhelming majority (98%) of attacks are not high-volume; they are, in fact, less than 10 Gbps in size. These sub-saturating attacks don’t make the headlines but, make no mistake about it, they can do just as much damage.

Stealth Attacks Can Be More Effective

Many organizations aren’t aware of the shift in the DDoS threat landscape and, in many ways, that is the objective of the modern cybercriminal – create and use attack methods which fly under the radar of conventional protection solutions. Organizations should be very concerned about stealthy DDoS attacks, for several reasons:

Firstly, the techniques used are not only difficult to detect using manual or legacy approaches, they are near impossible for these older solutions to mitigate without resorting to blocking all incoming traffic to the target, effectively completing the attack for the perpetrator.

Secondly, small attacks could take down a company’s firewall in a matter of seconds, either blocking the flow of legitimate traffic or, possibly worse, leaving the network wide-open to infiltration, mapping, malware, or stealing of sensitive data. Clearly, this has the potential to be much more damaging than taking a website or service offline.

Thirdly, and most importantly, this stealthier DDoS traffic is still highly effective at impacting service and application performance. Any degradation of service can affect an organization’s ability to conduct business effectively online; that’s generally unacceptable in an Internet-connected world that expects a high degree of responsiveness. Even delaying system responses by a few seconds, or creating short periods of downtime, can be costly in terms of customer loyalty, lost revenue or damaged brand reputation.

These smaller attacks should also be a particular concern for Internet Service Providers and Hosting Providers. Although they are sub-saturating and don’t steal as much bandwidth individually, the aggregate impact of the increased frequency of such DDoS traffic traversing their networks can still be costly, in terms of network infrastructure upgrades and maintenance. Their reputations are also at stake: as we’ve previously reported, many organizations are under the impression that their providers are already protecting them from such attacks.

How to Defend Against Both Stealthy and High-Volume DDoS Attacks

A small DDoS attack is intentionally stealthy, so it is more likely to evade detection by homegrown DDoS defense tools, or not to reach the thresholds required to trigger on-demand cloud-based scrubbing solutions. And, in the case of cloud-based scrubbing solutions, it takes minutes, often ten or more, to swing the traffic over to the service and activate the required mitigation, by which time the attack has already done its damage. If organizations don’t have real-time, fine-grained visibility into DDoS traffic, they could be suffering service impact and outages that they simply dismiss as other IT issues.

Organizations working to maximize their online business continuity need to guard against all kinds of DDoS, not just the large brute-force attacks. Fortunately, the latest generation of DDoS solutions can defend against both high-volume and stealthy, sub-saturating attacks, blocking them in a few seconds or less. And, on the rarer occasion that an attack does grow to the point where links are at risk of saturating, a fully integrated hybrid DDoS protection solution can deliver the optimal mix of fast and accurate always-on on-premises protection, with coordinated automatic cloud backup, to ensure that even the largest of attacks is not successful.
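The two detection gaps described above, a coarse bandwidth threshold that a sub-10 Gbps attack never trips and a stateful firewall whose connection table fills long before the link does, can be shown side by side on a small set of per-second traffic summaries. The script below is an added example written for this page; it is not Corero's code and does not describe how SmartWall works. The one-second summary format, the baseline window, the 5x new-flow multiplier, the 200,000-entry half-open table and the 30-second timeout are all assumed values, and the telemetry is constructed rather than captured. The only figure taken from the article is the 10 Gbps cut-off.

```python
"""Added example (not Corero's code): why a volumetric threshold misses a
sub-saturating attack that a finer-grained, state-aware check would catch."""
from collections import deque
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Interval:
    """One-second traffic summary toward a protected service (assumed format)."""
    second: int
    bits: int            # total bits seen during the second
    new_flows: int       # connections opened (handshakes started) in the second
    distinct_srcs: int   # distinct source addresses opening those flows


# Constructed telemetry, not captured data: ten seconds of ordinary traffic
# (~0.8-0.9 Gbps, ~1k new flows/s) followed by five seconds of a low-bandwidth
# burst of new connections from many sources (~1.1 Gbps, 45k new flows/s).
SAMPLE = [Interval(s, 800_000_000 + 50_000_000 * (s % 3), 1_000 + 40 * (s % 4), 600)
          for s in range(10)]
SAMPLE += [Interval(10 + s, 1_100_000_000, 45_000, 30_000) for s in range(5)]

VOLUME_THRESHOLD_BPS = 10_000_000_000  # 10 Gbps: the article's cut-off for 98% of attacks
BASELINE_SECONDS = 10                  # assumed learning window for "normal" flow rate
FLOW_MULTIPLIER = 5                    # assumed: new-flow rate above 5x baseline is anomalous
STATE_TABLE_SIZE = 200_000             # assumed half-open capacity of the firewall in front
HALF_OPEN_TIMEOUT = 30                 # assumed seconds an unanswered handshake stays tabled


def peak_gbps(intervals):
    """Largest one-second throughput in Gbps, to compare with the link-level threshold."""
    return max(iv.bits for iv in intervals) / 1e9


def volumetric_alerts(intervals):
    """Seconds in which bandwidth alone crosses the coarse threshold (the legacy trigger)."""
    return [iv.second for iv in intervals if iv.bits >= VOLUME_THRESHOLD_BPS]


def flow_rate_alerts(intervals):
    """Seconds in which the new-connection rate is far above the learned baseline.

    Bandwidth is ignored here; the signal is how fast state is being created."""
    base = median(iv.new_flows for iv in intervals[:BASELINE_SECONDS])
    return [iv.second for iv in intervals[BASELINE_SECONDS:]
            if iv.new_flows > FLOW_MULTIPLIER * base]


def state_table_exhaustion(intervals):
    """First second at which a stateful device's half-open table would fill, or None.

    Model: each new flow holds a slot for HALF_OPEN_TIMEOUT seconds and no handshake
    completion is credited, the worst case for the device. This is what lets a
    ~1 Gbps stream take a firewall offline while the link itself is nearly idle."""
    window = deque()   # (second, flows opened in that second) still inside the timeout
    occupied = 0
    for iv in intervals:
        while window and window[0][0] <= iv.second - HALF_OPEN_TIMEOUT:
            occupied -= window.popleft()[1]
        window.append((iv.second, iv.new_flows))
        occupied += iv.new_flows
        if occupied > STATE_TABLE_SIZE:
            return iv.second
    return None


if __name__ == "__main__":
    print(f"peak throughput      : {peak_gbps(SAMPLE):.2f} Gbps")
    print(f"volumetric alerts    : {volumetric_alerts(SAMPLE)}")
    print(f"flow-rate alerts     : {flow_rate_alerts(SAMPLE)}")
    print(f"state table fills at : second {state_table_exhaustion(SAMPLE)}")
```

On the constructed data the volumetric check never fires, because throughput peaks at about 1.1 Gbps, while the flow-rate check flags every attack second from the first one and the modelled state table fills in the fifth second of the burst. The point for a defender is the metric, not the numbers: a detector that only watches bits per second has nothing to report until the link saturates, whereas one that watches the rate of state creation against a learned baseline sees the attack while the firewall still has headroom.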

For over a decade, Corero has been providing state-of-the-art, highly effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. For more on Corero’s diverse deployment models, click here. If you’d like to learn more, please contact us.

Sean Newman is VP Product Management, responsible for Corero’s product strategy. Sean brings over 25 years of experience in the security and networking industry to guide Corero’s growing leadership in the real-time DDoS protection market. Prior to joining Corero, Sean’s roles included network security Global Product Manager for Cisco, which he joined as part of its acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.