Sub-Saturating DDoS Attacks Steal Bandwidth

DDoS attacks have been around for over 20 years, but they have evolved significantly. For example, as available bandwidth has increased, so too has the size of the largest DDoS attacks. Thanks in part to the Internet of Things (IoT), hackers are cranking up the size of DDoS attacks, by recruiting huge numbers of Internet-connected devices to form massive botnets. Recent attacks on and the OVH site (which was over 1 Tbps) are prime examples of such volumetric, botnet-driven attacks.

Size Doesn’t Always Matter

However, attackers don’t always want simply to take an entire organization offline; sometimes they have other motives for a DDoS attack, such as stealing information to resell on the dark web, or extorting money from the target. That is why there is a new breed of DDoS attack that often transits our networks unnoticed. Attackers today are more experienced and better funded, and they often take the time to research a target before launching smaller, more surgical attacks. Why? Because a small, stealthy attack is much less likely to trigger the legacy DDoS protection or countermeasures that an organization, or its Service Provider, may have deployed, and legacy DDoS solutions do a poor job of mitigating these small attacks.

In a surgical DDoS attack, the attacker takes down a specific target asset while leaving the organization’s Internet connectivity in place; the attack is sub-saturating, so it never fills the link that a bandwidth-based detector is watching. Even if an attack does trigger a legacy DDoS scrubbing solution, it is usually over before that mitigation activates, which typically takes 10-30 minutes. That leaves plenty of time to steal customer data or intellectual property, and/or to install malware or ransomware, while the security team is looking at the flood. The TalkTalk breach of late 2015 is a prime example of attackers using DDoS as a smokescreen to hide their real objective. It is therefore no surprise that Corero customer data on blocked attacks shows that over 90% are less than 1 Gbps in size and over 95% last less than 30 minutes.
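To make the timing argument concrete, here is an added example (not code from the original post, and not Corero’s technology): a Python simulation that runs two detector models over a constructed per-second traffic series. The baseline (300 Mbps, 40k pps, 5% SYNs), the 1 Gbps bandwidth threshold, the 60-second sustain window, the 10-minute activation delay, the 64-byte packet size and the attack parameters are all assumptions chosen for illustration; the only figures the post itself gives are the 10-30 minute activation time and the sub-1 Gbps, sub-30-minute attack profile. The first scenario is a 600 Mbps, 4-minute SYN flood, which a bandwidth threshold never sees at all; the second is a 2 Gbps flood of the same length, which the legacy model does see but mitigates only after the attack has ended. The inline model keys on packet rate and SYN ratio rather than on link bandwidth, so it blocks within seconds in both cases.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Sample:
    """One second of edge telemetry (constructed for this example, not real data)."""
    t: int            # seconds since start of the capture
    mbps: float       # inbound bandwidth at the peering edge
    pps: int          # inbound packets per second
    syn_ratio: float  # fraction of inbound TCP packets that are bare SYNs


def constructed_traffic(attack_mbps: float, attack_start: int = 600,
                        attack_len: int = 240, duration: int = 1800) -> List[Sample]:
    """Assumed baseline of 300 Mbps / 40k pps / 5% SYNs, with a flood of
    64-byte SYN packets carrying attack_mbps layered on for attack_len seconds."""
    base_pps, base_syn = 40_000, 0.05
    samples = []
    for t in range(duration):
        mbps, pps, syn = 300.0, base_pps, base_syn
        if attack_start <= t < attack_start + attack_len:
            atk_pps = int(attack_mbps * 1e6 / (64 * 8))   # 64-byte packets (assumption)
            pps += atk_pps
            mbps += attack_mbps
            syn = (base_pps * base_syn + atk_pps) / pps
        samples.append(Sample(t, mbps, pps, syn))
    return samples


def legacy_scrubbing(samples: List[Sample], threshold_mbps: float = 1000.0,
                     sustain_s: int = 60, activation_delay_s: int = 600) -> Optional[int]:
    """Model of an out-of-band, bandwidth-threshold detector: it alerts only after
    inbound bandwidth exceeds threshold_mbps for sustain_s consecutive seconds, and
    mitigation (diversion to a scrubbing centre) is assumed to become effective
    activation_delay_s later. Returns that second, or None if it never triggers."""
    over = 0
    for s in samples:
        over = over + 1 if s.mbps > threshold_mbps else 0
        if over >= sustain_s:
            return s.t + activation_delay_s
    return None


def inline_detector(samples: List[Sample], baseline_window: int = 300,
                    pps_multiplier: float = 5.0, syn_ratio_max: float = 0.5,
                    confirm_s: int = 3) -> Optional[int]:
    """Model of an always-on, inline detector: it learns a packet-rate baseline from
    the first baseline_window seconds, then blocks once the packet rate exceeds
    pps_multiplier times that baseline AND the SYN ratio is anomalous for confirm_s
    consecutive seconds. Returns the second at which blocking starts, or None."""
    baseline = sum(s.pps for s in samples[:baseline_window]) / baseline_window
    hits = 0
    for s in samples[baseline_window:]:
        anomalous = s.pps > pps_multiplier * baseline and s.syn_ratio > syn_ratio_max
        hits = hits + 1 if anomalous else 0
        if hits >= confirm_s:
            return s.t
    return None


def compare(attack_mbps: float, attack_start: int = 600, attack_len: int = 240) -> dict:
    """Run both detector models over one constructed scenario and summarise timing."""
    samples = constructed_traffic(attack_mbps, attack_start, attack_len)
    attack_end = attack_start + attack_len
    legacy = legacy_scrubbing(samples)
    inline = inline_detector(samples)
    return {
        "attack_mbps": attack_mbps,
        "attack_end": attack_end,
        "peak_mbps": max(s.mbps for s in samples),
        "legacy_effective_at": legacy,                       # None: never triggered
        "legacy_too_late": legacy is not None and legacy > attack_end,
        "inline_blocked_at": inline,
        "inline_exposure_s": None if inline is None else inline - attack_start,
    }


if __name__ == "__main__":
    # A sub-saturating 600 Mbps flood for 4 minutes, then a 2 Gbps one for comparison.
    for mbps in (600.0, 2000.0):
        print(compare(mbps))
```

The number to look at is legacy_too_late in the second scenario: crossing the bandwidth threshold is not enough if the activation delay exceeds the attack duration, which is exactly the window the post describes. In a real deployment the inline rule would be tuned per destination prefix and protocol rather than across the whole edge, and a baseline learned over five quiet minutes is far too short for production; the shape of the check, rate and protocol behaviour instead of raw bandwidth, is the point.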

Problems for Service Providers

Sub-saturating, surgical DDoS attacks can be a threat to any organization, and the impact on Service Providers can be even greater:

  1. Service providers have hundreds, thousands and, often, tens of thousands of downstream customers. This increases the chances that, at any point in time, unwanted DDoS traffic is traversing their network, consuming valuable resources and bandwidth.
  2. Many organizations now expect their service provider to deliver DDoS protection. In a recent Corero survey, 74% of respondents stated they would like their service provider to eliminate DDoS traffic, and 52% stated they would be willing to pay a premium for such a service.

The Solution

Modern network threat protection is always-on and real-time: it responds instantaneously, blocking both large spikes in DDoS traffic and small, smokescreen attacks. That is a huge improvement over the 10-30 minutes it typically takes for a legacy DDoS solution to be activated. Service Providers can now deploy such technology at the peering edge of their networks, to protect their own infrastructure and to stop DDoS traffic before it enters the networks of their downstream customers. With less strain on the existing network they can serve more customers, and potentially defer the cost of expanding their network infrastructure.

For more on this topic, play back the recorded webinar, “Silent Sub-Saturating Attacks; the Silent Bandwidth Thief.”

Sean Newman is VP Product Management, responsible for Corero’s product strategy. Sean brings over 25 years of experience in the security and networking industry to guide Corero’s growing leadership in the real-time DDoS protection market. Prior to joining Corero, Sean was network security Global Product Manager for Cisco, which he joined through its acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Before that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.