The Dangers of Short-Duration, Sub-Saturating DDoS Attacks

Short-duration, sub-saturating DDoS attacks are particularly dangerous to your network, and these attacks are common. According to Corero research:

  • 93% of DDoS attacks experienced by Corero customers are less than 1Gbps in size;
  • 96% of these attacks lasted an average of 30 minutes or less.

Industry analysts also agree: DDoS attacks are common, and most of them are small in size. During a recent webinar on Service Provider Deployment of DDoS Mitigation, Jeff Wilson, Senior Research Director of Cybersecurity Technology at IHS, commented that “There is a low hum that is the day-to-day DDoS problem that everybody deals with.”

Many organizations aren’t even aware that their sites are being attacked, because the attacks can be perceived as only annoying “noise” in the IT background; the attacks are not large enough to get the attention of IT security staff. That doesn’t mean they should be ignored, however. Unseen, low-level DDoS attacks cause two problems:

  1. This type of DDoS attack drags down a network’s speed, and in a carrier network it can be supersaturating to a small customer downstream;
  2. More importantly, low-level DDoS attacks often serve as a smokescreen for a more damaging attack.

Dark DDoS Attacks

Low-level attacks are usually not intended to deny service, but rather to distract security personnel and their logging tools. We call this kind of attack “Dark DDoS” because it acts as a smokescreen to distract IT teams from the real breach that’s taking place, which could involve data being exfiltrated, networks being mapped for vulnerabilities, or a whole host of other potential risks due to hackers’ actions.

The problem of Dark DDoS is only going to worsen as DDoS attacks become increasingly automated. Corero’s Security Operations Center is already seeing a significant rise in automated DDoS tools being deployed. These tools allow attackers to leverage one attack technique, such as a DNS flood, and if it is unsuccessful, automatically enact a second technique, such as a UDP flood. They continue to leverage different attack techniques automatically until their target’s environment is successfully compromised. These attack tools know when they’re successful and they react in real time. No human intervention can compete with this; a manual, reactive approach simply isn’t fast enough.

Protect Yourself from DDoS Attacks

As hackers look for new ways to leverage DDoS attacks, they have realized that short-duration, sub-saturating attacks are more difficult to defeat, because they evade traditional cloud-based scrubbing centers. It stands to reason that if an attack is not seen, then it’s not cleaned up. Even if a scrubbing center solution is activated, usually 30 minutes after the attack has been initiated, the damage has already been done. The best way to defend against these low-level, sub-saturating attacks is to use a real-time, inline DDoS mitigation solution that automatically and immediately detects and blocks such attacks.

To learn more, read this Info Security Magazine article on “Dark DDoS – a growing cyber security threat for 2016.”