What is a DDoS Attack and Why Should You Worry?
A distributed denial-of-service (DDoS) attack occurs when multiple systems overwhelm the available bandwidth or other system resources of their target; as a result, an application, service or website may either crash or suffer a significantly degraded service. In an always-on world, where many organizations rely on constant Internet connectivity to conduct business online, DDoS attacks are a serious issue.
However, contrary to popular belief, DDoS doesn’t need to mean massive attacks that overwhelm huge swathes of the Internet. In fact, Corero research has consistently found that the vast majority of DDoS attacks are relatively low-volume and non-saturating; in 2018 Corero observed that 98% of the attacks attempted on our customers were less than 10Gbps, and the average attack duration continued to shorten, with 81% lasting less than 10 minutes.
DDoS Attack Size
The scale of an attack can depend on the motive behind it. Sometimes it’s a rival who wants to take down a competitor, or a cyber activist who wants to make a political statement; in these cases, the attack is likely to be a high-volume attack, i.e., one that is very noticeable and problematic. Alternatively, cybercriminals may launch lower-volume attacks simply to exhaust the resources of stateful infrastructure devices, including routers, intrusion prevention systems and firewalls, or to consume server resources; such attacks degrade the application, website or service experience for end users without necessarily taking it completely offline.
Also, low-threshold attacks can be used to distract IT security teams, render certain security devices inoperable, or even leave them wide open, so the cybercriminals can map a network for vulnerabilities, or install malware that will enable them to breach a secure database to steal money or personal data. Regardless, such small attacks (if security teams notice them at all) consume IT security staff time for troubleshooting. Thus, although a small DDoS attack may sound relatively harmless at first glance, it can be just as troublesome as a high-volume one.
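The point above, that a low-volume attack can exhaust the state tables of firewalls and other stateful devices while staying far below any bandwidth-saturation threshold, is easiest to see with a detector that measures both. The following is an added illustration, not code from the original post and not Corero's product logic; the packet fields, the one-second windows, the thresholds (1 Gbps for saturation, 500 new connections per second from at least 50 sources for state exhaustion) and the sample traffic are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One observed packet. Constructed fields; a real collector would derive
    them from NetFlow/sFlow records or a packet capture."""
    ts: float        # arrival time in seconds
    src: str         # source IP address
    syn_only: bool   # TCP SYN without ACK: asks a stateful device for a new table entry
    size: int        # bytes on the wire


def bucket_by_second(packets):
    """Group packets into one-second windows keyed by the window index."""
    buckets = defaultdict(list)
    for p in packets:
        buckets[int(p.ts)].append(p)
    return dict(sorted(buckets.items()))


def window_metrics(pkts):
    """Bandwidth, packet rate and connection-setup rate for a one-second window."""
    syn_sources = {p.src for p in pkts if p.syn_only}
    syn_count = sum(1 for p in pkts if p.syn_only)
    return {
        "mbps": sum(p.size for p in pkts) * 8 / 1e6,
        "pps": len(pkts),
        "syn_per_s": syn_count,
        "syn_sources": len(syn_sources),
    }


def classify(packets, saturation_mbps=1000.0, syn_rate_limit=500, min_sources=50):
    """Return (window, verdict, metrics) for every window that trips a threshold.
    Thresholds are illustrative assumptions, not any product's defaults; a real
    deployment baselines them against the link's and the device's normal load."""
    alerts = []
    for idx, pkts in bucket_by_second(packets).items():
        m = window_metrics(pkts)
        if m["mbps"] >= saturation_mbps:
            alerts.append((idx, "volumetric", m))
        elif m["syn_per_s"] >= syn_rate_limit and m["syn_sources"] >= min_sources:
            # Far below saturation, yet each SYN costs the firewall a state entry.
            alerts.append((idx, "state-exhaustion", m))
    return alerts


def build_sample():
    """Constructed traffic: 8 seconds of ordinary browsing (100 pkt/s, ~1 Mbps),
    with a flood of 2000 small SYN packets/s from 200 sources during seconds 5-7."""
    pkts = []
    for sec in range(8):
        for i in range(100):
            pkts.append(Packet(sec + i / 100, f"203.0.113.{i % 10 + 1}", i % 20 == 0, 1200))
        if sec >= 5:
            for i in range(2000):
                pkts.append(Packet(sec + i / 2000, f"198.51.100.{i % 200 + 1}", True, 60))
    return pkts


if __name__ == "__main__":
    for window, verdict, metrics in classify(build_sample()):
        print(f"second {window}: {verdict} at {metrics['mbps']:.2f} Mbps, "
              f"{metrics['syn_per_s']} SYN/s from {metrics['syn_sources']} sources")
```

The flood windows carry under 2 Mbps, so a bandwidth-only rule never fires; the connection-setup rate is what exposes them, which is why the text above warns that stateful devices, not the link, are the resource such attacks target.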
There are many common types of DDoS attack vectors, including TCP flooding and DNS amplification. In addition to this dominant volumetric style of DDoS, a small minority of attacks focus on the applications themselves, known as “layer 7 DDoS”. Such attacks are typically more DoS than DDoS, since the relatively low volume of packets they need to succeed can be sent from a single device, rather than requiring the army of devices that volumetric attacks typically rely upon. Once an application attack establishes an initial TCP connection, it makes repeated requests which progressively consume the available resources until they are entirely depleted, rendering the application incapable of responding to legitimate user requests. These application-level DDoS attacks require a different approach to detect and mitigate, as they appear legitimate, do not consume excessive bandwidth, and are often hidden inside HTTPS-encrypted traffic.
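Because a layer 7 attack looks like legitimate requests and uses little bandwidth, the useful signal is how many requests a client makes, and over how few connections, rather than how many bytes it moves. The detector below is an added example, not code from the original post or from Corero; it parses a constructed access-log format (real servers would need their own log format and, for HTTPS, the log must come from the terminating proxy or server), and the thresholds of 20 requests per second and 50 requests per connection are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not any real server's default):
#   <epoch-seconds> <client-ip> conn=<connection-id> "<METHOD> <path>" <status> <response-bytes>
LOG_RE = re.compile(
    r'^(?P<ts>\d+(?:\.\d+)?) (?P<src>\S+) conn=(?P<conn>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) (?P<bytes>\d+)$'
)


def parse_line(line):
    """Return a dict of fields, or None for a line that does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def source_stats(records, window_seconds):
    """Per client: request rate, requests per TCP connection, and response bandwidth."""
    acc = defaultdict(lambda: {"requests": 0, "conns": set(), "bytes": 0})
    for r in records:
        s = acc[r["src"]]
        s["requests"] += 1
        s["conns"].add(r["conn"])
        s["bytes"] += r["bytes"]
    return {
        src: {
            "req_per_s": s["requests"] / window_seconds,
            "req_per_conn": s["requests"] / len(s["conns"]),
            "mbps": s["bytes"] * 8 / window_seconds / 1e6,
        }
        for src, s in acc.items()
    }


def find_application_floods(records, window_seconds=10.0, rate_limit=20.0, per_conn_limit=50.0):
    """Flag clients that hammer the application over few connections.
    Thresholds are illustrative; tune them to the service's measured baseline."""
    return {
        src: m
        for src, m in source_stats(records, window_seconds).items()
        if m["req_per_s"] >= rate_limit and m["req_per_conn"] >= per_conn_limit
    }


def build_sample_log():
    """Constructed 10-second access log: 20 ordinary browsing clients (two connections,
    five page loads each) plus one client repeating a request 600 times over one connection."""
    lines = []
    for c in range(20):
        src = f"203.0.113.{c + 1}"
        for conn in range(2):
            for i in range(5):
                ts = (conn * 5 + i) * 1.0 + c * 0.01
                lines.append(f'{ts:.3f} {src} conn={src}:{40000 + conn} "GET /page{i}" 200 51200')
    for i in range(600):
        lines.append(f'{i / 60.0:.3f} 198.51.100.7 conn=198.51.100.7:51001 "GET /report" 200 512')
    return lines


def sample_stats():
    """Per-client statistics for the constructed log."""
    records = [r for r in map(parse_line, build_sample_log()) if r is not None]
    return source_stats(records, window_seconds=10.0)


def demo():
    """Clients flagged in the constructed log."""
    records = [r for r in map(parse_line, build_sample_log()) if r is not None]
    return find_application_floods(records)


if __name__ == "__main__":
    for src, m in demo().items():
        print(f"{src}: {m['req_per_s']:.0f} req/s, {m['req_per_conn']:.0f} req/conn, {m['mbps']:.3f} Mbps")
```

In the constructed sample the flagged client moves less bandwidth than any single ordinary browser (its responses are small), so a byte-count rule would rank it as the quietest client on the server; the request rate per connection is what singles it out.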
DDoS attacks typically result in costly downtime, lost revenue, and reputation damage for organizations that rely on the Internet to do business. For example, a Corero 2018 survey of 300 security professionals (from a range of industries including the financial services, cloud, government, online gaming, and media sectors) found that over ninety percent of organizations incur costs of up to $50,000 for every successful DDoS attack, and for many it is much higher.
What Should You Do?
First and foremost, don’t rely on your firewall for DDoS protection! DDoS attacks have reached a level of complexity that firewalls simply cannot protect against. A modern next-generation firewall is focused on which services may be used, and by whom. Attackers know this and calculatedly misuse the allowed services, compromising the firewall’s performance, its security integrity and the availability of the downstream applications it is trying to protect.
Second, talk to your upstream Internet Service Provider, or your Managed Security Service Provider, to find out if they offer DDoS protection as a service, which can remove attack traffic completely before it even reaches your Internet connections.
If your provider cannot offer real-time automatic DDoS protection, then you can deploy this at your own network edge: Corero’s on-premise SmartWall® Threat Defense System automatically stops all types of volumetric DDoS, even blended multi-vector attacks which attempt to evade legacy DDoS protection, at the network perimeter. It protects the entire network infrastructure, including edge routers and firewalls, as well as the servers hosting your critical applications and services. And, with its privileged position of seeing all perimeter traffic, SmartWall provides unparalleled visibility into the traffic entering your network.
Corero provides best-in-class, automated, real-time DDoS protection solutions for customers across the globe; to learn how we can help you protect your organization from the increasing DDoS threat, contact us.
Sean Newman is VP Product Management for Corero Network Security. Sean has worked in the security and networking industry for twenty years, with previous roles including network security Global Product Manager for Cisco, which he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.