Why Multi-Vector DDoS Attacks are Evading Detection
There are many types of distributed denial of service (DDoS) attacks, and each year they become more sophisticated and persistent. In recent years bad actors have increasingly been launching multi-vector attacks, in which they combine different techniques to target a server, service or network. In 2019 Corero reported multi-vector attacks increase 13% year over year, against our customers. That’s an important data point for organizations that are debating which form of DDoS mitigation solution to implement, because not all solutions are capable of detecting and blocking multi-vector attacks and certainly not fast, or accurate, enough to prevent any impact.
Multi-vector attacks often exhibit more variability in rate as different vectors join and leave. For example, an attacker may start with NTP, then switch to a DNS reflection attack, then switch to a SYN Flood, for good measure. Sometimes they layer different vector types and sometimes they just vary the attack vector itself in an attempt to evade detection. Multi-vector attack rates are often additive in terms of bandwidth and packet rate. The total attack rate will be the sum of vector1 + vector2 + vector3, etc. The aggregate amplitude often varies up to 10X during the attack, as vectors surge and fade. The most common contributors to multi-vector attacks continue to be volumetric UDP amplification vectors including DNS, CLDAP, NTP, Chargen, and SSDP. Attackers also like to mix resource exhausting TCP SYN floods, from spoofed sources, to make tracking and mitigation more challenging. These vectors and other variants may be added or removed multiple times during a typical 10-minute attack period.
By dynamically and automatically changing parameters and vectors in response to the cyber-defenses they encounter, cybercriminals make it much more difficult to mitigate, or even detect their attacks, in the first place. Such attacks present a significant challenge for manual and legacy detect-and-redirect solutions. And, with the mitigation capacity limitations of detect-and-redirect solutions, it’s difficult for security analysts to make the correct decision about which mitigation method to use (e.g., redirect and scrub vs. blackhole all the traffic to the target) based on the current attack rate, because that can vary on a minute-by-minute basis. Trying to manually balance the security defenses in response to these dynamic attacks is virtually impossible given their automated nature.
The only way to effectively combat multi-vector attacks, is with an automatic DDoS solution that accurately recognizes each and every vector and responds in real-time, with the appropriate mitigation, without impacting any of the legitimate traffic. Such solutions can prevent any impact from DDoS attacks and significantly reduce the need for specialist security analysts, giving those IT security staff more time to defend against other cyber threats.
For over a decade, Corero has been providing state-of-the-art, highly-effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. For more on Corero’s diverse deployment models, click here. If you’d like to learn more, please contact us.
Sean Newman is VP Product Management, responsible for Corero’s product strategy. Sean brings over 25 years of experience in the security and networking industry, to guide Corero’s growing leadership in the real-time DDoS protection market. Prior to joining Corero, Sean’s previous roles include network security Global Product Manager for Cisco, who he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.