YTD Trends Indicate Attackers Favor Multi-Vector DDoS


Corero recently compiled its semi-annual DDoS Trends Report, which analyzes attempted distributed denial of service (DDoS) attacks on our customers during the first half of 2020 and compares them with statistics from previous years. We realize that many vendors publish DDoS trends reports but, not all perspectives are the same, even if the data is trustworthy; for a greater understanding of how different vendors interpret and report DDoS attacks, read our recent blog post on survivorship bias.

Our statistics indicate that cybercriminals have continued to adjust their attack methods over the past six months, by deploying more multi-vector attacks and launching a greater number of larger (10-100s of Gbps) attacks than in the past.

More specifically, the key findings are as follows:

  • 95% of attacks were less than 5Gbps, but larger ones, in the range of 10-100s Gbps, increased by 50%
  • An increasing use of packet sizes >128 bytes corresponds with the increase in higher volume attacks
  • Observed DDoS attacks remain short, with around 84% less than 10 minutes in duration
  • Multi-vector attacks continue to grow in popularity and the number of vectors used
  • The average provider customer is attacked eight times per day, which is significant, yet remains consistent over recent years

Based on these statistics, organizations need to recognize that most DDoS attacks continue to be relatively small, but this does not mean they don’t still cause significant disruption.  In addition, there appears to now be a growing threat of larger attacks (10-100s of Gbps), with an increased the risk of link saturation. Given that the majority of attacks are small in volume, there is a need for specialist DDoS mitigation systems that are able to detect such attacks among normal traffic, and remove them with surgical precision. This has proven to be a significant challenge for legacy DDoS protection solutions, that often fall short when it comes to effectively detecting and mitigating smaller, and increasingly sophisticated, attacks.

Popular choices, such as on-demand cloud-based DDoS scrubbing fall into this category of solutions that simply cannot achieve successful mitigation of the frequent, short duration attacks that now impact organizations every day. By the time they have reacted, swung that impacted traffic out to the cloud scrubbing service, and been able to commence mitigation, the targeted network has most likely already experienced significant disruption. Time-to-mitigation is critical with today’s DDoS threat landscape; detection and mitigation must happen in seconds, not minutes.

The fact that multi-vector attacks continue to increase, in popularity and sophisticated, is a big problem for organizations relying on legacy, or manual, approaches to DDoS protection to ensure their business continuity. Security analysts simply cannot react fast enough to the rapidly changing vectors and typically lack the tools to mitigate them, without impacting, or completely blocking, legitimate traffic.

As well as reporting on the types and sizes of attacks, the other major takeaway from this report is that DDoS attacks are not occasional, or “one-off” events; once a victim is targeted, they will likely be targeted again and again, if not within 24 hours, then with a reasonable degree of certainty within the following three months.

Any organization that has Internet-facing applications, or services, should be including a modern DDoS solution in their cybersecurity defenses that delivers always-on, real-time, automated detection and mitigation. There are a number of options to choose from, depending on an organization’s budget, risk appetite, and security needs. To block DDoS attacks of any size or duration, a hybrid solution is ideal: an on-premise component to detect and block attacks rapidly and accurately, combined with a cloud scrubbing service backup, for attacks that exceed the available link capacity.

For more insight on these latest trends, download a copy of Corero’s 2020 1H DDoS Trends Report here.

For over a decade, Corero has been providing state-of-the-art, highly-effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. For more on Corero’s diverse deployment models, click here.  If you’d like to learn more, please contact us.

Sean Newman is VP Product Management, responsible for Corero’s product strategy. Sean brings over 25 years of experience in the security and networking industry, to guide Corero’s growing leadership in the real-time DDoS protection market. Prior to joining Corero, Sean’s previous roles include network security Global Product Manager for Cisco, who he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.