DDoS attacks: slow and smart is the order of the day

DDoS attacks: evolution changes the attack vectors
Whilst the trend for distributed denial of service (DDoS) attacks has been towards larger and larger (aka volumetric) attacks in recent years, a new report just published claims to show that slow-and-low, with smart, short IP bursts, is now a lot more commonplace.

For its third annual set of research, Neustar interviewed IT professionals from around 450 companies, concluding that businesses are now seeing a more unstable and complex landscape.

Over the last year, says the report, DDoS attacks have evolved in terms of their strategy and tactics, with IT professionals seeing increased media reports of 'smokescreening' - where criminals use DDoS attacks to distract IT staff while inserting malware to breach bank accounts and customer data.

More than half of attacked companies reported theft of funds, data or intellectual property. Such cyber-attacks are intense but shorter-lived, more surgical than sustained strikes whose goal is extended downtime.

More than 47 percent of respondents said they viewed DDoS attacks as a greater threat than in 2012, whilst another 44 percent believe the problem is just as serious. In 2013, DDoS continued to cripple websites, shut down operations and cost millions of dollars in downtime, customer service and brand damage.

According to Rodney Joffe, Neustar's senior technologist, when there's a tremendous storm, most people run around the house making sure all the windows are closed and you have a flashlight ready.

"You're not worried about anything else. DDoS attacks are similar. They create an all-hands-on-deck mentality, which is understandable but sometimes dangerous," he said, adding that with DDoS attacks, the stakes are high, as if you are a criminal, why mess around with extortion when you can just go ahead and steal - and on a much greater scale?

Neustar's analysis also shows a trend towards shorter DDoS attacks, but also more attacks from 1Gbps to 5Gbps - that is, quicker, more concentrated strikes.

"While it's too soon to say for sure, this could stem from a highly damaging tactic, DDoS smokescreening," says the report, adding that smokescreening is used to distract IT staff whilst the criminals grab and clone private data to siphon off funds, intellectual property and more.

Solutions

One solution, concludes the report, is for organisations to install dedicated DDoS protection, as scrambling to find a solution in the midst of an emergency only adds to the chaos - and any intended diversion.

According to Sarb Sembhi, a director of Storm Guidance, the report tracks some interesting trends.

"If you look at large companies suffering attacks, it is clear that the DDoS methodologies being used are getting very sophisticated," he said, adding that a key aspect is that they are often relatively slow - but smart - in nature.

"With larger companies it is clear that the cyber-criminals are doing their research. They are clearly also testing their technology with smaller companies, and then using those companies' IT systems as their own assets to launch other attacks," he said.

Sembhi went on to say that his observations also suggest that larger companies are now starting to install layers of protection - as the report recommends - to remediate against a DDoS attack when it takes place.