By the middle of last year, organisations across the UK had woken up to the threat of DDoS attacks that had, by November, increased in frequency by a massive 91 percent over Q1 2017 and 35 percent over Q2 figures. A report by CDNetworks in October revealed that more than half of all organisations had ended up as victims of DDoS attacks that regularly took their website, network or online apps down.
To deter cyber-criminals from launching powerful DDoS attacks, organisations began pouring in huge investments to shore up their defences against DDoS attacks. According to CDNetworks, average annual spending on DDoS mitigation in the UK rose to £24,200 last year, with 20 percent of all businesses investing more than £40,000 in the period.
Such investments also resulted in increased confidence amongst businesses in defending against business continuity threats such as DDoS attacks, but unfortunately, increased investments did little to stop the flow of such attacks. Kaspersky Lab's Global IT Security Risks Survey 2017 noted that the number of DDoS attacks on UK firms doubled since 2016, affecting 33 percent of all firms.
An analysis of DDoS attacks published by Alex Cruz Farmer, security product manager at Cloudflare, has revealed that while organisations in the UK have certainly upped their spending on DDoS mitigation, cyber-criminals are now responding by switching to Layer 7 based DDoS attacks which impact applications and the end-user while ignoring traditional Layer 3 and 4 attacks whose effectiveness is no longer guaranteed. This has ensured the unabated continuance of DDoS attacks on enterprises.
"The key difference to these (Layer 7) attacks is they are no longer focused on using huge payloads (volumetric attacks), but based on Requests per Second to exhaust server resources (CPU, Disk and Memory)," he said, adding that by their very nature, Layer 7 based DDoS attacks, such as credential stuffing and content scraping, do not last too long and do not flood networks with hundreds of gigabytes of junk network traffic per second like traditional DDoS attacks.
Farmer added that Layer 7 based DDoS attacks have become so popular among hackers that Cloudflare detected around 160 attacks occurring each day, with some days spiking up to over 1000 attacks. For example, hackers are frequently carrying out enumeration attacks by identifying expensive operations in apps and hammering at them with bots to tie up resources and slow down or crash such apps. For instance, a database platform was targeted with over 100,000,000 bad requests in just 6 hours!
Indeed, the first signs of short duration yet persistent DDoS attacks were observed in May last year. Imperva Incapsula's Global DDoS Threat Landscape Report, which analysed more than 17,000 network and application layer DDoS attacks, concluded that 80 percent of DDoS attacks lasted less than an hour, occurred in bursts, and three-quarters of targets suffered repeat assaults, in which 19 percent were attacked 10 times or more.
"These attacks are a sign of the times; launching a DDoS assault has become as simple as downloading an attack script or paying a few dollars for a DDoS-for-hire service. Using these, non-professionals can take a website offline over a personal grievance or just as an act of cyber-vandalism in what is essentially a form of internet trolling," said Igal Zeifman, Incapsula security evangelist at Imperva to SC Media UK.
Sean Newman, director of Corero Network Security told SC Media UK that reports of increasing application layer DDoS attacks are only to be expected, as attackers continue to look for alternate vectors to meet their objectives.
"A perception that volumetric DDoS attacks are on the decline, is understandable, especially if that is your only lens on the problem. However, when your view is based on having deployed the latest generation of always-on, real-time, DDoS protection, you will find a rather different story.
"“With this lens on the problem, you will find that there is a significantly increasing trend for smaller, more calculated, volumetric DDoS attacks. In fact, Corero customers saw in increase in volumetric attacks of 50 percent compared to a year ago, with over 90 percent of those attacks being less than 5Gbps in size and over 70 percent lasting less than 10 minutes in duration," he added.
According to Joseph Carson, chief security scientist at Thycotic, organisations are adopting various mitigation techniques to defend against targeted and repeated DDoS attacks, but many a times, such technologies also consume a lot of bandwidth and system memory and thereby interfere with smooth functioning of databases and apps.
"A Target DDoS attack is something that is very challenging to mitigate against though luckily they are periodic meaning as they occur for a short amount of time usually from days to a few weeks. Techniques that are commonly used today are mitigation techniques using Access Control Lists, Rate Limiting and filtering source IP Addresses, though each of these are resource intensive and can prevent legitimate users from getting access to your services.
"A few important lessons can be learned from Estonia's DDoS experience back in 2007, be very careful as to what mitigation techniques you use as some companies' responses can be more costly than the DDoS attack itself so always respond to each attack with the appropriate mitigation response.
"Though the best way to really defend and protect against future DDoS attacks is to think in terms of geographic distribution and not have any centrally dependent location of service. Estonia learned this in 2007 and has now distributed itself beyond its own country's borders using Data Embassies," he added.
Weds 21st Nov, 3pm
A practical risk-based approach to implementing GDPR and building a security-aware culture in your organisation.
Brought to you in partnership with Metacompliance
Mon 19th Nov
Brought to you in partnership with Mimecast