Repeat attacks hit two thirds of DDoS victims

News by Steve Gold

DDoS attacks evolving steadily - low volume specialised attacks now commonplace says research report

Empirical research just published suggests that, whilst overall DDoS attack volumes are increasing steadily, new attack vectors are also constantly being used by cybercriminals.

The analysis - entitled `NSFOCUS DDoS Threat Report 2013' - is based on more than 244,000 real-life distributed denial of service attacks observed at Tier 1 or Tier 2 ISPs by the research firm during the year.

Researchers found that 79.8 percent of all attacks were 50 Mbps or less. In addition, although large size attacks get the most media attention, only 0.63 percent of all attack incidents were logged at 4 Gbps or more.

Perhaps most interestingly of all is that more than 90 percent of the observed attacks lasted 30 minutes or less - and that 63.6 per cent of all targeted victims are attacked more than once. This figure is in line with earlier figures from Neustar whose second annual report, entitled `DDoS Attacks & Impact Report - 2014: The Danger Deepens' - suggested  that once attacked, there is an estimated 69 percent chance of a repeat attack.

Delving into the report reveals that HTTP_FLOOD, TCP_FLOOD and DNS_FLOOD are the top three attack types - contributing to more than 87 percent of all attacks.

DNS_FLOOD attacks, however, significantly increased from 13.1 percent during the first half of the 2013 to 50.1 percent in the second half.

So why the short duration attacks?

The report suggests that, after analysing almost a quarter million DDoS incidents, a clear trend emerges, namely that that majority of DDoS attacks seen were short in duration, small in total attack size, and frequently repeating against the same target.

"These short and frequently repeating attacks often serve two purposes: First, to scout their victims' defence capabilities before more tailored assaults are launched, and second, to act as smokescreens or decoys for other exploitation," says the report.

The analysis adds that that many companies are using a combination of traditional counter-measures like scripts, tools and access control lists (ACLs) to handle network layer attacks - as well as on-premise DDoS mitigation systems for more prompt and effective mitigation against hybrid attacks (defined as a combination of network-layer and application-layer attacks).

The most interesting takeout from the report, notes, is that the `old guard' attack vectors - including the use of SNMP - remain an evolving constant.

According to Sean Power, security operations manager with DOSarrest, amplification attacks - such as SNMP - are not really that new.

"Legitimate SNMP traffic has no need to leave your network and should be prevented from doing so. This attack exists because many organisations fail to prevent this," he explained.

Power went on to say that the effectiveness of the attack stems from the fact that any Web site can be targeted and requires very little effort to produce excessive traffic, since it relies on third party unsecured networks to do most of the heavy lifting for the attack.

"Blocking these attacks is best done via your edge devices as far removed from the targets as possible," he said, adding that if the attack is large enough that it is overwhelming your edge devices, then you need to look at cloud-based technology for cleaning the traffic.

Also commenting on the report, Tom Cross, director of security research for Lancope, said that many people who launch attacks on the Internet do so using toolkits that make the process of launching attacks as easy as installing a software application and running it.

"DDoS attacks have become increasingly popular, there are many ways to launch them and lots of different tools circulating that launch attacks in different ways. As a consequence, anyone providing service on the Internet should be prepared for volumetric traffic floods involving any kind of Internet traffic," he explained.

Cross says that it is also important that people do not allow their networks to serve as reflectors that attackers can use to amplify their denial of service attacks.

"To that end, DNS, SNMP, NTP, and Voice over IP services in particular should be checked to make sure that they cannot be used by an anonymous third party as a reflector. Locking down these services is part of being a good citizen of the Internet," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews