DDoS Attacks Grow Shorter But Pack More Punch
If there was ever a riddle asking the listener to name something that has gotten bigger and shorter at the same time, distributed denial-of-service (DDoS) attacks would be an acceptable answer.
According to a new report from Arbor Networks on the third quarter of 2013, the average size of attacks now stands at 2.64 Gbps (gigabits per second) for the year, an increase of 78 percent from 2012. The number of attacks over 20 Gbps monitored by the firm has grown massively, with a 350 percent increase so far this year.
Meanwhile, the length of the vast majority of attacks (87 percent) has gone down to less than an hour.
“Shorter duration attacks are not inherently harder to detect but they can be harder to mitigate,” says Gary Sockrider, solutions architect for the Americas, Arbor Networks. “Many organizations today rely on network or cloud-based mitigation of DDoS attacks. Because they rely on rerouting attack traffic to scrubbing centers there is a small delay in mitigation while routing or domain name changes propagate.”
“Ideally you want to have mitigation capabilities on your own network that can react immediately without the need for redirection,” he continues. “I think it’s safe to say that if you have absolutely no mitigation capabilities, then shorter attacks are better. However, if your only protection has inherent delays, then shorter attacks potentially cannot be stopped.”
Barrett Lyon, founder of DDoS mitigation firm Prolexic Technologies and now CTO of Defense.net, says that shorter DDoS attacks also have the added benefit of minimizing an attacker’s exposure.
“The longer it runs the more things are obviously clogged up and the more reactive network engineers become,” he observes. “When network engineers start researching a problem like that – congestion in their network or why is this computer slow – it exposes the botnet and makes it much more vulnerable than it would be otherwise. So if it’s a short attack but big, [attackers] can kind of quickly see and size up their target. They can quickly determine…what’s the best bang-for-the-buck when it comes to attacking.”
There has been a clear trend during the past several years of increasing attack sizes, Sockrider says.
“I believe there [is] a combination of factors enabling this trend,” he says. “First, there is increased availability of simple-to-use tools for carrying out attacks with little skill or knowledge. Second, there is a growing proliferation of DDoS-for-hire services that are quite inexpensive. Third, increasingly powerful workstations and servers that get compromised also have significantly faster connections to the internet from which to generate attacks.”
The largest monitored and verified attack size during the quarter was 191 Gbps, according to the firm. Fifty-four percent of attacks this year are more than 1 Gbps, up from 33 percent in 2012. Some 37 percent so far this year are between 2 Gbps and 10 Gbps.
There has also been a general trend of attacks moving to the application layer. In fact, while volumetric attacks are still common, they are now frequently combined with application layer and state exhaustion attacks, Sockrider says.
In some cases, DDoS attacks have served as diversions meant to draw attention from other activities, such as bank fraud. For example, a report published in April by Dell SecureWorks noted how DDoS attacks were launched after fraudulent wire and ACH (automatic clearing house) transfers.
“Most people that follow DDoS trends are aware of the really high-profile attacks against government and financial institutions, but in reality the most common targets are actually business and e-commerce sites,” Sockrider says. “We’re also seeing increased attacks in the online gaming industry, where attacks are waged for competitive advantage. Additionally, some organizations are taking collateral damage because they reside in a data center and they happen to share infrastructure with a high-profile target. The bottom line is that in the current environment, every organization is a potential target.”
*This story was updated with additional commentary.