The greatest DDoS risk for organisations is the barrage of short, low volume attacks which mask more serious network intrusions.
Despite several headline-dominating, high-volume DDoS attacks over the past year, the vast majority (98%) of the DDoS attack attempts against Corero customers during Q1 2017 were less than 10 Gbps per second in volume. In addition, almost three quarters (71%) of the attacks mitigated by Corero lasted 10 minutes or less.
Due to their small size, these sub-saturating attacks tend to go undetected by IT security staff and many DDoS protection systems. However, they are just disruptive enough to knock a firewall or intrusion prevention system (IPS) offline so that the hackers can target, map and infiltrate a network to install malware and engage data exfiltration activity.
“Short DDoS attacks might seem harmless, in that they don’t cause extended periods of downtime. But IT teams who choose to ignore them are effectively leaving their doors wide open for malware or ransomware attacks, data theft or other more serious intrusions. Just like the mythological Trojan Horse, these attacks deceive security teams by masquerading as a harmless bystander – in this case, a flicker of internet outage – while hiding their more sinister motives,” explains Ashley Stephenson, CEO at Corero Network Security.
Sub saturating DDoS attacks
In total, Corero customers experienced an average of 124 DDoS attack attempts per month, equivalent to 4.1 attacks per day during Q1 of 2017. This is a 9 percent increase in attacks over Q4 2016.
Stephenson continues: “Rather than showing their capabilities in full view, through large, volumetric DDoS attacks that cripple a website, using short attacks allows bad actors to test for vulnerabilities within a network and monitor the success of new methods without being detected. Most cloud-based scrubbing solutions will not detect DDoS attacks of less than 10 minutes in duration, so the damage is done before the attack can even be reported.”
“As a result, the raft of sub-saturating attacks observed at the beginning of this year could represent a testing phase, as hackers experiment with new techniques before deploying them at an industrial scale.”
While low volume attacks remain the norm, Corero recorded a significant (55%) increase in large DDoS attacks of more than 10 Gbps per second, in Q1 of 2017, compared to the previous quarter. In addition, while the majority of attacks recorded lasted less than 10 minutes, the data also revealed a slight increase in attacks lasting 20 minutes or longer, with these attacks now accounting for nearly a quarter (22%) of all the attacks recorded.
Increased risks for GDPR
From May 2018, any organization that operates in Europe or has European resident data could be subject to severe penalties of up to 4 percent of global turnover if they fail to protect the data of EU residents.
Stephenson states: “With GDPR on the horizon, the risk of data theft resulting from sub-saturating DDoS attacks is extremely serious, and claiming to be ignorant of malicious activity on your network will not substitute a defence. To keep up with the growing sophistication and organization of well-equipped and well-funded threat actors, it’s essential that organizations maintain a comprehensive visibility across their networks to detect and block any potential DDoS incursions as they arise.”