Attackers increasingly embrace small-scale DDoS attacks to evade detection
The growth in both large- and small-scale DDoS attacks continues its upward trajectory, according to a report released by Neustar.
The report reveals that the total number of DDoS attacks was up 241% in the third quarter of 2019, compared to the same period last year. The report also confirmed the continued increase in small-scale attacks and the use of multiple threat vectors, as new vectors continue to expand the attack surface that organizations must defend.
There has been a steady growth in the number of threats year over year, especially in attacks sized 5 gigabits per second and under. In Q3 2019, the number of those small threats was 303% higher than in the same period last year.
Small attacks, including growing numbers of application-layer incursions, accounted for 81% of total attacks in Q3 2019, up from 75% in the previous quarter and up from 69% a year ago.
Degrading performance with small-scale DDoS attacks
The increase in small-scale attacks has led to a decrease in the average attack size, from 10.5 gigabits per second (Gbps) in Q3 2018 to 7.6 Gbps in Q3 2019.
Average intensity is also down, to 7.6 million packets per second (Mpps) in Q3 2019, compared to 10.5 Mpps in Q3 2018. However, this quarter’s most intense attack, at 343 Mpps, was 24% higher than the most intense attack seen in the same period last year.
While the number of large-scale attacks continues to grow (attacks of 100 Gbps and above were up nearly 200% in Q3 2019, year over year, with the largest being 273 Gbps) smaller and more targeted attacks are growing at a faster rate.
These smaller strikes, which often hide application-layer attacks, are easier to mount and, importantly, often evade immediate detection, allowing them to continue for several days and cause increasing damage.
Only around a quarter of senior-level cybersecurity decision-makers indicated that they were “very likely” to notice these small attacks, meaning that many incursions may succeed in degrading the performance of specific services and negatively affecting the user experience.
Online gaming platforms, for example, are particularly sensitive and see frequent DDoS assaults, but latency can be costly for almost any type of business. A DDoS mitigation service that is “always on” within the flow of traffic is the only way to ensure that these incursions are detected and blocked.
Multiplying threat vectors
In Q3 2019, more than 86% of all attacks mitigated used two or more threat vectors, including 8% featuring five or more vectors.
In addition to new application-layer threats, new volumetric and protocol/state exhaustion vectors, such as DDoS reflection/amplification attacks, are emerging.
Vectors that feature an amplification factor enable a small request to deliver a large payload. In reflection/amplification attacks, attackers spoof their IP address to make it appear as if the original request came from the target, so the response is directed to the target rather than the attacker.
Emerging threats in this category include attacks on Apple Remote Management services, Web Services Dynamic Discovery, the Ubiquiti Discovery Protocol, the Constrained Application Protocol and HTML5 hyperlink auditing ping redirection.
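A detection-side view of the reflection pattern described above, as an added example that is not from the Neustar report or this article: it flags UDP responses from reflector service ports that reach a protected host with no matching outbound request. The protected prefix, thresholds and flow-record layout are assumptions, and the sample flows are constructed.

```python
import ipaddress
from collections import defaultdict

# UDP ports commonly used by four reflection vectors the article names.
REFLECTOR_PORTS = {3283: "Apple Remote Management", 3702: "WS-Discovery",
                   5683: "CoAP", 10001: "Ubiquiti Discovery"}
LOCAL_NET = ipaddress.ip_network("203.0.113.0/24")  # assumed protected prefix
MIN_REFLECTORS = 3   # assumed alert threshold: distinct senders per target
REQUEST_TTL = 5.0    # assumed seconds an outbound request stays "pending"

def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET

def find_reflection(flows):
    """flows: time-ordered UDP records (ts, src, sport, dst, dport, nbytes)."""
    pending = {}  # (local ip, local port, remote ip, remote port) -> request ts
    stats = defaultdict(lambda: {"senders": set(), "bytes": 0, "first": None})
    for ts, src, sport, dst, dport, nbytes in flows:
        if is_local(src) and dport in REFLECTOR_PORTS:
            pending[(src, sport, dst, dport)] = ts  # a request we really sent
            continue
        if not (is_local(dst) and sport in REFLECTOR_PORTS):
            continue
        asked = pending.get((dst, dport, src, sport))
        if asked is not None and ts - asked <= REQUEST_TTL:
            continue  # solicited reply, not reflection
        s = stats[(dst, REFLECTOR_PORTS[sport])]
        s["senders"].add(src)
        s["bytes"] += nbytes
        s["first"] = ts if s["first"] is None else s["first"]
        s["last"] = ts
    alerts = []
    for (target, vector), s in sorted(stats.items()):
        if len(s["senders"]) >= MIN_REFLECTORS:
            span = max(s["last"] - s["first"], 1.0)  # avoid divide-by-zero
            alerts.append({"target": target, "vector": vector, "bytes": s["bytes"],
                           "senders": len(s["senders"]), "bps": s["bytes"] * 8 / span})
    return alerts

# Constructed sample flows (documentation address ranges), not real traffic.
SAMPLE_FLOWS = [
    (0.0, "203.0.113.10", 40000, "198.51.100.7", 5683, 60),    # our CoAP request
    (0.1, "198.51.100.7", 5683, "203.0.113.10", 40000, 300),   # its reply
    (1.0, "192.0.2.11", 3702, "203.0.113.20", 80, 1400),
    (1.2, "192.0.2.12", 3702, "203.0.113.20", 80, 1400),
    (1.5, "192.0.2.13", 3702, "203.0.113.20", 80, 1400),
    (3.0, "192.0.2.11", 3702, "203.0.113.20", 80, 1400),
    (3.5, "192.0.2.99", 3283, "203.0.113.20", 80, 1000),       # lone sender
]
print(find_reflection(SAMPLE_FLOWS))
```

Because the check keys on unsolicited responses rather than on volume, it applies to attacks of 5 Gbps and under as well as to large ones.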
DDoS attacks of all sizes and types are increasing. This quarter, for the first time, the number of NISC survey respondents who indicated that they had ever been on the receiving end of a DDoS attack was greater than the number who said they had not.
The percentage admitting to an attack jumped to 59% in this quarter’s survey, compared to an average of 46% over the past 14 months of survey data.
“This is not a time to be complacent. Q4 through the beginning of Q1 is traditionally the time when DDoS attacks hit the hardest,” said Rodney Joffe, senior vice president, senior technologist and fellow at Neustar.
“There are nearly 20 billion IoT devices in use across the world right now, and many of them still use the same generic, factory-issued security features they were built with. It no longer takes an experienced, savvy cybercriminal to orchestrate a DDoS attack — a novice hacker can now rent a cloud-based botnet for about $25 an hour.”
“Furthermore, we’re seeing continued growth of smaller, more targeted attacks capable of evading defenses and targeting a vulnerable piece of infrastructure or just degrading performance.
“Even small-scale incursions can destroy customer confidence and create a poor user experience, so businesses that do not have an ‘always on’ DDoS mitigation service already should consider engaging one,” added Joffe.