DDoS attacks 'more frequent and sophisticated in nature'

Corero Network Security has released the findings of its inaugural Quarterly DDoS Trends and Analysis Report. Through the analysis of customer data from the fourth quarter of 2014, Corero found that attackers are evolving their use of DDoS attacks to circumvent companies’ cybersecurity solutions, disrupt service availability and infiltrate victim networks.

  • Tuesday, 24th March 2015, by Phil Alsop

Corero’s Quarterly DDoS Trends and Analysis Report is based on data from the company’s hosting, datacenter, Internet service provider and online enterprise customers around the world, and analysis from its state-of-the-art Security Operations Center. The company’s observations from this data include:


Shorter Duration and Partial Saturation Attacks Increasing in Frequency
DDoS was once an accurate name for these attacks: they denied access to websites or Web-based services outright. That is still true in some cases, but organizations are now also being hit with a different kind of DDoS traffic. Corero's customer data points to two trends: short bursts of attack traffic rather than prolonged events, and partial link saturation rather than the complete flooding of the network that the term Denial of Service historically implies.
Approximately 96 percent of the DDoS attacks against Corero's SmartWall Threat Defense System (TDS) customers lasted 30 minutes or less, and those customers saw an average of 3.9 attack attempts per day. For organizations that rely on out-of-band defenses or anti-DDoS scrubbing lanes that re-route traffic only after an attack has been identified, the swing to a cloud-based mitigation service can take up to an hour. Against a 30-minute attack that means mitigation can arrive after the attack has already ended: even leading cloud-based DDoS defense tools could miss the attack entirely, and the organization would suffer the outage those tools are meant to prevent.


Additionally, 79 percent of the DDoS attack attempts against Corero's customers between October 1 and December 31, 2014 peaked at less than 5 Gbps. According to Corero, attacks of this size are intended to partially saturate the Internet link and distract the security team while leaving enough bandwidth for a follow-on attack to infiltrate the victim's network and reach sensitive customer data or intellectual property. A practical consequence is that a burst which never fills the link will not trip an alarm tuned to detect link saturation; detection has to key on deviation from the normal traffic profile instead.
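The following is an added illustration, not code from Corero or its report: a small model of the two trends above. It runs a constructed per-second utilisation series (a roughly 1 Gbps baseline with a 20-second burst that peaks near 4.5 Gbps on an assumed 10 GbE link) through two detectors, a static "80 percent of link" saturation alarm and a baseline-deviation alarm, and then counts how much of the burst reaches the victim when mitigation engages immediately versus after a one-hour swing to out-of-band scrubbing. The link capacity, thresholds and traffic numbers are assumptions chosen to match the figures in the text, not measurements.

```python
"""Added example (not from the Corero report): why a short, sub-saturating
DDoS burst slips past a static link-saturation alarm and a slow out-of-band
swing, while a baseline-deviation detector catches it within seconds.
Every traffic sample below is constructed, not captured."""

from statistics import mean, pstdev

LINK_CAPACITY_GBPS = 10.0  # assumption: a 10 GbE uplink

# Constructed per-second utilisation (Gbps): ~1 Gbps baseline with jitter,
# then a 20-second burst peaking at 4.5 Gbps, i.e. under the 5 Gbps figure
# the report gives for 79% of attacks and nowhere near saturating the link.
BASELINE = [1.0, 1.1, 0.9, 1.2, 1.0, 1.1, 1.0, 0.9, 1.1, 1.0,
            1.2, 1.0, 0.9, 1.1, 1.0, 1.0, 1.1, 0.9, 1.0, 1.1,
            1.0, 1.2, 1.0, 0.9, 1.1, 1.0, 1.0, 1.1, 0.9, 1.0]
BURST = [3.8, 4.2, 4.5, 4.4, 4.5, 4.3, 4.4, 4.5, 4.2, 4.4,
         4.5, 4.3, 4.4, 4.5, 4.2, 4.1, 4.4, 4.5, 4.3, 4.0]
SAMPLES = BASELINE + BURST + BASELINE[:10]
BURST_START = len(BASELINE)            # burst begins at second 30
BURST_END = BURST_START + len(BURST)   # and ends at second 50


def static_threshold_alarm(samples, capacity=LINK_CAPACITY_GBPS, fraction=0.8):
    """Classic 'link is saturating' alarm: fires at the first sample at or
    above `fraction` of link capacity. Returns the second it fired, or None."""
    for t, gbps in enumerate(samples):
        if gbps >= capacity * fraction:
            return t
    return None


def baseline_deviation_alarm(samples, warmup=20, sigmas=5.0, consecutive=3):
    """Profile-based alarm: learn mean/stdev from the first `warmup` seconds,
    then fire once `consecutive` samples in a row exceed mean + sigmas*stdev.
    Returns the second it fired, or None."""
    base = samples[:warmup]
    mu, sd = mean(base), pstdev(base)
    limit = mu + sigmas * max(sd, 0.05)  # floor keeps a flat baseline sane
    run = 0
    for t, gbps in enumerate(samples[warmup:], start=warmup):
        run = run + 1 if gbps > limit else 0
        if run >= consecutive:
            return t
    return None


def burst_seconds_leaked(alarm_second, mitigation_delay_s,
                         burst_start=BURST_START, burst_end=BURST_END):
    """Seconds of the burst that reach the victim before mitigation engages.
    `mitigation_delay_s` is the time from alarm to traffic actually being
    dropped: ~0 for an inline device, up to 3600 for a swing to a scrubbing
    service. A None alarm means nothing was ever blocked."""
    if alarm_second is None:
        return burst_end - burst_start
    effective = alarm_second + mitigation_delay_s
    return max(0, min(effective, burst_end) - burst_start)


if __name__ == "__main__":
    static = static_threshold_alarm(SAMPLES)
    profile = baseline_deviation_alarm(SAMPLES)
    print("static 80%-of-link alarm fired at:", static)       # None
    print("baseline-deviation alarm fired at:", profile)      # 32
    print("leaked with inline mitigation:",
          burst_seconds_leaked(profile, 0), "s of 20")        # 2
    print("leaked with 1 h out-of-band swing:",
          burst_seconds_leaked(profile, 3600), "s of 20")     # 20
```

The static alarm never fires because the burst peaks at 45 percent of the link; the deviation detector fires two seconds into the burst. Even so, a one-hour swing to off-path scrubbing lands long after the 20-second burst has finished, so all of it reaches the victim, which is the point the text makes about short attacks against reactive defenses.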


DDoS for Profiling Purposes
While volumetric DDoS attacks are easier to identify and often garner the most attention, Corero found that attackers are beginning to leverage more adaptive and multi-vector attacks against their targets. This enables them to profile a victim’s network security defense strategy and subsequently launch additional attacks that can bypass the organization’s cybersecurity tools.


“Denial of Service attacks have been a threat to service availability for more than a decade. However, more recently these attacks have become increasingly sophisticated and multi-vector in nature, overcoming traditional defense mechanisms or reactive countermeasures,” said Dave Larson, CTO and Vice President, Product, Corero Network Security. “As our customers’ experiences indicate, the regularity of these attacks simply highlights that there is a growing need for protection that will properly defeat DDoS attacks at the network edge, and ensure the accessibility required for the Internet connected business, or the Internet providers themselves.”


To defend against both traditional and evolving DDoS attack methods, Corero recommends that organizations pursue the following measures:

  • Consider implementing technology that detects, analyzes and responds to DDoS attacks by inspecting raw Internet traffic at line rate, identifying and blocking threats within the first few packets of an attack.
  • Introduce a layered security strategy focused on continuous visibility and security policy enforcement, establishing a proactive first line of defense that mitigates DDoS attacks while maintaining full service connectivity, availability and delivery of legitimate traffic.
  • Ensure complete application- and network-layer visibility into DDoS security events. This also enables forensic analysis of past threats and compliance reporting of security activity.