Hackers are using DDoS to profile your network

By Dave Larson, CTO of Corero Network Security.

Monday, 6th July 2015, posted by Phil Alsop

Most people associate the term ‘DDoS’ with system downtime, and understandably so: the term does, after all, stand for “Denial of Service”. A key factor that many are not aware of, or neglect to consider, is that attackers are getting smarter and are using more sophisticated methods as they target, profile and infiltrate networks. Attackers do not always want to deny service completely with a DDoS attack; most often the goal is quite the opposite. They want the network to stay up, and use the DDoS simply as a distraction. By using DDoS as a diversionary tactic, they are able to map the floor plan of a targeted network, determine weak points and vulnerabilities that can be exploited, and misdirect the efforts of the security team by overwhelming traditional IT security infrastructure and flooding logging tools with DDoS data.
Another misconception people have regarding DDoS is that they equate it with only one type of attack vector: volumetric. Volumetric DDoS attacks are easier to identify, and media coverage tends to publicise only this kind of high-bandwidth attack.

Corero Network Security has recently observed a change in how DDoS is being used by attackers as a mechanism for data exfiltration and breach activity. Corero has identified the use of brute-force DDoS attacks alongside more adaptive, multi-vector methods; it is by these means that attackers are using DDoS attacks to profile a target network’s security defences.

An initial attack of very high capacity may last around 15-20 minutes. After this initial ‘blast’ of sub-saturating attack traffic, the attacker backs off and launches a second attack at a much lower rate. Sooner or later the security defences permit this traffic through, because the network security perimeter characterises it as falling within the thresholds of normal network traffic. The key factor in this scenario is that the DDoS attack is not completely denying service, as it does not carry enough volume to fully saturate the pipe, and there is a good explanation for this.

Partial-saturation attacks like these have enough capacity to take down IPSs, web application servers, firewalls and other back-end infrastructure. It is clear that attackers are creating sophisticated security evasion techniques that utilise both multi-vector and traditional high-capacity DDoS attacks. Further attacks are subsequently chosen for their ability to circumvent whatever layered protection may be in place. Attackers’ finely honed skills and sophisticated reconnaissance tools let them tell when and where the network is responding, allowing them to profile networks, even to the degree of pinpointing the brand of security defences in place.
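The two-phase pattern described above (a short sub-saturating blast, then a quieter second phase pitched under the perimeter's static threshold) is exactly what a fixed-threshold alarm misses. The following added example, which is not Corero's code or from the original article, contrasts a static threshold with a baseline-relative detector on a constructed per-minute traffic series for an assumed 2 Gbps link; the threshold, window and ratio values are assumptions chosen for illustration.

```python
"""Detecting the 'blast, then back off below threshold' DDoS pattern.

Constructed per-minute inbound traffic samples (Mbps) for an assumed 2 Gbps
link: a 20-minute sub-saturating blast, a short pause, then a sustained
second phase that sits well under a typical static alarm threshold.
"""
from statistics import median

LINK_CAPACITY_MBPS = 2000
FIXED_THRESHOLD_MBPS = 1000   # assumed static perimeter alarm threshold


def constructed_traffic():
    """Constructed sample: list of (minute, mbps)."""
    series = []
    for minute in range(150):
        if 60 <= minute < 80:
            mbps = 1800                      # blast: high, but below link capacity
        elif 90 <= minute < 150:
            mbps = 600                       # second phase: under the static threshold
        else:
            mbps = 200 + (minute % 7) * 5    # normal traffic with small deterministic jitter
        series.append((minute, mbps))
    return series


def fixed_threshold_alerts(series, threshold=FIXED_THRESHOLD_MBPS):
    """Static threshold: alerts only on minutes above the fixed value."""
    return [minute for minute, mbps in series if mbps > threshold]


def baseline_relative_alerts(series, window=30, ratio=2.0):
    """Alert when a minute exceeds ratio * median of the last `window` minutes
    that did NOT alert. Excluding alerting minutes from the baseline stops the
    blast from dragging the baseline up and making the second phase look normal.
    """
    clean = []     # rates from non-alerting minutes only
    alerts = []
    for minute, mbps in series:
        if len(clean) >= window:
            baseline = median(clean[-window:])
            if mbps > ratio * baseline:
                alerts.append(minute)
                continue
        clean.append(mbps)
    return alerts


def phases(alert_minutes):
    """Group consecutive alerting minutes into (start, end) phases."""
    out = []
    for minute in alert_minutes:
        if out and minute == out[-1][1] + 1:
            out[-1] = (out[-1][0], minute)
        else:
            out.append((minute, minute))
    return out


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("fixed threshold sees:   ", phases(fixed_threshold_alerts(traffic)))
    print("baseline-relative sees: ", phases(baseline_relative_alerts(traffic)))
```

The static detector reports a single phase (the blast) and goes quiet once the attacker backs off; the baseline-relative detector also reports the second phase, because 600 Mbps is roughly three times the pre-incident median even though it is well under the 1000 Mbps alarm line. Freezing the baseline during alerts is the important design choice: a naive rolling average that includes the blast would have raised its own baseline high enough to accept the second phase as normal.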
The DDoS threat landscape is a broad and constantly evolving topic, but the idea that DDoS attacks are used as a diversionary tactic or profiling mechanism is frequently ignored or brushed aside. When looking at forensic archive data around DDoS attacks, you usually see things like brute force login attempts that occur at the same time as the DDoS attack itself – this is further evidence that the DDoS component of the incursion was never about the denial of service. Attackers are trying to circumvent defences and are looking for holes they can exploit, and DDoS is proving to be a fantastic smoke screen for making sure that all their incursions are obscured, or in many cases never even captured by the event logging tools that many organisations rely on to alert them of breach activity in the event their defences fail.
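The forensic observation above, brute-force login attempts that coincide with the flood, is straightforward to surface if the DDoS alert window is correlated against authentication logs rather than treated as the whole incident. This added example, not from the original article or Corero, parses constructed sshd-style syslog lines and reports sources whose failed logins cluster inside a constructed DDoS window; the log format, the window and the TEST-NET addresses are all assumptions made for illustration.

```python
"""Correlating authentication failures with a DDoS alert window.

The log lines and the DDoS window below are constructed for this example.
"""
import re
from collections import Counter
from datetime import datetime

YEAR = 2015   # syslog timestamps carry no year; assumed here

# Constructed DDoS alert window as it might come from a traffic monitor.
DDOS_WINDOW = (datetime(2015, 7, 6, 10, 0), datetime(2015, 7, 6, 10, 20))

# Constructed sample log lines (TEST-NET addresses, not real hosts).
SAMPLE_LOGS = """\
Jul 06 09:41:12 bastion sshd[2201]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Jul 06 09:58:03 bastion sshd[2230]: Accepted publickey for ops from 198.51.100.20 port 40122 ssh2
Jul 06 10:02:15 bastion sshd[2310]: Failed password for root from 192.0.2.15 port 50001 ssh2
Jul 06 10:02:16 bastion sshd[2311]: Failed password for root from 192.0.2.15 port 50002 ssh2
Jul 06 10:02:18 bastion sshd[2312]: Failed password for admin from 192.0.2.15 port 50003 ssh2
Jul 06 10:05:40 bastion sshd[2340]: Failed password for backup from 192.0.2.15 port 50010 ssh2
Jul 06 10:06:01 bastion sshd[2341]: Failed password for oracle from 192.0.2.15 port 50011 ssh2
Jul 06 10:11:09 bastion sshd[2390]: Failed password for invalid user test from 192.0.2.15 port 50020 ssh2
Jul 06 10:31:55 bastion sshd[2501]: Failed password for admin from 203.0.113.7 port 51030 ssh2
"""

# Matches only failed-password events; "invalid user" is optional in sshd's wording.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failures(text, year=YEAR):
    """Return a list of (timestamp, source_ip, username) for failed logins."""
    failures = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["ip"], m["user"]))
    return failures


def failures_by_source(failures, window):
    """Split failure counts per source IP into inside/outside the DDoS window."""
    start, end = window
    inside, outside = Counter(), Counter()
    for ts, ip, _ in failures:
        (inside if start <= ts < end else outside)[ip] += 1
    return inside, outside


def suspicious_sources(failures, window, min_inside=3):
    """Sources whose failed logins concentrate inside the DDoS window:
    at least `min_inside` failures during the flood, and more inside than outside."""
    inside, outside = failures_by_source(failures, window)
    return sorted(ip for ip, n in inside.items() if n >= min_inside and n > outside[ip])


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOGS)
    inside, outside = failures_by_source(failures, DDOS_WINDOW)
    print("failed logins inside window: ", dict(inside))
    print("failed logins outside window:", dict(outside))
    print("sources to investigate:      ", suspicious_sources(failures, DDOS_WINDOW))
```

The two low-rate attempts from 203.0.113.7 fall outside the window and would normally be noise; the six attempts from 192.0.2.15 all land inside the twenty-minute flood and are the signal the article says is usually buried. In practice the same correlation is worth running against any log source that might be starved during the attack, since the article's point is that the logging tools themselves may drop events under load.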

The dilemma facing many organisations, when it comes to implementing an effective DDoS defence strategy, is whether to deploy on-premises DDoS appliances or subscribe to a cloud-based anti-DDoS provider.

With an on-demand cloud DDoS defence service that sits out-of-band, human intervention is a key factor. When an attack is detected, a human security analyst must make the decision to enable the cut-over to the cloud anti-DDoS provider. The average time between detection and mitigation of an attack ranges upwards of one hour; by the time the on-demand defences are in place, the attack has subsided and the damage is done.

An on-premises first line of defence approach prevents network and service outages due to DDoS attacks by blocking attacks in real time, while allowing the good traffic to flow uninterrupted. On-premises DDoS defence enables complete and sophisticated visibility for actionable security intelligence.

In 2014 the SANS Institute reported: “DDoS mitigation solutions integrating on-premises equipment and ISP and/or mitigation architectures are nearly four times more prevalent than on-premises or services-only solutions. The growing sophistication of DDoS attacks and the sensitive nature of potential disruption to business services require both local and upstream protections that work in sync.”

The hybrid approach to DDoS protection is a new tactic that gives organisations the best of both worlds, combining the resiliency and scale of cloud-based solutions with the real-time protection, sophisticated visibility and granular traffic inspection of on-premises solutions. An always-on on-premises solution combined with on-demand cloud defence provides businesses with a means of safeguarding against the full range of DDoS attacks posed to their networks. With DDoS attacks now being delivered in various sizes and with differing intentions, ensuring that the appropriate prevention best practices are applied correctly could well be what saves an organisation from falling victim to a major breach of information.

As DDoS attack techniques continue to evolve, organisations must match their defence posture to keep up with these threats. The Internet-connected business can no longer afford to wait until an attack has occurred to implement security measures; the protection must be in place before the attack is executed. Organisations need to prepare themselves with modern real-time DDoS detection and mitigation capabilities that incorporate both intelligent, automated filtering and detailed security forensics to defeat these new and advanced evasion threats.