Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:20 PM
Connect Directly

Hit-And-Run Tactics Fuel Growth In DDoS Attacks

A majority of organizations in Imperva DDoS study suffer multiple consecutive attacks.

Many threat actors behind distributed denial of service (DDoS) attacks against enterprises appear to be increasingly employing hit-and-run tactics to make their campaigns more effective.

Security firm Imperva recently analyzed data collected from its customers while mitigating DDoS attacks on their networks between April 2015 and March 2016. The data showed a 211% increase year over year in the number of DDoS attacks directed against its customers. On average, Imperva mitigated about 445 DDoS attacks per week over the one-year period.

At least some of the growth in the number of DDoS attacks recorded by Imperva had to do with the increased use of hit-and-run tactics by threat actors. These are attacks where a single assault is executed in multiple smaller and consecutive attack-bursts, according to Imperva.

The goal in using the tactic appears to be to exhaust mitigation teams by keeping them on high alert status for prolonged periods of time. Attackers could also be employing the tactic to confuse mitigation teams and divert attention away from other, more surreptitious malicious activity directed against their networks, Imperva said in its report.

More than 40% of the DDoS victims that Imperva counted last year in fact were attacked more than one time. About 16% were targeted at least five times or more. A comparison of DDoS data from the four quarters that Imperva inspected showed a gradual uptick in the use of such hit-and run tactics, the company noted.

“We have been seeing hit-and-run attacks for the last four quarters,” says Tim Matthews, vice president of marketing at Imperva. “They are really an evolution of multi-vector attacks, where criminals realize that large frontal attacks alone may no longer be successful.” 

The increased use of DDoS-for-hire services also contributed to the overall uptick in DDoS attacks last year, according to Imperva. The number of attackers using paid “booters” or “stressers” to direct DDoS traffic against specific targets jumped from around 64% in the second quarter of last year to 93% in Q1 2016.

With some booter services starting at just $5 for a minute-long attack, many of those engaged in such activity are likely non-professionals, Imperva said in its report.

The biggest impact for enterprises from such attacks is potential revenue loss, Matthews says. “This is especially pronounced for companies that depend on uptime for revenue, notably gaming and ecommerce companies,” he says.

In addition to an increase in overall numbers, DDoS attacks also increased in size.

Many of the network-layer attacks that Imperva handled for customers last year exceeded 200 Gbps, with one even exceeding a massive 470 Gbps in size. That attack is the largest that Imperva has seen to date, according to Matthews. Attackers often used small network packets to maximize packet forwarding rates and throughput capacity.

In terms of sheer number, however, application-layer assaults accounted for 60% of all DDoS attacks that Imperva mitigated last year.  

“Attackers are continuing to evolve,” Matthews says. “The sophistication of attacks, and the targeting of applications rather than networks, means that simple mitigation techniques that used to work – like configuring routers or firewalls to block attacks – are likely not working, and may offer a false sense of security.”

Related stories:



Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/3/2016 | 4:17:12 AM
DDoS Attacks

DDoS Attacks is terrible for a young startup..thank you for your tips ! 

US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-09-19
An issue was discovered in the Linux kernel before 5.0.4. The 9p filesystem did not protect i_size_write() properly, which causes an i_size_read() infinite loop and denial of service on SMP systems.
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key.
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys.
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys.
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P3 (, contain an information disclosure vulnerability. Information relating to the backend database gets disclosed to low-privileged RSA Archer users' UI under certain error conditions.