Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/16/2013
05:30 PM
50%
50%

DDoS Attacks Grow Shorter But Pack More Punch

DDoS attack sizes are rising even as the duration of the attacks grows shorter, according to Arbor Networks

If there was ever a riddle asking the listener to name something that has become bigger and shorter at the same time, distributed denial-of-service attacks (DDoS) would be an acceptable answer.

According to a new report from Arbor Networks about the third quarter of 2013, the average attack size now stands at 2.64 Gbps for the year, an increase of 78 percent from 2012. The number of attacks monitored by the firm that are more than 20 Gbps experienced massive growth, to the tune of a 350 percent increase so far this year.

Meanwhile, the length of the vast majority of attacks (87 percent) has gone down to less than an hour.

"Shorter duration attacks are not inherently harder to detect, but they can be harder to mitigate," says Gary Sockrider, solutions architect for the Americas, Arbor Networks. "Many organizations today rely on network- or cloud-based mitigation of DDoS attacks. Because they rely on rerouting attack traffic to scrubbing centers, there is a small delay in mitigation while routing or domain name changes propagate.

"Ideally you want to have mitigation capabilities on your own network that can react immediately without the need for redirection. I think it's safe to say that if you have absolutely no mitigation capabilities, then shorter attacks are better. However, if your only protection has inherent delays, then shorter attacks potentially cannot be stopped."

Barrett Lyon, founder of DDoS mitigation firm Prolexic Technologies and now CTO of Defense.net, says that shorter DDoS attacks also have the added benefit of minimizing an attacker's exposure.

"The longer it runs, the more things are obviously clogged up and the more reactive network engineers become," he observes. "When network engineers start researching a problem like that -- congestion in their network or why is this computer slow -- it exposes the botnet and makes it much vulnerable than it would be otherwise. So if it's a short attack but big, [attackers] can kind of quickly see and size up their target. They can quickly determine ... what's the best bang for the buck when it comes to attacking."

A clear trend of increasing attack sizes has emerged during the past several years, Sockrider says.

"I believe there [is] a combination of factors enabling this trend," he says. "First, there is increased availability of simple-to-use tools for carrying out attacks with little skill or knowledge. Second, there is a growing proliferation of DDoS-for-hire services that are quite inexpensive. Third, increasingly powerful workstations and servers that get compromised also have significantly faster connections to the Internet from which to generate attacks."

The largest monitored and verified attack size during the quarter was 191 Gbps, according to the firm. Fifty-four percent of attacks this year are more than 1 Gbps, up from 33 percent in 2012. Some 37 percent so far this year are between 2 Gbps and 10 Gbps.

Another general trend is of attacks moving to the application layer. In fact, while volumetric attacks are still common, they are now frequently combined with application-layer and state exhaustion attacks, Sockrider says.

In some cases, DDoS attacks have served as diversions meant to draw attention from other activities, such as bank fraud. For example, a report published in April by Dell SecureWorks noted how DDoS attacks were launched after fraudulent wire and automatic clearing house (ACH) transfers.

"Most people that follow DDoS trends are aware of the really high-profile attacks against government and financial institutions, but in reality the most common targets are actually business and e-commerce sites," Sockrider says. "We're also seeing increased attacks in the online gaming industry, where attacks are waged for competitive advantage. Additionally, some organizations are taking collateral damage because they reside in a data center, and they happen to share infrastructure with a high-profile target. The bottom line is that in the current environment, every organization is a potential target."

*This story was updated with additional commentary.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Drew Conry-Murray
100%
0%
Drew Conry-Murray,
User Rank: Ninja
10/18/2013 | 12:21:36 AM
re: DDoS Attacks Grow Shorter But Pack More Punch
Is the shortening length of an attack a result of mitigation techniques, or because the attackers themselves stop the attack?
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
Capital One Breach: What Security Teams Can Do Now
Dr. Richard Gold, Head of Security Engineering at Digital Shadows,  8/23/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15540
PUBLISHED: 2019-08-25
filters/filter-cso/filter-stream.c in the CSO filter in libMirage 3.2.2 in CDemu does not validate the part size, triggering a heap-based buffer overflow that can lead to root access by a local Linux user.
CVE-2019-15538
PUBLISHED: 2019-08-25
An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a ...
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.