Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:20 PM
Connect Directly

Hit-And-Run Tactics Fuel Growth In DDoS Attacks

A majority of organizations in Imperva DDoS study suffer multiple consecutive attacks.

Many threat actors behind distributed denial of service (DDoS) attacks against enterprises appear to be increasingly employing hit-and-run tactics to make their campaigns more effective.

Security firm Imperva recently analyzed data collected from its customers while mitigating DDoS attacks on their networks between April 2015 and March 2016. The data showed a 211% increase year over year in the number of DDoS attacks directed against its customers. On average, Imperva mitigated about 445 DDoS attacks per week over the one-year period.

At least some of the growth in the number of DDoS attacks recorded by Imperva had to do with the increased use of hit-and-run tactics by threat actors. These are attacks where a single assault is executed in multiple smaller and consecutive attack-bursts, according to Imperva.

The goal in using the tactic appears to be to exhaust mitigation teams by keeping them on high alert status for prolonged periods of time. Attackers could also be employing the tactic to confuse mitigation teams and divert attention away from other, more surreptitious malicious activity directed against their networks, Imperva said in its report.

More than 40% of the DDoS victims that Imperva counted last year in fact were attacked more than one time. About 16% were targeted at least five times or more. A comparison of DDoS data from the four quarters that Imperva inspected showed a gradual uptick in the use of such hit-and run tactics, the company noted.

“We have been seeing hit-and-run attacks for the last four quarters,” says Tim Matthews, vice president of marketing at Imperva. “They are really an evolution of multi-vector attacks, where criminals realize that large frontal attacks alone may no longer be successful.” 

The increased use of DDoS-for-hire services also contributed to the overall uptick in DDoS attacks last year, according to Imperva. The number of attackers using paid “booters” or “stressers” to direct DDoS traffic against specific targets jumped from around 64% in the second quarter of last year to 93% in Q1 2016.

With some booter services starting at just $5 for a minute-long attack, many of those engaged in such activity are likely non-professionals, Imperva said in its report.

The biggest impact for enterprises from such attacks is potential revenue loss, Matthews says. “This is especially pronounced for companies that depend on uptime for revenue, notably gaming and ecommerce companies,” he says.

In addition to an increase in overall numbers, DDoS attacks also increased in size.

Many of the network-layer attacks that Imperva handled for customers last year exceeded 200 Gbps, with one even exceeding a massive 470 Gbps in size. That attack is the largest that Imperva has seen to date, according to Matthews. Attackers often used small network packets to maximize packet forwarding rates and throughput capacity.

In terms of sheer number, however, application-layer assaults accounted for 60% of all DDoS attacks that Imperva mitigated last year.  

“Attackers are continuing to evolve,” Matthews says. “The sophistication of attacks, and the targeting of applications rather than networks, means that simple mitigation techniques that used to work – like configuring routers or firewalls to block attacks – are likely not working, and may offer a false sense of security.”

Related stories:



Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/3/2016 | 4:17:12 AM
DDoS Attacks

DDoS Attacks is terrible for a young startup..thank you for your tips ! 

44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated reflected XSS via the redirect page.
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated eval injection via the queryBCP method of the Auxiliary Service.
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows attackers to obtain sensitive information by reading the IWEBSERVICE_JSONRPC_COOKIE cookie.
PUBLISHED: 2020-02-25
ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled, allows SQL Injection.
PUBLISHED: 2020-02-25
VDSM and libvirt in Red Hat Enterprise Virtualization Hypervisor (aka RHEV-H) 7-7.x before 7-7.2-20151119.0 and 6-6.x before 6-6.7-20151117.0 as packaged in Red Hat Enterprise Virtualization before 3.5.6 when VSDM is run with -spice disable-ticketing and a VM is suspended and then restored, allows r...