DDoS Attacks: Beware Headline Risk

Peak Attack Size Graph

If you follow the stock market, a term you will frequently hear is “headline risk.” Pharmaceutical and biotech stocks are a good example of this. A tweet from a prominent politician about drug prices coming down because of healthcare reform is instantly interpreted as bad news for the future earnings power of these companies, and the stocks sell off. That’s headline risk.

When it comes to understanding the distributed denial-of-service (DDoS) threat today, headlines provide a risk of a different sort. They can alter your perception of the issue and limit the options available to protect your business.

Since first emerging in the late 1990s, DDoS attacks have had the reputation of being a basic flood attack that tries to overwhelm a connection with traffic. Recent headlines about DDoS attacks haven’t helped change that perception. This trend towards very large attacks has been driven using reflection/amplification techniques that can magnify the amount of traffic at the hands of the attacker. For example, DNS resolvers are often used by attackers to spoof victim IP addresses. By sending DNS queries to open resolvers the response sent to the victim’s server may be 50X the size of the original query. In fact, this year’s Worldwide Infrastructure Security Report showed increased attack activity on all reflection/amplification protocols with DNS remaining the most commonly used, with NTP close behind.

With the emergence of IoT botnets like and LizardStresser, we’ve seen a new way for attackers to launch massive attacks. Embedded IoT devices are highly vulnerable, generally always turned on and the networks where they reside offer high-speed connections, which allows for a relatively high amount of DDoS attack traffic volume per compromised device. Against this backdrop, it’s easy to see why massive attack size is dominating the DDoS discussion.

In this case thinking that the headlines tell the full story presents serious risk to network operators. Yes, massive attacks are here to stay, and yes, they’re getting large enough where they could become a national security issue. However, it is important for enterprise network operators to understand that a DDoS attack only has to be as large as your internet facing circuit.

Arbor’s ATLAS threat intelligence infrastructure gathers anonymized traffic data from more than 300 internet service providers, equaling approximately one-third of all internet traffic. Here are a few stats that show why DDoS is about more than very large attacks.

  • ATLAS recorded a DDoS attack every 6.3 seconds last year.
  • 88% were less than 2Gbps.
  • 80% were less than 1Gbps.

DDoS today is in fact a series of attacks that target not just connection bandwidth, but multiple devices that make up your existing security infrastructure, such as stateful Firewall/IPS devices, as well wide variety of applications that the business relies on, like HTTP, HTTPS, VoIP, DNS and SMTP. DDoS attacks that target business-critical applications are often referred to as “low and slow” attacks. They target applications with what look like legitimate requests until they can no longer respond. High volumes are not required to cause serious operational damage to an unprepared organization.

The hottest trend in DDoS is the multi-vector attack, combining flood, application and state exhaustion attacks against infrastructure devices all in a single, sustained attack. These attacks are popular because they difficult to defend against and often highly effective.

All of this calls for on-premise DDoS protection. It provides the first line of defense against volumetric attacks while protecting Layer 7 applications from “low and slow” attacks that cannot be effectively mitigated from the cloud. Finally, by deploying Intelligent DDoS Mitigation Systems on-premise, in front of the firewall/IPS, you protect the existing security infrastructure while maintaining availability of critical business applications.

Effective DDoS defense calls for agile protection from the cloud to the data center. Without a tightly integrated, multi-layered mitigation infrastructure your organization is only partially protected. Look beyond the headlines on DDoS attacks if you don’t want to become one.

Leave a Reply

Your email address will not be published. Required fields are marked *