While huge distributed denial-of-service attacks driven by the NTP reflection technique have been behind a number of recent headline-grabbing incidents, a new report warns that midsize DDoS attacks are on the rise, and are being used to cloak more insidious enterprise attacks.
If you have a DDoS that's unexplained, chances are that you were compromised [by malware or theft].
senior vice president and senior technologist, Neustar
Telecommunications and distributed denial-of-service (DDoS) mitigation services provider Neustar Inc. recently surveyed nearly 450 companies across a number of industries for its third-annual report on DDoS attack trends. Three out of five respondents indicated they were on the receiving end of a DDoS attack last year, up from 35% from the year before. Unsurprisingly, nearly half of those surveyed indicated DDoS posed a greater threat when compared to the previous year.
Sterling, Va.-based Neustar also indicated it has mitigated twice as many DDoS attacks over the 100 Gbps bandwidth threshold so far this year when compared to the same period a year ago. The survey paints a different picture when it comes to DDoS attack size, with the number of respondents reporting attacks over 10 Gbps falling by half. DDoS attacks under 1 Gbps also fell from 87% in last year's report to 73% this year.
Intriguingly, midsize DDoS attacks -- between 1 and 10 Gbps in bandwidth -- accounted for more than a quarter of all DDoS incidents, up from only 8% last year. That finding did not surprise Rodney Joffe, senior vice president and senior technologist for Neustar, who noted that such attacks are intended to saturate the Internet connections of small- and medium-sized companies.
"That's typically the size of the bandwidth the companies have, between 1 Gbps and 5 Gbps," Joffe said. "Attackers hit them with something just large enough for them to not handle it."
Beware the DDoS diversion
According to Joffe, it's no coincidence that malicious actors are deploying DDoS attacks with just enough bandwidth to consume the connections of small- and medium-sized organizations. While DDoS has typically been associated with the hacktivist scene, he said an increasing number of financially motivated attackers use DDoS as a diversion for more sinister plots.
In fact, a majority of the companies Neustar surveyed experienced another attack technique that was used in conjunction with DDoS -- typically an associated theft of customer data, intellectual property or financial information, often related to a malware attack.
Joffe said DDoS diversions are typically used in two scenarios. First, attackers can attempt to overwhelm the websites of banking institutions, he said, with the goal of knocking them offline. Such attacks also tend to have a negative effect on customer service phone lines, especially those that rely on VoIP for telecommunications.
As a result, organizations are left unable to communicate with their banks in regard to transfer activities and account balances, creating an opportunity for attackers to target the bank's corporate customers and commit fraud without being noticed immediately. Joffe advised such organizations, particularly SMBs, to be aware of any unusual network behavior environments whenever relevant banking sites go down, and to discuss the situation with their bank as soon as possible to ensure no unauthorized transfers occurred.
The other -- more concerning -- scenario for enterprises, Joffe said, is when enterprises themselves are the target of DDoS attacks. When hacktivists initiate a DDoS attack they generally claim responsibility and make their motives obvious, he said. When a DDoS attack goes unexplained, Joffe added, chances are that it is merely being used to cloak a separate, simultaneous attack.
"If you have a DDoS that's unexplained, chances are you were compromised [by malware or theft]. When all of that is going on, the security guys are not watching for subtle, targeted attacks looking to drop malware [like Zeus] somewhere in the company," Joffe said. "You need people looking for incursions, too. While everyone is working on DDoS, the real danger slips through."
More than a third of respondents to the Neustar survey said they are now using dedicated DDoS mitigation services to ward off such attacks, while nearly 15% make use of a DDoS mitigation appliance. Still, a majority rely on traditional networking and security products -- namely firewalls, routers and intrusion prevention systems -- to fight DDoS attacks, a stat Joffe considered worrisome because those technologies are not designed to spot or mitigate DDoS traffic.
Regardless of the method or purpose, Neustar confirmed DDoS attacks are not only burdensome, but also costly. More than two-fifths of respondents said a DDoS-related outage costs $50,000 or more per hour, while more than 20% of DDoS attacks lasted a day or more, meaning the costs can spiral for companies that aren't prepared for such scenarios.
Joffe advised companies to seriously consider planning ahead by establishing a relationship with a dedicated DDoS mitigation service provider -- as well as incident response vendors to handle a potential malware cleanup -- if they are incapable of fending off such attack types internally.
"It needs a fair bit of thought and expense, and I'm not sure how many organizations do those things up front. In fact, most small and midsize companies, in my experience, hope they aren't targeted. That's their solution," Joffe said. "They really need to put [those provisions] in place beforehand because the worst time to look for help is during the middle of a firefight."