Despite detecting an increase in large distributed denial of service attacks in the first quarter of 2017, Corero Network Security has reported that the greatest DDoS threat currently comes from smaller attacks designed to either hide other malicious activities or set the stage for future malicious actions.
Corero, which specializes in DDoS prevention, noted in its just released Q4 2016 - Q1 2017 Trends Report that these "sub-saturation" attacks typically fall within a certain sweet spot: They are short enough in duration and small enough in size to avoid detection by mitigation tools, yet they are still significant enough to serve the attacker's purpose. According to the company, many legacy and homegrown mitigation tools will not respond to attacks that are less than one Gbps in size and under than 10 minutes in duration, because they do not meet a certain pre-programmed threshold.
"...They are just disruptive enough to knock a firewall or intrusion prevention system (IPS) offline so that the hackers can target, map and infiltrate a network to install malware and engage data exfiltration activity," said Ashley Stephenson, CEO at Corero Network Security, in a company press release. In other cases, the attackers may simply be testing a network for weaknesses, in anticipation of a future malicious action down the line.
But even if the DDoS attack is detected, network administrators may too busy responding to the outage to realize that there is actually a bigger threat at hand. In an email to SC Media, Stephanie Weagle, vice president at Corero, cited UK-based telecom company TalkTalk as a recent example. In 2015, hackers stole the company's customer data using a DDoS attack as an effecitve distraction.
“Short DDoS attacks might seem harmless, in that they don't cause extended periods of downtime. But IT teams who choose to ignore them are effectively leaving their doors wide open for malware or ransomware attacks, data theft or other more serious intrusions," Stephenson explained. "Just like the mythological Trojan Horse, these attacks deceive security teams by masquerading as a harmless bystander – in this case, a flicker of internet outage – while hiding their more sinister motives.”
According to the report, 80 percent of attempted DDoS attacks that were launched against Corero customers in Q1 2017 were less than 1 Gbps in volume, while 71 percent lasted 10 minutes or less. In Q4, 77 percent of DDoS attacks were less than 1 Gbps in volume, while 73 percent were 10 minutes or less in duration.
While smaller attacks remain the norm, Corero did see a 55 percent rise in DDoS attacks that were 10 Gbps or larger in Q1, compared to the previous quarter.
Corero customers averaged 124 attacks per month in Q1, an increase of nine percent over Q4 2016.