DDoS attacks: why denial of service is not always the attacker’s aim

Published: Tuesday, 19 May 2015 07:47

Dave Larson, CTO at Corero, explains why DDoS attacks are often a diversionary tactic, allowing other attack vectors to be placed on the network unnoticed.

Organizations need to take a closer look at the problem of business disruption resulting from the external DDoS attacks that every online organization is unavoidably exposed to when connected to an unsecured or ‘raw’ Internet feed. Proper visualization and analytics are key components of any realistic DDoS defense. DDoS event data allows security teams to see all threat vectors associated with an attack, even complex hybrid attacks that are well disguised in order to achieve the goal of data exfiltration. However, many legacy DDoS defense solutions are not focused on providing visibility into all layers of an attack; they are strictly tasked with looking for flow peaks on the network. Unfortunately, if all you are looking for is anomalous bandwidth spikes, you may be missing critical attack vectors that are seriously compromising your business.

In the face of this new cyber-risk, traditional approaches to network security are proving ineffective. The increase in available Internet bandwidth, together with widespread access to cyber-attack software tools and ‘dark web’ services for hire, has led to the rapid evolution of increasingly sophisticated DDoS techniques used by cyber criminals to disrupt and exploit businesses internationally.

DDoS as a diversion

Today, DDoS attack techniques are more commonly employed by attackers to do a lot more than deny service. Attack attempts experienced by Corero’s protected customers in Q4 2014 indicate that short bursts of sub-saturating DDoS attacks are becoming more of the norm. The recent DDoS Trends and Analysis report indicates that 66 percent of attack attempts targeting Corero customers were less than 1Gbps in peak bandwidth utilization, with a duration of less than five minutes. Clearly, an attack at this level does not threaten to disrupt service for the majority of online entities. And yet the majority of attacks utilizing well-known DDoS attack vectors fit this profile. So why would a DDoS attack be designed to maintain service availability if the true intent is ‘denial of service’? What’s the point if you aren’t aiming to take an entire IT infrastructure down, or wipe out hosted customers with bogus traffic?

Unfortunately, the answer is quite alarming. For organizations that don’t take advantage of in-line DDoS protection positioned at the network edge, these partial link saturation attacks, which occur in short bursts, enter the network unimpeded and begin overwhelming traditional security infrastructure. In turn, this activity triggers unnecessary logging of DDoS event data, which may prevent the logging of more important security events, and sends the layers of the security infrastructure into a reboot or fallback mode. These attacks are sophisticated enough to leave just enough bandwidth available for other multi-vector attacks to make their way into the network and past weakened network security layers undetected. There would be little to no trace of these additional attack vectors infiltrating the compromised network, as the initial DDoS would have done its job: to distract all security resources from performing their intended functions.
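The detection gap described above, shown as an added example that is not part of the original article or of any Corero product: a saturation-only alarm stays silent on a short sub-saturating burst, while a baseline-relative check finds the burst and pulls out the non-DDoS events logged around it. The traffic samples, events, thresholds and function names are all constructed assumptions.

```python
from statistics import median

LINK_MBPS = 10_000  # assumed link capacity (10 Gbps)
# Constructed sample: peak inbound Mbps per minute (list index = minute)
RATES = [310, 295, 320, 300, 890, 940, 905, 315, 300, 290, 305, 310]
# Constructed sample events: (minute, category, message)
EVENTS = (
    [(1, "auth", "scheduled service login")]
    + [(m, "ddos", "SYN flood packet dropped") for m in (4, 5, 6) for _ in range(200)]
    + [(5, "auth", "admin login from unfamiliar address"),
       (7, "egress", "large outbound transfer from db host")]
)

def peak_alarm(rates, link_mbps, fraction=0.8):
    """Flow-peak check: alarm only when a sample nears link saturation."""
    return any(r >= fraction * link_mbps for r in rates)

def find_bursts(rates, link_mbps, factor=2.0, max_minutes=5):
    """Return (start, end, peak) for short runs far above baseline but below capacity."""
    baseline = median(rates)
    bursts, start = [], None
    # The -inf sentinel closes a run that is still open at the last sample.
    for minute, rate in enumerate(list(rates) + [float("-inf")]):
        elevated = rate >= factor * baseline
        if elevated and start is None:
            start = minute
        elif not elevated and start is not None:
            peak = max(rates[start:minute])
            if minute - start <= max_minutes and peak < link_mbps:
                bursts.append((start, minute - 1, peak))
            start = None
    return bursts

def buried_events(events, bursts, grace=2):
    """Non-DDoS events inside a burst window (plus grace minutes), for analyst review."""
    return [e for e in events if e[1] != "ddos"
            and any(s <= e[0] <= end + grace for s, end, _ in bursts)]

if __name__ == "__main__":
    bursts = find_bursts(RATES, LINK_MBPS)
    print("saturation alarm fired:", peak_alarm(RATES, LINK_MBPS))
    print("sub-saturating bursts:", bursts)
    for event in buried_events(EVENTS, bursts):
        print("review:", event)
```

In the constructed data, 600 flood entries surround two events worth an analyst's attention; filtering by burst window and category surfaces them without relying on a bandwidth alarm.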

Adaptive DDoS and multi-vector techniques are becoming more common

Many equate DDoS with only a volumetric attack vector. This is not surprising, as these high bandwidth-consuming attacks are easier to identify and defend against with anti-DDoS solutions. The attack attempts against Corero’s customers in Q4 2014 not only employed brute force multi-vector DDoS attacks; there was also an emerging trend in which attackers implemented more adaptive multi-vector methods to profile the nature of the target network’s security defences, and subsequently selected a second or third attack designed to circumvent an organization’s layered protection strategy. While volumetric attacks remain the most common DDoS attack type targeting Corero customers, combination or adaptive attacks are emerging as a new threat vector.

Empowering security teams with DDoS visibility

The role of the security team tasked with protecting against these sophisticated and adaptive attacks continuously evolves along with the DDoS threat landscape. Obtaining clear visibility into the attacks lurking on the network is quickly becoming a priority for network security professionals. The Internet-connected business is now realizing the importance of security tools that offer comprehensive visibility from a single analysis console or ‘single pane of glass’ to gain a complete understanding of the DDoS attacks and cyber threats targeting their Internet-facing services. Dashboards of actionable security intelligence can expose volumetric DDoS attack activity, such as reflection, amplification, and flooding attacks. Additionally, insight into targeted resource exhaustion attacks, low and slow attacks, victim servers, ports, and services as well as malicious IP addresses and botnets is mandatory. Unfortunately, most attacks of these types typically slide under the radar in DDoS scrubbing lane solutions, or go completely undetected by cloud-based DDoS protection services, which rely on coarse sampling of the network perimeter.

Extracting meaningful information from volumes of raw security events has been a virtual impossibility for all but the largest enterprises equipped with dedicated security analysts. Next-generation DDoS defence solutions can provide this capability in a turn-key fashion to organizations of all sizes. By combining high-performance in-line DDoS event detection and mitigation capabilities with sophisticated event data analysis in a state-of-the-art big data platform, these solutions can quickly find the needles in the haystack of security events.

With the ability to uncover hidden patterns of data, identify emerging vulnerabilities within the massive streams of DDoS attack and security event data, and respond decisively with countermeasures, next-generation DDoS first line of defense solutions provide security teams with the tools required to better protect their organization against the dynamic DDoS threat landscape.

http://www.corero.com