Application layer DDoS attacks are smaller than traditional network-based attacks, which try to exceed the available bandwidth. Organizations need to handle them differently.

When it comes to distributed
denial-of-service attacks, smaller attacks can cause just as much, if not more,
damage than enormous ones, according to a recent study.

DDoS attackers are focusing
less on bandwidth and shifting toward application layer attacks, Radware
said in its "2011 Global Application and Network Security Report,"
released Feb. 6. While some
organizations do incur massive DDoS attacks, most never experience a
high-magnitude attack, Ron Meyran, director of security products, wrote on the

The Radware Emergency
Response Team examined 135 attacks that occurred in 2011 and found that 76
percent were less than 1G bps in bandwidth, of which only 32 percent were less
than 10M bps, Radware said. Only 9 percent of attacks in 2011 were over 10G bps
in bandwidth. Organizations focused on the traditional methods of expanding the
network pipe to absorb malicious traffic needed to change their methods,

"A 5M bps HTTP
connection flood attack can also stop you dead in your tracks," the report

A little more than half, or
56 percent, of attacks targeted applications while 46 percent targeted the
network, the report found. Application-based attacks targeted the Domain Name
System, HTTP, HTTPS and Simple Mail Transfer Protocol.

While enormous DDoS attacks
tend to flood the network, the majority of organizations hit by attacks that were
less than 1G bps in size were targeted with a mix of network and application
flood attacks, Meyran said. While it is much easier for an organization to
detect and block a network flood attack, such as UDP, SYN or TCP floods, it's
harder to defend against real machines with real IP addresses launching
legitimate transactions on the application. "It's the users which are not
real," Meyran said.

"When evaluating DoS
attacks, it is important to understand both the size and type of attack,"
according to the report.

That's not to say attackers
are abandoning large attacks. In its seventh annual "Worldwide
Infrastructure Security Report" released Feb. 7, Arbor Networks said 25
percent of organizations in the survey observed DDoS attacks that exceeded the
total bandwidth into their data center. About 13 percent of the survey
respondents reported attacks greater than 10G bps against their organizations,
and the single largest reported DDoS attack was 60G bps, according to the

Regardless of size, the
number of attacks is growing. Cloud-based DDoS mitigation provider Prolexic
observed and mitigated 45 percent more DDoS attacks in the fourth quarter of
2011, compared with the same period in 2010, and more than double what was
observed during the third quarter of 2011, the company said in its quarterly "Attack
Report" released Feb. 7. Packet-per-second volume increased 18-fold and
there was seven times more attack traffic than in the fourth quarter of 2010,
according to the report. The average attack duration also dropped from last year,
from 43 hours to 34 hours.

DDoS attacks in 2012 will
likely be shorter in duration, but cause more damage because they will feature
bigger packet-per-second attack volume, predicted Paul Sop, Prolexic CTO.
"In the past, attackers had a rifle. In 2012, they have a machine gun with
a laser sight," Sop said.

Although most DDoS attacks
in the news are often launched by hacktivists with an agenda, there are other
players. Hacktivists made up the largest group, accounting for 22 percent of
the attacks, but other perpetrators included angry users, competitors and
criminals looking for ransom payments to stop attacking, according to the
Radware report. Financial services, government and online gaming sites were
targeted the most in 2011.

Even though organizations
often use their firewalls and intrusion-prevention systems to filter out
malicious packets to mitigate DDoS attacks, Radware ERT said firewalls are
"the weakest link." In 24 percent of the attacks, firewalls were the
first system to fail, according to the report. Organizations should be
investing in dedicated DDoS-mitigation technologies. Conveniently for Radware,
the company sells DDoS defense systems.