Small DDoS Attacks Just as Damaging as Massive Ones: Radware

When it comes to distributed denial-of-service attacks, smaller attacks can cause just as much, if not more, damage than enormous ones, according to a recent study.

DDoS attackers are focusing less on bandwidth and shifting toward application layer attacks, Radware said in its "2011 Global Application and Network Security Report," released Feb. 6. While some organizations do incur massive DDoS attacks, most never experience a high-magnitude attack, Ron Meyran, director of security products, wrote on the company's blog.

The Radware Emergency Response Team examined 135 attacks that occurred in 2011 and found that 76 percent were less than 1G bps in bandwidth, of which only 32 percent were less than 10M bps, Radware said. Only 9 percent of attacks in 2011 were over 10G bps in bandwidth. Organizations focused on the traditional methods of expanding the network pipe to absorb malicious traffic needed to change their methods, Radware said.

"A 5M bps HTTP connection flood attack can also stop you dead in your tracks," the report said.

A little more than half, or 56 percent, of attacks targeted applications while 46 percent targeted the network, the report found. Application-based attacks targeted the Domain Name System, HTTP, HTTPS and Simple Mail Transfer Protocol.

While enormous DDoS attacks tend to flood the network, the majority of organizations hit by attacks that were less than 1G bps in size were targeted with a mix of network and application flood attacks, Meyran said. While it is much easier for an organization to detect and block a network flood attack, such as UDP, SYN or TCP floods, it's harder to defend against real machines with real IP addresses launching legitimate transactions on the application. "It's the users which are not real," Meyran said.

"When evaluating DoS attacks, it is important to understand both the size and type of attack," according to the report.

That's not to say attackers are abandoning large attacks. In its seventh annual "Worldwide Infrastructure Security Report" released Feb. 7, Arbor Networks said 25 percent of organizations in the survey observed DDoS attacks that exceeded the total bandwidth into their data center. About 13 percent of the survey respondents reported attacks greater than 10G bps against their organizations, and the single largest reported DDoS attack was 60G bps, according to the report.

Regardless of size, the number of attacks is growing. Cloud-based DDoS mitigation provider Prolexic observed and mitigated 45 percent more DDoS attacks in the fourth quarter of 2011, compared with the same period 2010, and more than double what was observed during the third quarter of 2011, the company said in its quarterly "Attack Report" released Feb. 7. Packet-per-second volume increased 18-fold and there was seven times more attack traffic than in the fourth quarter of 2010, according to the report. The average attack duration also dropped from last year, from 43 hours to 34 hours.

DDoS attacks in 2012 will likely be shorter in duration, but cause more damage because they will feature bigger packet-per-second attack volume, predicted Paul Sop, Prolexic CTO. "In the past, attackers had a rifle. In 2012, they have a machine gun with a laser sight," Sop said.

Although most DDoS attacks in the news are often launched by hacktivists with an agenda, there are other players. Hacktivists made up the largest group, accounting for 22 percent of the attacks, but other perpetrators included angry users, competitors and criminals looking for ransom payments to stop attacking, according to the Radware report. Financial services, government and online gaming sites were targeted the most in 2011.

Even though organizations often use their firewalls and intrusion-prevention systems to filter out malicious packets to mitigate DDoS attacks, Radware ERT said firewalls are "the weakest link." In 24 percent of the attacks, firewalls were the first system to fail, according to the report. Organizations should be investing in dedicated DDoS-mitigation technologies. Conveniently for Radware, the company sells DDoS defense systems.