Short-Duration DDoS Attacks Becoming More Popular
Corero's DDoS Trends and Analysis quarterly report finds that short bursts of attack traffic are an increasingly common form of DDoS attack.
Distributed denial-of-service (DDoS) attacks are often associated with large bursts of attack traffic that last for hours at a time, but that's not the only type of DDoS attack. In fact, the majority of DDoS attacks in the fourth quarter of 2014 lasted 30 minutes or fewer, a new report from Corero Network Security found. The short-duration DDoS attacks represented 96 percent of attacks against Corero's customers in that quarter.
While the DDoS attacks were short in duration, Corero reported in its DDoS Trends and Analysis quarterly report that its customers saw an average of 3.9 attacks per day. From an attack bandwidth perspective, 79 percent of the DDoS attacks Corero saw in the fourth quarter came in at 5G bps or less.
"There is an existing preconception that DDoS is exclusively used to deny service to Web properties or online services," Dave Larson, CTO and vice president of product at Corero, told eWEEK. "Our data suggests expanding the understanding of the acronym to include degrading and evading the network security layer."
As to why Corero's customers saw so many short-duration attacks in the fourth quarter, Larson said it is the reason for the attack that defines the timescale. In his view, the short-duration attacks are either masking some other kind of intrusion activity, which can occur within an even shorter timeframe—possibly a couple of seconds—or they are probe events to gauge the responsiveness of an intended target. The short-duration attack could also be an attempt to exploit service issues within the known response times of organizations to DDoS. Larson said that the typical cloud or scrubbing DDoS mitigation techniques take 20 to 30 minutes to detect and move routes.
Corero is not the first vendor to point out that not all DDoS attacks make use of large bandwidth volumes of traffic. Back in 2013, security vendor Arbor pointed out the dangers of low-bandwidth attacks such as the Apache Killer, Slowloris and R-U-Dead-Yet (RUDY). Larson said that his company's report does not make a distinction among the slow events.