The attack landscape has shifted over the last 10 years, with attackers increasingly going after applications, according to Arbor Networks’ 10th Annual Worldwide Infrastructure Security Report (WISR). The new study is based on responses from 287 service providers, including hosting, mobile, enterprise and global network operators.
“Looking back to our first report 10 years ago, 90 percent of respondents saw volumetric DDoS [distributed denial-of-service] attacks on their networks,” Gary Sockrider, solutions architect at Arbor Networks, told eWEEK. “This year, 90 percent saw application-layer DDoS attacks, which weren’t even being discussed back then.”
DDoS attacks have also grown in attack bandwidth in recent years. The Arbor report found that the largest DDoS attack in 2014 reached a peak of 400G bps. In contrast, the largest attack in 2004 was only 8G bps. Large-bandwidth attacks are also becoming more common, with Sockrider noting that 159 DDoS events in 2014 exceeded 100G bps.
Organizations typically leverage firewall technology to help mitigate security risks; however, the Arbor report found that one-third of organizations had firewalls that failed due to a DDoS incident. Unfortunately, many organizations are still using firewalls and intrusion prevention systems (IPSes) to defend against DDoS attacks, Sockrider said.
“Since these devices typically maintain state tables for the traffic passing through them, they become the victim of state exhaustion DDoS attacks,” he said. “One positive trend we saw this year was the increased use of Intelligent DDoS Mitigation Systems to protect the firewalls and other infrastructure from these kinds of attacks.”
Sockrider explained that volumetric DDoS attacks typically consist of simple packet floods whose goal is to use up all available bandwidth so nothing else gets through. In contrast, state exhaustion attacks do not need to exhaust bandwidth; they are designed to fill up state tables on the target.
“These attacks attempt to consume the connection state tables which are present in many infrastructure components such as load balancers, firewalls and the application servers themselves,” Sockrider said. “Even high-capacity devices capable of maintaining state on millions of connections can be taken down by these attacks.”
Technology isn’t the only challenge, as service providers have also been grappling with staffing issues. Fifty-nine percent of the study’s respondents indicated that they have experienced difficulty in hiring and retaining skilled IT security professionals.
Regarding trends to watch for 2015, Sockrider said to expect the trends toward larger, more frequent and more numerous attacks to continue. What seems to vary most, he added, is the type of attack vectors used, as attackers are getting more sophisticated in combining multiple techniques.
“One thing has become clear: DDoS has become a standard component of larger campaigns, often serving as a distraction or smoke screen for other malicious activity,” Sockrider said. “When you are the victim of a DDoS attack in the future, it may just be the beginning of your problems.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.