Distributed denial-of-service (DDoS) attacks are often associated with large bursts of attack traffic that last for hours at a time, but that's not the only type of DDoS attack. In fact, the majority of DDoS attacks in the fourth quarter of 2014 lasted 30 minutes or fewer, a new report from Corero Network Security found.
The short-duration DDoS attacks represented 96 percent of attacks against Corero's customers in that quarter. While the DDoS attacks were short in duration, Corero reported in its DDoS Trends and Analysis quarterly report that its customers saw an average of 3.9 attacks per day. From an attack bandwidth perspective, 79 percent of the DDoS attacks Corero saw in the fourth quarter came in at 5G bps or less.
"There is an existing preconception that DDoS is exclusively used to deny service to Web properties or online services," Dave Larson, CTO and vice president of product at Corero, told eWEEK. "Our data suggests expanding the understanding of the acronym to include degrading and evading the network security layer."
As to why Corero's customers saw so many short-duration attacks in the fourth quarter, Larson said it is the reason for the attack that defines the timescale. In his view, the short-duration attacks are either masking some other kind of intrusion activity, which can occur within an even shorter timeframe—possibly a couple of seconds—or they are probe events to gauge the responsiveness of an intended target. The short-duration attack could also be an attempt to exploit service issues within the known response times of organizations to DDoS. Larson said that the typical cloud or scrubbing DDoS mitigation techniques take 20 to 30 minutes to detect and move routes.
Corero is not the first vendor to point out that not all DDoS attacks make use of large bandwidth volumes of traffic. Back in 2013, security vendor Arbor pointed out the dangers of low-bandwidth attacks such as the Apache Killer, Slowloris and R-U-Dead-Yet (RUDY). Larson said that his company's report does not make a distinction among the slow events.
"For now, we think it is important that organizations become aware of the fact that not all low-bandwidth DDoS is a connection occupation/starvation attempt like Slowloris," he said.
In recent years, other DDoS security vendors and the United States Computer Emergency Readiness Team (US-CERT) have pointed out the risks of amplification and reflection attacks that abuse misconfigured Domain Name System (DNS) and Network Time Protocol (NTP) servers. Larson said that Corero has not included amplification and reflection attack data statistics in the current report. That said, he noted that Corero's plan is to provide analysis of amplification and reflection attacks in the next quarterly report. It is clear that the amplification reflection class of attack is used along a wide spectrum of bandwidth instances, from fairly small sub-saturating events to large-scale, super-saturating multi–100G-bps attacks, he added.
In Larson's view, Corero's visibility into DDoS is different from other security vendors, due to the deployment and positioning of the DDoS mitigation appliance in the customer network. He explained that Corero's SmartWall Threat Defense System (TDS) is deployed at the very edge of the customer network or at the Internet peering points as a first line of defense. From that location, the SmartWall TDS is able to inspect all traffic arriving from the Internet and mitigate attacks in real time before the attacks impact the customer environment.
Looking at the rest of 2015, Larson noted that as Corero continues to monitor and protect against DDoS attacks that are targeted toward its customers, the expectation is that attacks will increase in frequency and continue to evolve to circumvent traditional security measures.
"DDoS attackers are smart, and they tend to target the lowest hanging fruit, and position their attack attempts to cause the most damage," Larson said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.