DDoS ‘Trojan Horse’ distracting network operators from bigger threats


The greatest DDoS risk for organisations is the barrage of short, low volume attacks that mask more serious network intrusions, according to the latest DDoS trends and analysis report from Corero Network Security, a provider of real-time DDoS defence solutions.

According to the research, which highlighted DDoS attack attempts against its customers, short, frequent, low-volume DDoS attacks continue to dominate. Despite several headline-dominating, high-volume DDoS attacks over the past year, the vast majority (98%) of the DDoS attack attempts against Corero customers during Q1 2017 were less than 10 Gbps per second in volume. In addition, almost three quarters (71%) of the attacks mitigated by Corero lasted 10 minutes or less.

>See also: Criminal benefits: profit margin of a DDoS attack can reach 95%

Due to their small size, these sub-saturating attacks tend to go undetected by IT security staff and many DDoS protection systems. However, they are just disruptive enough to knock a firewall or intrusion prevention system (IPS) offline so that the hackers can target, map and infiltrate a network to install malware and engage data exfiltration activity.

Ashley Stephenson, CEO at Corero Network Security, explained: “Short DDoS attacks might seem harmless, in that they don’t cause extended periods of downtime. But IT teams who choose to ignore them are effectively leaving their doors wide open for malware or ransomware attacks, data theft or other more serious intrusions. Just like the mythological Trojan Horse, these attacks deceive security teams by masquerading as a harmless bystander – in this case, a flicker of internet outage – while hiding their more sinister motives.”

Sub saturating DDoS attacks: the calm before the storm

In total, Corero customers experienced an average of 124 DDoS attack attempts per month, equivalent to 4.1 attacks per day during Q1 of 2017. This represents a 9% increase in attacks over Q4 2016.

“Rather than showing their capabilities in full view, through large, volumetric DDoS attacks that cripple a website, using short attacks allows bad actors to test for vulnerabilities within a network and monitor the success of new methods without being detected,” continued Stephenson. “Most cloud-based scrubbing solutions will not detect DDoS attacks of less than 10 minutes in duration, so the damage is done before the attack can even be reported.”

>See also: DDoS attacks: why size isn’t everything

“As a result, the raft of sub-saturating attacks observed at the beginning of this year could represent a testing phase, as hackers experiment with new techniques before deploying them at an industrial scale.”

While low volume attacks remain the norm, Corero recorded a significant (55%) increase in large DDoS attacks of more than 10 Gbps per second, in Q1 of 2017, compared to the previous quarter.

In addition, while the majority of attacks recorded lasted less than 10 minutes, the data also revealed a slight increase in attacks lasting 20 minutes or longer, with these attacks now accounting for nearly a quarter (22%) of all the attacks recorded.

Increased risks for EU General Data Protection Regulation (GDPR)

From May 2018, any organisation that operates in Europe or has European resident data could be subject to severe penalties of up to 4% of global turnover if they fail to protect the data of EU residents.

>See also: Major sites shut down by DDoS attack after taking over smart devices

Stephenson concluded that “With GDPR on the horizon, the risk of data theft resulting from sub-saturating DDoS attacks is extremely serious, and claiming to be ignorant of malicious activity on your network will not substitute a defence. To keep up with the growing sophistication and organisation of well-equipped and well-funded threat actors, it’s essential that organisations maintain a comprehensive visibility across their networks to detect and block any potential DDoS incursions as they arise.”


The UK’s largest conference for tech leadership, TechLeaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics

DDoS Attack