One of the great challenges for cyber security teams is that the workload only ever increases. Not only are new threats constantly popping up but more established threats never fully disappear. They lurk in the background: mutating, re-emerging, and causing new headaches. For instance, while many in the industry are currently laser-focused on the dangers of ransomware, DDoS attacks are still an ever-present threat – with nine in 10 organisations experiencing attacks, at a cost of hundreds of thousands of dollars per hour of downtime. And since anyone can launch attacks and cripple networks for the price of a Netflix subscription, the economics are certainly attractive.
In the past year, DDoS attacks have mutated, and increasingly demand new approaches to mitigate. Rather than disrupting services for hours at a time, attacks are increasingly nasty, brutish and short. But why is this?
Digital transformation and the growth of DDoS attacks
Harder? Better? Faster? Stronger?
A study by Imperva Research Labs of DDoS attacks in the first half of 2021 shows that attacks are shrinking in length and growing in strength. While many might picture DDoS attacks as lasting for hours or days, the median duration of an attack in H1 2021 was just 6.1 minutes, while less than 1% of all attacks lasted for a day or more.
At the same time, the number of attacks – and their intensity – is growing. Imperva detected 5,591 DDoS attacks in the first half of 2021: creating a total of 261 billion packets, and with peak throughput of 400Gbps. Even the lowest attack recorded still hit a throughput of 263Gbps. Imperva also mitigated its largest DDoS attack to date in 2021 – a July attack with a throughput of 1.02 terabytes per second, and 155 million packets per second.
Attackers aren’t only focusing on short, sharp shocks: they’re also scheduling the most opportunistic days and times to attack. While a clear majority of DDoS attacks in 2020 happened on a Sunday – potentially to catch security teams off-guard and wreak havoc before the working week began – so far in 2021 attacks have been relatively evenly spaced across the week.
Searching for meaning
An important question is why are attackers’ behaviour changing? Attackers are always looking for the most effective and lucrative approach, and switching to shorter and more intense attacks to bypass mitigation efforts is a natural evolution. Regardless, organisations need to be prepared for what this new behaviour means.
First, these shorter attacks are a clear attempt to bypass the limitations of mitigation services that can take time to activate. Many DDoS mitigation providers offer response SLAs of 15 minutes to an hour; meaning any attack is over and done before there’s a chance to respond. By launching quick burst attacks that are over before mitigation can even start, attackers can keep barraging their targets; continually circling back and leaving networks ‘punch drunk’ and security professionals overwhelmed. They may also be part of the increasing trend towards ransom DDoS attacks, where attackers launch hit-and-run attacks as a warning shot to scare victims into paying up before a threatened larger assault.
Finally, savvy attackers that know the limitations of DDoS mitigation tools and already-stretched security teams can sometimes use these attacks as a feint to distract attention from the real threat. A short, stealthy DDoS attack against an organisation using outdated or unsophisticated DDoS mitigation tools can easily lurk beneath the organisation’s detection thresholds until it can overload a firewall or other intrusion prevention systems. In the struggle to get these back online, attackers have the perfect opportunity to install malware, steal data, access other parts of the network, or simply perfect their techniques.
New identities are creating opportunities for attackers across the enterprise
Many motives, one conclusion
Regardless of attackers’ exact motives, they are forcing a change in DDoS mitigation strategy. With attackers able to cause maximum disruption before mitigation kicks in, security teams are forced into a game of cat and mouse. The willingness of attackers to use a ‘rinse and repeat’ approach, making it harder for security teams to manage, means the current approach to DDoS isn’t sustainable.
Instead, organisations need to change the way they approach DDoS mitigation. A traditional on-premises or hybrid approach, relying on upstream connectivity to start mitigation, is no longer valid when that connectivity would be totally overwhelmed in the first, crucial seconds of an attack. Mitigation needs to be always-on, able to identify and respond to potential threats immediately.
In addition, DDoS mitigation cannot exist in a vacuum. As with everything else in security, everything is connected; a successful DDoS attack can very quickly turn into a threat to applications and data, and vice versa. Mitigation should form part of a holistic approach to edge, application and data security that prevents potential threats from slipping through the gaps.
Effective cyber security is a process of constant evolution, and DDoS mitigation is no different. Attackers may be changing their strategies, but by keeping pace – and making sure they have the reflexes to deal with hit-and-run attacks – organisations can still keep them at bay.