The distributed denial of service (DDoS) attack landscape is a shifting sea of motives and techniques—which is necessitating new approaches to detection and mitigation.

A rash of vendor reporting turns up some interesting trends to consider in the threat, including the rising impact of botnet-assisted attacks, and the fact that DDoS is no longer principally about denying service. It’s also being used now as a distraction to degrade security perimeters and allow other threats in, like malware.

Akamai Technologies’ Q1 2015 State of the Internet Security Report found that Q1 2015 set a record for the number of DDoS attacks observed across the company’s PLXrouted network —more than double the number recorded a year ago (up 116.5 percent) and a jump of more than 35 percent compared to last quarter.

Research from the Verisign iDefense Security Intelligence Services dovetails with that finding, noting that it too saw more DDoS attacks in the first quarter than anytime during 2014—though it logged just a 7 percent increase from the previous quarter. It chalks the spike up to hacktivism against financial services firms and various international governing organizations, including in the wake of the Charlie Hebdo terrorist attacks in Paris.

That said, among Verisign’s customers, the most-attacked industry was the IT services/cloud/SaaS sector, representing more than one-third of all mitigation activity. Meanwhile, both public sector and financial services customers increased; each grew from 15 percent in Q4 2014 to represent 18 percent of all Verisign mitigations in Q1 2015. For Akamai, the gaming sector was hit with more DDoS attacks than any other industry. Gaming has remained the most targeted industry since Q2 2014 for the company, and its share of DDoS attacks has remained steady when compared to the previous quarter.

Along with different targets, there are lots of different motivations for a DDoS attack.

“Since the early days of the Internet, malicious actors have used DDoS attacks as tools of protest, financial gain, retaliation and simple mischief,” the report noted. “Today’s DDoS attackers choose their targets and tactics for a number of reasons, many of which may not be clearly evident to the victims or the security professionals and law enforcement organizations who assist them.”

Botnets to the Fore

Interestingly, most DDoS attacks are launched from a collection of botnets that have enslaved millions of unsuspecting machines. According to Check Point’s 2015 Security Report, a full 83 percent of organizations studied were infected with bots in 2014, up from 73 percent in 2013, communicating and sharing data with their command and control servers every minute on average.   

Further, Kaspersky Lab found that 93.2 percent DDoS targets in Q1 were attacked by just one family of bots. In 6.2 percent cases, two families of bots simultaneously participated in an attack, and three or more participated in 0.6 percent cases. In such cases, either the cybercriminals simultaneously used several different bot families to perform the attack, or the clients used the services of several attackers at once.

The ready availability of DDoS botnets-for-hire is changing the landscape too. It’s now possible for literally anyone to launch an effective DDoS attack for very little money.

Kaspersky Labs data shows that the number of botnet-assisted attacks in the first quarter actually declined from the previous quarter; but this is likely due to seasonality.

“Last December saw a dramatic increase in the number of botnet-assisted DDoS attacks,” the firm said in its quarterly report. “The number of attacks declined steadily through January and February, but then began to rise again in March. The December peak could be linked to the Christmas/New Year holidays, when the cyber-criminals redoubled their efforts to disrupt the operation of websites and services popular with users.”

At the same time, the threat has grown to target more countries—76 in all. Notable increases were seen in Russia, South Korea, France and Canada.

“Historically, most attacks target Web resources located in the USA and China, as these two countries offer the cheapest prices for web hosting, and many web resources are located there,” explained Kaspersky Lab, in its quarterly DDoS threat report. “However, the 10 most frequently attacked targets also include victims from Europe and the APAC region.”

These stats demonstrate that botnet-assisted DDoS attacks are relevant for most diverse Web resources regardless of their geographic location.

Changing Attack Profiles

The most prolonged DDoS attack in Q1 2015 that Kaspersky saw lasted for 140 hours (or about six days); and the most frequently attacked web resource (a Russian-language website for a group of investment companies) survived 21 attacks within the three month period. There were other high-volume targets: A Vietnamese wedding services provider faced 16, and a hosting provider in the US saw 15 individual attacks. There were also eight mega-attacks in Q1, each exceeding 100Gbps and the largest peaking at 170Gbps.

“The menu of easy-to-use attack vectors found in the DDoS-for-hire market can make it easy to dismiss the effectiveness of attackers who use them,” Kaspersky’s report noted. “A year ago, peak attack traffic using these tactics from booter/stresser sites typically measured 10-20Gbps. Now, these attack sites have become more dangerous, capable of launching attacks in excess of 100Gbps. With new reflection attack methods being added continually, such as SSDP, the potential damage from these is expected to continue increasing over time.”

However, these high-bandwidth attacks are increasingly not the norm, despite dominating trends in 2014. In the first quarter of this year, the typical DDoS attack was less than 10Gbps in traffic volume, and was very persistent, enduring for more than 24 hours. In fact, there was a 42.8 percent increase in the average attack duration from 2014’s first quarter: 24.82 vs. 17.38 hours a year ago.

Verisign’s numbers show that half of all attacks that it mitigates came in around the 1Gbps mark, and 34 percent of attacks peaked between 1Gbps and 5Gbps. Only 10 percent of attacks peaked at more than 10Gbps.

It did see one attack that came in at 54Gbps. It targeted a cloud customer and persisted for approximately four hours.

According to Dave Larson, CTO at Corero Network Security, the lower-bandwidth attacks—which may not completely saturate an Internet connection—are becoming more popular because DDoS is being used more frequently as a masking agent or security perimeter degradation tool.

“There is an interesting point to note which is the increase in number of attacks with a corresponding drop in mean peak bandwidth,” he said via email. “The big attacks are still occurring – but [there is an] increase in lower level attacks of [this] type.”

In Q4 2014, 87 percent of attack attempts against Corero’s customers were less than 1Gbps in peak bandwidth utilization. While another 10 percent of attacks were between 1-5Gbps.

Partial link saturation attacks do not fully consume the Internet link, so the attack is designed to leave just enough bandwidth available for other sophisticated multi-vector attacks, with data exfiltration as the main objective, while the distracting DDoS attack consumes resources.

Along with this comes the phenomenon of attackers are implementing techniques to profile the nature of the target network’s security defenses, and utilizing subsequent techniques to implement second or third attacks designed to circumvent an organization’s layered protection strategy.

New Mitigation Techniques

With DDoS becoming more sophisticated, new approaches that monitor traffic on an “in-line” basis—rather than the edge-sampling techniques that make up the status quo detection method today—are becoming more necessary.

Larson, as evidence of this, pointed out that even with the 35 percent increase logged by Akamai in unique DDoS attacks from Q4-2014 to Q1-2015, the total number of around 440 attacks during the quarter in the entire Akamai/Prolexic customer base is far lower than the actual number of attacks mounted overall.

“Corero sees nearly this many attacks in just a single average customer (351), with several of our customers experiencing many more discrete DDoS attacks than the entire Akamai/Prolexic customer base,” he said. “This is not intended as a slight against Akamai – but it is an indication that they can only count what they can see. An out-of-band solution, while useful for massive scale events, is limited in the granularity it can achieve.”

To defend against both traditional and evolving DDoS attack methods, Corero organizations can pursue a number of measures. For instance, they can consider implementing technology to detect, analyze and respond to DDoS attacks by inspecting raw Internet traffic at line rate, which allows them to identify and block threats within the first few packets of a given attack.

Corero has adopted this approach, and recently announced its integration with Verisign OpenHybrid and support for Verisign’s open standards-based approach for hybrid DDoS solutions. The combination addresses sub-saturating DDoS attacks alongside high volume and complex application layer attacks that exceed the customer’s network and resource capacity.

Companies should also introduce a layered security strategy focusing on continuous visibility and security policy enforcement, to establish a proactive first line of defense capable of mitigating DDoS attacks, while maintaining full service connectivity, availability and delivery of legitimate traffic. And, whatever solution they choose, they should ensure complete application and network layer visibility into DDoS security events. This best practice will also enable forensic analysis of past threats and compliance reporting of security activity.

“Denial of service attacks have been a threat to service availability for more than a decade. However, more recently these attacks have become increasingly sophisticated and multi-vector in nature, overcoming traditional defense mechanisms or reactive countermeasures,” Larson said. “As our customers’ experiences indicate, the regularity of these attacks simply highlights that there is a growing need for protection that will properly defeat DDoS attacks at the network edge, and ensure the accessibility required for the Internet connected business, or the Internet providers themselves.”