Attackers Turn to Small-Scale DDoS Attacks to Avoid Detection
Distributed Denial of Service (DDoS) attacks are different from many of the cyber threats that an organization commonly faces - many types of attacks are designed to either steal sensitive information or cause permanent damage. The physical impact of a DDoS attack, on the other hand, is temporary. Once the attack ceases, then business can continue as usual.
However, the business impacts of a successful DDoS attack can be much more significant. Even a diminished ability to receive and process customer requests on an organization’s website can cause lost sales and customer dissatisfaction.
Cybercriminals are aware of this, and this knowledge has driven the evolution of the DDoS attack. In the past, DDoS attacks were performed at a massive scale and designed to entirely disable an organization’s web presence. Many modern DDoS attacks are more subtle and designed to only degrade functionality. As a result, only more sophisticated DDoS mitigation are still able to identify and protect against these new types of attacks.
A Quick Introduction to DDoS
DDoS attacks are unusual among cyber threats. In most cases, being vulnerable to an attack requires there to be something wrong with the target’s environment. This could range from an unpatched software vulnerability to users that use easily guessable passwords or fall for phishing attacks. For DDoS, the only mistake needed by the victim is the failure to deploy an appropriate DDoS mitigation solution.
A DDoS attack is designed to take a system offline by destroying its ability to process legitimate requests. No system can receive and respond to an infinite number of requests, so it is always possible to exceed this threshold. Any efforts to raise this threshold (without fixing the underlying vulnerability) simply increase the amount of computational power that the attacker needs to pull off the attack.
With the rise of the Internet of Things (IoT) and cloud computing, many cybercriminals have access to computational power to spare. The number of IoT devices on the Internet is growing rapidly, and many of these devices have extremely poor security. For example, the Mirai botnet, which contained about 400,000 compromised devices at its peak, was created using malware that just tried logging in to IoT devices with a list of 61 sets of common user credentials. Combining easily compromised IoT devices with cheap cloud computing available for lease makes performing large-scale DDoS attacks easy and affordable for cybercriminals.
Tactics are Changing
In the past, Mirai-style massive DDoS attacks were the norm. This is the simplest type of DDoS attack since all the attacker has to do is overwhelm the number of connections that a computer or set of load-balanced servers can manage. The power of these attacks by massive IoT botnets can be increased by DDoS amplifiers, protocols that allow an attacker to send a minor request to a service (all while they spoof their IP address to that of their victim) and have a much larger response sent to their target to process.
The problem with this approach to DDoS attacks is that it is very easy to detect and block. These attacks typically consist of a large number of very large packets coming from a small number of attacking IP addresses (due to the use of DDoS amplification). Since the attack traffic is easy to differentiate from legitimate traffic, it is easy to filter out, making the attack ineffective and allowing legitimate business to continue.
The focus upon detecting and blocking large-scale DDoS attacks has led to a change in tactics. Many organizations will only be aware of an attack in progress if it is large enough to knock their services offline. However, complete destruction of an organization’s web presence isn’t necessary to have an impact. Any degradation of service can affect the customer experience, causing poor reviews and a loss of sales.
As a result, cybercriminals are increasingly using small-scale DDoS attacks to avoid detection. In Q3 2019, the number of DDoS attacks with traffic volumes under 5 Gbps grew by 303% compared to the same time the previous year. This growth in small-scale attacks was faster than the overall DDoS growth rate and pushed this type of attack 81% of all DDoS attacks.
Protecting Against the Modern DDoS Attack
In the past, cybercriminals took a brute-force approach to DDoS attacks. By sending a large number of massive packets to a target service, they were able to overwhelm its bandwidth and ability to process new requests. As a result, the service’s ability to function was degraded or destroyed. While this type of attack is effective, it is also easy to detect. The features of the attack traffic (large volume, massive packets, etc.) make it relatively easy for DDoS mitigation solutions to filter out malicious traffic from legitimate traffic.
This has driven DDoS attackers to adopt new tactics, including the use of smaller-scale DDoS attacks designed only to degrade functionality and attacks targeting the application layer rather than the network layer. This type of attack is more difficult to detect and defend against since many of the distinguishing features of the “traditional” DDoS attack are no longer present.
Defending against this new type of DDoS attack requires a more sophisticated approach to DDoS detection and mitigation. As attackers increasingly switch to these types of tactics, the leading DDoS mitigation solutions will pull ahead of competition due to their ability to adapt to and defend against evolving DDoS tactics.