When it comes to distributed denial-of-service (DDoS), it’s easy to focus on the goliath attacks. Overpowering major systems with data requires huge amounts of traffic; that traffic can create knock-on effects for the broader internet which affect individual users, and these big numbers ultimately attract big headlines.
Over the last few years, innovative attackers have developed methods which produce some truly staggering volumes of traffic. In an amplified DDoS attack, an attacker sends requests to a third-party server while spoofing the target’s address as the source. The server then sends its reply to the victim, and that reply is significantly larger than the request the attacker sent in the first place.
This has the effect of both obscuring the source of the attack and significantly increasing its scale. In the case of one such reflector, Memcached, this amplification can boost the volume of data in the attack by up to 51,000 times; this is how one of the largest DDoS attacks yet verified, against GitHub in early 2018, reached traffic levels of 1.35Tbps. A similar attack in 2016 against DNS provider Dyn knocked out large parts of the internet for many users, including Amazon, Netflix, and Reddit.
The advent of under-the-radar DDoS attacks
When considering DDoS mitigation, then, we might expect cybersecurity professionals’ primary question to be whether or not their system can withstand the brute force of a major DDoS attack. Indeed, a number of vendors advertise how their total DDoS mitigation capacity dwarfs even the largest possible attacks – and this capability is an important component of an effective defence.
However, to view the threat posed by a DDoS attack as being based purely on its size risks overlooking the smaller, more targeted incursions – in fact, we are increasingly seeing DDoS as a matter of much more than just goliath brute force. As the cyberthreat landscape evolves, DDoS is turning into a more surgical tool which, when used alongside other methods, can cause damage far more lasting than taking a website offline.
Indeed, the latest research from Neustar’s security operations centre shows that while large attacks of 100Gbps and above have fallen by 64 per cent over the last year, attacks below that size have risen. Compared to the same time last year, there was a startling 158 per cent increase in the smallest attacks of 5Gbps and below and a 37.5 per cent decrease in average attack size across the board.
This is not due to lack of capability. In reality, staging a major assault has never been less challenging. Where once an attacker may have needed to spend time and resources building out a botnet, hoping to scale it up to the necessary size without being detected, today a botnet can be rented for as little as £20 a day.
Stealth is the new strength
Performing a small-scale attack is a conscious, tactical choice designed to fly under the radar of traditional mitigation strategies.
For many of the most damaging DDoS attacks, the traffic flow involved is so small that not only does the server stay online, but the defensive tools aren’t even triggered. This stealth approach broadens the scope for more specific protocol attacks which target elements of the system that sit between the public internet and the target network. Sometimes these are designed to add undue load to the router’s CPU; sometimes they target load balancers to limit site usability; sometimes they fill up firewall state tables, leaving the system more vulnerable.
In this way, smaller, more precise DDoS methods can create opportunities for attackers to fulfil their actual goal, whether that is data theft, system intrusion, or business disruption. In some cases, degrading website performance over the long term, rather than disabling the website entirely and triggering a response to the threat, constitutes success from the attacker’s perspective. And given that, according to recent data from Neustar International Security Council members, just 28 per cent of organisations consider themselves to be ‘very likely’ to spot an attack of this size, the appeal of sub-5Mbps attacks is clear.
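The contrast drawn above between size-based mitigation and low-bandwidth attacks that exhaust firewall state tables, as an added example that is not from the article or from Neustar: two detectors run over the same constructed one-second flow sample, one keyed on bit rate and one on half-open session count. The addresses, thresholds and state-table capacity are all assumed values.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport nbytes state")

# Constructed one-second traffic sample against a single web front end.
# One legitimate client completes its handshake ('established'); six
# hundred spoofed sources each send a single 60-byte SYN and never
# complete it ('half_open'), so each one pins a slot in the firewall's
# state table while adding almost nothing to the aggregate bit rate.
TARGET = "203.0.113.10"  # assumed victim address (documentation range)
FLOWS = [Flow(0.10, "198.51.100.7", TARGET, 443, 5400, "established")]
FLOWS += [
    Flow(0.20 + i * 0.001, f"192.0.2.{i % 254 + 1}", TARGET, 443, 60, "half_open")
    for i in range(600)
]


def bits_per_second(flows, window_s):
    """Aggregate bit rate over the observation window."""
    return sum(f.nbytes for f in flows) * 8 / window_s


def volumetric_alert(flows, window_s, threshold_bps):
    """The size-based trigger: silent for anything that stays under threshold."""
    return bits_per_second(flows, window_s) > threshold_bps


def state_table_alert(flows, table_capacity, fill_fraction=0.5):
    """Fires when half-open sessions would occupy more than fill_fraction of
    the state table, regardless of how few bits they carry."""
    half_open = [f for f in flows if f.state == "half_open"]
    fill = len(half_open) / table_capacity
    distinct_sources = len({f.src for f in half_open})
    return fill > fill_fraction, fill, distinct_sources


def analyse(flows, window_s=1.0, threshold_bps=1e9, table_capacity=1000):
    """Run both detectors over the same flows and return their verdicts side by side."""
    state_alert, fill, sources = state_table_alert(flows, table_capacity)
    return {
        "mbps": bits_per_second(flows, window_s) / 1e6,
        "volumetric_alert": volumetric_alert(flows, window_s, threshold_bps),
        "state_table_fill": fill,
        "state_alert": state_alert,
        "half_open_sources": sources,
    }


if __name__ == "__main__":
    for key, value in analyse(FLOWS).items():
        print(f"{key}: {value}")
```

On this sample the traffic totals well under 1 Mbps, so the volumetric detector never fires, while the half-open sessions already occupy 60 per cent of the assumed state table.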
Consider the story of David and Goliath. It’s typically taken to be the archetypal underdog story, in which a smaller, weaker challenger overcomes overwhelming odds to come out on top. Of course, David’s great advantage in the battle is his sling: precise, rapid technology against which Goliath’s suit of armour affords no protection. In just the same way, the trend in the cyberthreat landscape is not towards meeting the enormous scale of DDoS mitigation technologies head-on with an equal and opposite force, but towards finding smarter, subtler routes to victory. Businesses, of course, will need to evolve their defensive methodologies to match, assessing how prepared they are to guard against attacks of all sizes, both large and small.
Goliath is impressive and intimidating, but you’ll always see him coming. It’s the David denial-of-service attacks that you really need to watch out for.
Rodney Joffe, senior vice president, senior technologist, and fellow, Neustar