Short, low-volume DDoS attacks causing only brief service disruptions may be the greatest security threat for businesses, because they can act as a “Trojan Horse” for destructive malware and other attacks, according to research released this week by Corero.
Sub-saturating DDoS attacks can knock firewalls or intrusion prevention systems (IPS) offline, and distract IT security staff while attackers install malware to steal data, Corero’s latest DDoS Trends Report says.
Seventy-one percent of attacks observed by Corero during the quarter lasted less than 10 minutes, and almost 80 percent were less than 1 Gbps.
“Rather than showing their capabilities in full view, through large, volumetric DDoS attacks that cripple a website, using short attacks allows bad actors to test for vulnerabilities within a network and monitor the success of new methods without being detected. Most cloud-based scrubbing solutions will not detect DDoS attacks of less than 10 minutes in duration, so the damage is done before the attack can even be reported,” Corero Network Security CEO Ashley Stephenson said in a statement. “As a result, the raft of sub-saturating attacks observed at the beginning of this year could represent a testing phase, as hackers experiment with new techniques before deploying them at an industrial scale.”
Stephenson also emphasized the importance of defending against data theft for companies operating in Europe or with European resident data, as the EU’s General Data Protection Regulation (GDPR) comes into effect in May 2018, with potentially severe penalties for data loss.
Companies are now facing an average of four attacks per day, after a nine percent increase in Q1 2017 from Q4 2016, according to the report. The majority of attacks continue to be low in volume and sort in duration, however Corero observed a 55 percent increase in attacks larger than 10 Gbps over the previous quarter.
The report also describes a zero-day DDoS attack vector discovered by Corero in October 2016, utilizing the Connectionless Lightweight Directory Access Protocol (CLDAP) in an amplification technique. The protocol is widely used for accessing username and password information from databases, and the report says an incorrect Active Directory configuration could be leveraged to perform DDoS attacks.
Verisign’s Q1 DDoS report also identified increasing complexity among DDoS attacks as a challenge to mitigation. Corero expanded a partnership with Juniper Networks to combine the companies’ technologies, and expanded its DDoS mitigation offerings in February.