Smaller DDoS attacks can be deadlier than big ones

Contrary to conventional thinking that large bandwidth cyber attacks wreak the most damage on enterprises, security experts at Radware instead found that bigger problems usually come in small packages.

The findings of the company’s “2011 Global Application and Network Security Report” bust several myths about the way the industry views the impact of distributed denial of service (DDoS) attacks.

In particular, it challenges the belief that while a cyber attack may feel catastrophic at the time, most organization may never experience an intense attack. Also, a smaller, less intensive attack (76 percent of the attacks surveyed were under 1 Gbps, 32 percent less than 10Mbps) can cause more damage than DDoS attacks that gobble ten times the amount of bandwidth. Only nine percent of attacks in 2011 were over 10Gbps.

Radware’s Emergency Response Team (ERT) found that a much smaller HTTP flood on the application level may do more damage than a larger UDP flood on the network. When evaluating DoS attacks it is important to understand both the size and type of attack.

Other security myths that fall by the wayside in the security report include:

Firewalls or IPS alone can stop DDoS attacks – Despite being designed to provide network security, firewalls and intrusion prevention systems (IPS) are impacted by DDoS attacks. Often the firewall is the weakest link. The report shows that in 32 percent of DDoS attacks, the firewall or IPS became the bottleneck. To stop DDoS attacks you need dedicated hardware solutions, not IPS and firewall technologies.

Content Delivery Network (CDN) providers protect a business against DDOS attacks – The CDN occasionally can handle the less sophisticated, large-volume attacks by simply absorbing them (while the target customer will pay for that bandwidth, of course, as it was recognized as legitimate traffic). However, as seen by the recent cyber attacks that tried to bring down the Israeli financial system and national airline, the CDN was easily bypassed by changing the page request in every Web transaction. These random request techniques force CDNs to “raise the curtain” and forward all the attacks directly to the customer premise, in essence making the CDN act as a proxy unloading the attack traffic directly at the target servers.

The core DoS attack mitigation strategy is to defend and absorb – Businesses can and should have the ability to be proactive in their mitigation steps to stop malicious traffic or Website degradation with a strategy for going on the offense. This changes the rules in which the attacker always has the edge, and instead, levels the playing field. This can be done by identifying the attack tool used as the vehicle to carry the attack campaign and expose and exploit its inherent weaknesses to neutralize the attack tool in a “passive”, non-intrusive way.

Other report findings:

  • 56% of cyber attacks were targeted at applications; 46 % at the network.
  • Financial Services (28%), Government and eGaming (25% each) sites were targeted most.
  • In half of the attacks, companies did not know why they were targets. “Hacktivists” with a political or social agenda accounted for 22% of the attacks; 12% came from angry users; 7% from the competition and 4% wanted a ransom in exchange for freeing the website.
  • DoS attacks became much more organized, professional and complex in 2011 with attackers using as many as five different attack vectors in a single attack campaign. No one point security tool could effectively block this sophisticated multi-level type of attacks. What is needed is a cocktail of techniques that together provide full protection.

Radware’s ERT recommends these ways businesses can protect against DoS and DDoS attacks:

  • Collect information about attacks such as type of attacks, size and frequency. Use the correct measures for the attack type. For example, the proper measurement for UDP floods is in bandwidth and PPS, while the measurement scale for HTTP floods is in transactions per second, concurrent connections, and new connections per second. The UDP flood may seem larger and more dangerous, but the HTTP connection-based attack can cause more damage with much less traffic than the UDP attack.
  • Perform risk analysis at the business level to determine the budget you should allocate to improve your business resilience against DDoS attacks.
  • For bandwidth saturation attacks, make sure your service provider can mitigate volumetric attacks that may saturate your bandwidth.
  • For application attacks, deploy anti-DoS and network behavioral technologies on site.
  • Have a consolidated or “context aware” view into enterprise security with a security event information management (SEIM) system. An SEIM system can build a centralized architecture that simplifies such tasks as monitoring the millions of messages and log records generated by security edge devices. Also, an SEIM is essential when prosecuting a perpetrator.
  • Education and internal security policies are important defense tools, too. Regularly refresh technical skills and practical experience within the security group; but also help employees be aware of how hackers can exploit opportunities throughout the enterprise, especially in the age of “bring your own device”.

The report, prepared by Radware’s Emergency Response Team (ERT), is the product of a security survey sent to a wide variety of organizations, as well as an analysis of of 40 select cases that were handled by the ERT that focus on DoS and DDoS attacks and their mitigation.

As literal “first responders” to cyber attacks, Radware’s ERT members gained their extensive experience by successfully dealing with some of the industry’s most notable hacking episodes, providing the knowledge and expertise to mitigate the kind of attack a business’s security team may never have handled.

Don't miss