Distributed denial-of-service (DDoS) attacks are growing in both size and frequency, challenging organizations to keep up, according to a new report from Arbor Networks.
According the firm’s 10th Annual Worldwide Infrastructure Security Report, organizations of all types and sizes faced disruptive DDoS threats to their business. The report included responses from 287 organizations, and covered the period from November 2013 to November 2014.
According to the findings, the most frequently observed threats on enterprise networks were DDoS attacks, accidental data loss and botted or otherwise compromised hosts, all of which garnered around a third of respondents. Nearly half of all enterprises in the report were hit with DDoS attacks during the survey period, with almost 40 percent of those seeing their Internet connectivity saturated. In addition, more than one-third of these organizations had firewall or IPS devices experience a failure or contribute to an outage during a DDoS attack.
IPS devices and firewalls were also hit at other types of organizations as well. For example, among data center operators, nearly half reported their firewalls experienced or contributed towards an outage due to DDoS – up from 42 percent last year. Load balancers also experienced issues, with more than a third of respondents seeing these fail as well due to DDoS.
“It’s difficult to say exactly how often the firewalls and IPS are the targets but we do know that they often fail,” said Gary Sockrider, solutions architect for the Americas for Arbor Networks. “According to our survey this year 35 percent of enterprise respondents indicated their firewall or IPS failed or contributed to an outage due to an attack. This is another example of attack technique evolution. In this case, attacks are crafted to exhaust state tables. Since these security appliances typically maintain state tables for traffic passing through them they can become the victim before the attack even reaches the target.”
The impact of DDoS on businesses can be significant, with 49 percent citing operational expenses and 37 percent reputation damage as the top business impacts among enterprises. Overall, the number of attacks appears to have gone up. In 2013, just over one quarter of respondents said they had seen more than 21 attacks per month. In 2014, that percentage stood at 38 percent. The largest reported attacks ranged from 400 Gbps through 300Gbps, 200Gbps and 170 Gbps.
Ninety percent of respondents admitted seeing application-layer attacks, and two-thirds of attacks are volumetric. Forty-two percent of respondents experienced multi-vector attacks that combined volumetric, application-layer and state exhaustion techniques within a single sustained attack.
“Volumetric attacks are the oldest and original type of denial of service attack,” Sockrider said. “Simply put, attackers send extremely high volumes of packets at an incredibly fast rate to completely overwhelm the Internet infrastructure connecting the victim to the global network. Think of it like a road leading out of town during an emergency evacuation. So many cars get on the road at once that traffic comes completely to a halt.”
“The reason to combine different attack vectors is simply a matter of stealth and complexity,” he explained. “Volumetric packet floods are brute force attacks like a sledge hammer. Application layer attacks are low and slow stealth attacks that are harder to detect. State exhaustion attacks can affect a broad range of infrastructure so they’re the Swiss army knife. By combining these, the attack has a much better chance of success for longer periods because a defender has to find and mitigate all of them to restore availability.”