Handling Stealthy DDoS Attacks


From simple beginnings in the late nineties, DDoS attacks became bigger and badder throughout the early 2000s. Now, a more sophisticated kind of DDoS campaign is putting victims at even more risk. Stealthy, subsaturating attacks often signal more damaging network intrusions that can be difficult to spot. 

In their early days, DDoS attacks were mostly volumetric. They focused on flooding targeted systems with as much traffic as possible to disrupt operations. Whereas volumetric attacks take a sledgehammer approach, subsaturating attacks are the surgical tools of the DDoS world. These subtler DDoS events send smaller amounts of traffic to a target that leave the majority of network services up and running. And this more sophisticated type of DDoS threat is becoming increasingly common.

For instance, while advanced threat protection solutions provider Arbor Networks has identified a rise in the average size of DDoS attacks in its 12th Worldwide Infrastructure Security Report, and an increase in the largest sizes of attack, the majority of DDoS attacks are still relatively small. The report found that 70 percent of all DDoS events send less than 500Mbps of traffic to their victims.

Luckily, measures exist to mitigate this brand of network assault.

Inside Subsaturating Attacks

Subsaturating attacks are a useful way for attackers to probe a network and find a weakness or vulnerability. They can flood a firewall or IPS device with just enough traffic to exhaust its state table, the real-time list of open connections the device keeps so it can track sessions to internal resources. This lets the attacker explore and manipulate the targeted network without rendering the victim’s internet connection inaccessible.

These attacks typically last only a short time, ten minutes or less. Their short duration makes it difficult for network administrators to react, if they realize what’s going on at all. 84 percent of DDoS attacks last less than half an hour.

If the attack is large enough for an administrator to spot but small enough to allow ongoing network access, then it can also serve as a distraction mechanism. While admins rush to stop the DDoS, the attacker can stealthily gain access via another weakness already identified in reconnaissance. This attack may be more difficult to spot in logs flooded with DDoS traffic.

Subsaturating attacks have already led to significant losses for victims. The #OPSONY DDoS hit on Sony’s PlayStation network in 2011 masked an underlying data exfiltration. In 2015, UK telco TalkTalk lost the personal details of 2.4m customers to attackers who reportedly used a DDoS attack as a distraction.

Short, low-volume attacks can make the job even more difficult for administrators by using advanced protocol manipulation to help confuse and distract.

Whereas old-school attacks used lower-layer network protocol attacks like SYN and ICMP, more complex, modern attacks manipulate application-layer protocols like HTTP and HTTPS to directly tie up applications serving data over the web.

Often, attackers will target multiple services at once, possibly at different layers of the network stack. Two thirds of respondents in Arbor’s report suffered multi-vector attacks.

Whereas traditional DDoS attacks threaten operations, subsaturating attacks pose a clear and present security risk. Their different attack envelopes mean that customers should react differently to each. To do this, they must learn how to distinguish between them.

Solutions for Distinguishing DDoS Attacks


Legacy DDoS protection solutions designed to spot volumetric attacks may not catch subsaturating DDoS incidents. Cloud-based anti-DDoS services are useful for detecting and mitigating extended volumetric attacks, but they may be ill-designed to spot these smaller hits on the network. Companies must complement them with other solutions.

In this new, evolved era of DDoS, network visibility becomes increasingly important. On-premises network analysis and DDoS mitigation tools specifically designed with these attacks in mind can detect both volumetric and subsaturating attacks, alerting staff to their presence.

By increasing network visibility, companies can even turn these attacks to their advantage. An attacker probing a network with a subsaturating DDoS event may be planning something more intrusive later. If an administrator can spot these forays early enough, they may be able to take preventative action.
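As an added illustration (not from the article), here is a small Python check that separates a short, low-bandwidth burst of connection churn from a link-filling volumetric flood. The per-minute counters and the link capacity, saturation fraction and spike factor are constructed assumptions for the example, not figures from the article.

```python
# Added example: flag short sub-saturating DDoS windows from per-minute traffic
# counters. Thresholds and sample data are constructed assumptions.
from statistics import median

LINK_CAPACITY_MBPS = 1000     # assumed 1 Gbps uplink
SATURATION_FRACTION = 0.8     # at or above this share of capacity: volumetric
CONN_SPIKE_FACTOR = 5         # new connections/min vs. baseline to flag


def classify_windows(windows, baseline_minutes=5):
    """windows: list of (minute, mbps, new_connections, unique_sources).
    The first `baseline_minutes` entries are assumed to be normal traffic."""
    base = windows[:baseline_minutes]
    base_conns = median(w[2] for w in base)
    base_srcs = median(w[3] for w in base)
    alerts = []
    for minute, mbps, conns, srcs in windows[baseline_minutes:]:
        conn_spike = conns >= CONN_SPIKE_FACTOR * base_conns
        src_spike = srcs >= CONN_SPIKE_FACTOR * base_srcs
        if mbps >= SATURATION_FRACTION * LINK_CAPACITY_MBPS:
            alerts.append((minute, "volumetric"))
        elif conn_spike and src_spike:
            # Link is far from full, yet connection churn from many sources is
            # abnormal: the signature of a state-table exhaustion probe.
            alerts.append((minute, "subsaturating"))
    return alerts


def summarize_bursts(alerts):
    """Group consecutive flagged minutes into (kind, start_minute, duration)."""
    bursts = []
    for minute, kind in alerts:
        if bursts and bursts[-1][0] == kind and bursts[-1][2] == minute - 1:
            bursts[-1][2] = minute
        else:
            bursts.append([kind, minute, minute])
    return [(kind, start, end - start + 1) for kind, start, end in bursts]


SAMPLE = [  # constructed: (minute, mbps, new_conns, unique_srcs)
    (0, 120, 400, 90), (1, 130, 420, 95), (2, 110, 380, 88),
    (3, 125, 410, 92), (4, 118, 390, 90), (5, 140, 450, 100),
    (6, 310, 9800, 4100), (7, 330, 10500, 4400), (8, 290, 9100, 3900),
    (9, 135, 430, 96),
    (10, 950, 6000, 2500),
]

if __name__ == "__main__":
    for burst in summarize_bursts(classify_windows(SAMPLE)):
        print(burst)
```

The three-minute burst at minutes 6 to 8 never reaches a third of the link's capacity, so a purely volumetric threshold would miss it; only the jump in new connections and source count reveals it.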

In this era of advanced DDoS attacks, then, to be forewarned is to be forearmed.

~Written by Danny Bradbury. Danny is a technology journalist with over 20 years of experience writing about security, software development, and networking. He covers a mixture of business and consumer tech.