There is No Peacetime: Volumetric Attacks Continue Unabated

NETSCOUT Arbor

peacetime
Gary Sockrider

DDoS attacks don’t observe holidays. They don’t take breathers. They don’t honor white flags. There are no truces, no prisoner swaps, no treaties or negotiations. Thousands of attacks are taking place at this very moment around the world with no sign of let-up. Peace is clearly not at hand.

NETSCOUT Arbor’s 13th annual Worldwide Infrastructure Security Report (WISR), released in January 2018, underscores the sheer relentlessness of DDoS attacks globally. A key trend we’ve observed over the past few years is the growth in size of volumetric attacks targeting cloud providers and data centers. Volumetric attacks seek to consume bandwidth either within the target network or between the target and the rest of the internet, causing congestion and preventing legitimate users from accessing networks, applications and services. While 87% of DDoS attacks are still smaller than 2 Gbps, large-scale volumetric attacks have been trending upward in size for years.

Smaller Attacks, Bigger Impact

In 2017, our Active Threat Level Analysis System (ATLAS) found a slight reversal of this trend, with the largest observed attack topping out at around 640 Gbps. This tracks with the largest attacks reported by WISR respondents. However, this dip in the very largest attacks has not diminished their intensity or ferocity. Volumetric attackers are well aware they can wreak all the havoc they want, whether at 600 or 800 Gbps. According to our ATLAS telemetry, the average duration of an attack was 46 minutes in 2017 – down from 55 minutes the previous year. However, attackers usually start/stop an attack sporadically over an extended period of time. As a result, the average duration of an attack is less than an hour but a typical attack campaign lasts much longer than that.

This new dynamic is reflected in our survey findings. Volumetric attacks may be shrinking in size at the very high end, but they are growing overall and most importantly, in impact. While data center operators observed fewer attacks in 2017 than in the previous year, 45% experienced attacks that exceeded the total bandwidth available. Among data center respondents that observed attacks, 91% experienced at least one incident that impaired service delivery, while 78% experienced between one and 20 attacks that affected service.

Growing Financial Consequences and Reputational Risk

This growing impact is further reflected in the financial consequences of such attacks, which increased dramatically in 2017. More than half of data center respondents reported a financial impact between $10,000 and $100,000, almost twice as many as the previous year. Much of that impact is in the form of lost business, as 48% of data center operators cited “customer churn” as one of the biggest consequences of DDoS attacks. Indeed, data center operators indicated 68% of DDoS attacks targeted managed service, cloud or co-location customers. It’s not surprising that they are extremely sensitive about availability of their services and the level of DDoS protection provided by data center operators.

This also helps explain why 25% of data center operators surveyed include some measure of DDoS mitigation within their base offering, while another 40% offer it as an add-on, and 15% say they plan to offer DDoS protection in the year ahead. Clearly, a DDoS mitigation strategy is becoming an essential differentiator for data center operators and a major factor in the customer’s choice of a managed data center service. 

Preparing for a 21st Century Arms Race

A couple of key conclusions emerge from these trends. One is that organizations are adopting DDoS mitigation measures more widely and using them more effectively, resulting in a decline in the overall number of observed attacks on data centers. On the other hand, this has compelled volumetric attackers to become craftier, launching smaller-scale attacks but targeting them to greater effect. This amounts to an arms race between attackers and defenders, with each side seeking to outsmart and outmaneuver the other side’s latest advances.

Our annual survey continues to find excessive reliance on conventional perimeter defenses – firewalls and intrusion detection and prevention systems (IDS/IPS) – for DDoS protection. Cybersecurity analysts agree that today’s multi-vector DDoS attacks call for a purpose-built multi-layer DDoS mitigation solution. They cite as best practice a hybrid solution combining an on-premise system that can mitigate the majority of attacks, and a cloud-based capability that is automatically triggered in the event of a large-scale volumetric attack. Protection can be further strengthened with a Global Threat Intelligence capability and Intelligent Warning Service backed by experts in recognizing and analyzing DDoS attacks.

The enemy is not going to surrender. Peace is a pipe dream. Potent, state-of-the-art defenses and eternal vigilance are the order of the day. It’s time to dig in.

To learn more about the increasingly complex DDoS threat landscape, download the full Worldwide Infrastructure Security Report.