Distributed denial of service (DDoS) attacks are evolving at a rapid pace with no appearance of slowing down.
Incapsula’s research team has been tracking trends in the DDoS landscape and has seen a rapid surge in attacks this year.
Fundamentally, there are two types of attacks. The first takes place at the application layer (Layer 7) and the second at the network layer (Layers 3 and 4). At the network layer, attacks bring down a website or SaaS application by overwhelming network and server resources, causing downtime and blocking responses to legitimate traffic. Application-layer attacks, of course, target the applications themselves, making them especially worrisome for SaaS application providers. These attacks mimic legitimate user traffic to bypass bare-bones anti-DDoS solutions and crash the web server.
Over the past year, our research team has witnessed a rapid increase in the volume of network DDoS attacks. This trend is continuing in 2014, with almost one in every three attacks exceeding 20 Gbps (which was the peak attack volume just one year ago). Some of today’s network attacks even reach beyond 100 and 200 Gbps.
The main reason for the increase in size this year is new DDoS tactics using methods like Large SYN floods and DNS Amplification to generate very high traffic volumes. A large number of recent high-profile attacks have brought a relatively new technique into the spotlight: NTP Amplification. Last month, for the first time, NTP Amplification actually exceeded large SYN floods as the most prevalent network DDoS attack vector.
However, in terms of overall network DDoS trends, large SYN flood attacks still predominate, making up 51.5 percent of all attacks above five Gbps.
DDoS Attacks Go Multi-Vector
DDoS isn’t a singular threat. Over 80 percent of DDoS attacks employ multiple methods to create smokescreens, bypass protective solutions, and target multiple resources. These multi-vector tactics wreak havoc with IT organizations and confound even the most vigilant human operators.
In recent months, the most common multi-vector attack was a combination of two types of SYN flood attacks – one using regular SYN packets and another using Large SYN (above 250 bytes) packets. This combination is used to target server (e.g., CPU) and network resources. Overall, these SYN combo attacks account for approximately 75 percent of all DDoS attacks peaking above 20 Gbps.
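To make the two-vector SYN combination visible in telemetry, here is an added example (not Incapsula's code) that separates bare SYN packets from Large SYN packets using the article's 250-byte boundary and reports the peak per-second rate of each vector. The packet summaries are constructed, and the rate thresholds are assumed parameters that a real deployment would tune.

```python
from collections import defaultdict

LARGE_SYN_BYTES = 250  # the article's size boundary for "Large SYN" packets

# Constructed packet summaries (not captured traffic): (second, tcp_flags, length_bytes).
SAMPLE_PACKETS = [
    (0, "S", 60), (0, "S", 60), (0, "S", 1400), (0, "SA", 60), (0, "PA", 1200),
    (1, "S", 60), (1, "S", 1400), (1, "S", 1400), (1, "A", 52),
]

def classify(flags, length):
    """Label a packet by SYN-flood vector; only bare SYNs count as flood packets."""
    if flags != "S":
        return "other"
    return "large_syn" if length > LARGE_SYN_BYTES else "syn"

def peak_rates(packets):
    """Per vector, the highest packets/s and bytes/s seen in any one-second bucket."""
    pps = defaultdict(lambda: defaultdict(int))   # vector -> second -> packets
    bps = defaultdict(lambda: defaultdict(int))   # vector -> second -> bytes
    for sec, flags, length in packets:
        v = classify(flags, length)
        pps[v][sec] += 1
        bps[v][sec] += length
    return ({v: max(b.values()) for v, b in pps.items()},
            {v: max(b.values()) for v, b in bps.items()})

def active_vectors(packets, syn_pps=2, large_syn_bps=2000):
    """Regular SYNs stress connection-handling (CPU), so they are judged by packet
    rate; Large SYNs stress bandwidth, so they are judged by byte rate.
    Thresholds are assumed example values, not tuned production numbers."""
    pps, bps = peak_rates(packets)
    active = set()
    if pps.get("syn", 0) >= syn_pps:
        active.add("syn")
    if bps.get("large_syn", 0) >= large_syn_bps:
        active.add("large_syn")
    return active

def is_syn_combo(packets, **thresholds):
    """True when both SYN vectors exceed their thresholds at the same time."""
    return active_vectors(packets, **thresholds) == {"syn", "large_syn"}
```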
A Smarter Breed of Bots
Origin of Application Layer Attacks
Over the research period, our team recorded an average of more than 12 million unique DDoS bot sessions – a 240 percent increase over the same period in 2013.
But where is this sea of botnets coming from?
Unlike network layer attacks, application layer attacks cannot use spoofed IP addresses to hide their source. They resort to hijacking hosting environments and Internet-connected devices. Using these IP records, we tracked the origin of DDoS activity to the 10 top source countries, with India, China, and Iran accounting for 25 percent of all malicious traffic.
- India (9.59 percent)
- China (9.2 percent)
- Iran (7.99 percent)
- Indonesia (4.29 percent)
- U.S. (4.26 percent)
- Thailand (4.20 percent)
- Turkey (3.89 percent)
- Russia (3.45 percent)
- Vietnam (2.88 percent)
- Peru (2.62 percent)
These are the locations of the attackers’ resources (compromised PCs and servers), not the location of the attackers themselves, who operate these resources remotely. A higher concentration of compromised resources is found where a) computers are more common and b) security is lacking.
Adaptive Mitigation: Security Brain and Network Brawn
As DDoS attackers evolve and hone their skills, so must defenders. Solutions will need to look at behavioral anomalies and use other non-challenge-based techniques to detect fake browsers. One such technique, for example, assigns a contextual risk score to the visitor’s identity and behavior patterns.
Botnets are being used as shared DDoS resources – i.e., a rentable infrastructure that changes hands among members of the hacker community. On average, almost 40 percent of attacking IPs (compromised devices) are used to attack at least 50 separate targets a month. Since the same botnets are being used time and again to attack multiple targets, reputation-based security techniques can also be quite effective in anticipating the intentions of a visitor and proactively blocking traffic from a “suspicious” IP address.
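The reputation idea from the two paragraphs above, as an added example that is not Incapsula's code: from a constructed log of bot sessions, count how many distinct targets each source IP hit per month, measure what share of attacking IPs are "shared" across targets, and turn that history into a risk score that feeds a block decision. The log format, the scoring weights and the block threshold are assumptions for illustration; the article's own figure is 50 targets a month, lowered here so the tiny sample exercises the logic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed bot-session records (not real data): ISO timestamp, source IP, target host.
SAMPLE_SESSIONS = """\
2014-03-01T10:00:00 198.51.100.7 shop.example
2014-03-02T11:30:00 198.51.100.7 bank.example
2014-03-05T09:15:00 198.51.100.7 news.example
2014-03-09T22:40:00 198.51.100.7 shop.example
2014-03-11T03:05:00 203.0.113.42 shop.example
2014-03-12T03:06:00 203.0.113.42 shop.example
this line is malformed and must be skipped
2014-04-01T08:00:00 198.51.100.7 mail.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")

def parse_sessions(text):
    """Yield (month, source_ip, target) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, target = m.groups()
        month = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").strftime("%Y-%m")
        yield month, ip, target

def distinct_targets(text):
    """Map (month, ip) -> set of distinct targets that IP attacked in that month."""
    seen = defaultdict(set)
    for month, ip, target in parse_sessions(text):
        seen[(month, ip)].add(target)
    return seen

def shared_fraction(text, month, min_targets=3):
    """Share of IPs attacking in `month` that hit at least min_targets targets
    (the article's statistic uses min_targets=50)."""
    per_ip = {ip: t for (m, ip), t in distinct_targets(text).items() if m == month}
    if not per_ip:
        return 0.0
    return sum(len(t) >= min_targets for t in per_ip.values()) / len(per_ip)

def reputation_score(text, ip):
    """0-100 score: 20 per distinct target in the busiest month, plus 10 per
    additional month of activity (assumed weights, capped at 100)."""
    months = {m: len(t) for (m, i), t in distinct_targets(text).items() if i == ip}
    if not months:
        return 0
    return min(100, 20 * max(months.values()) + 10 * (len(months) - 1))

def should_block(text, ip, threshold=50):
    """Proactive block decision based purely on cross-target reputation."""
    return reputation_score(text, ip) >= threshold
```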
2013 created a new standard of DDoS attacks. However, if the first part of 2014 is any indication, the surge in new attack methods and larger-than-ever attack volumes is a sign of worse to come. Organizations need to be prepared for an ever-growing number and increasing sophistication of DDoS attacks in the coming year.
Gur Shatz is cofounder and CEO of Incapsula and a veteran of the security industry with over 14 years of product leadership and engineering experience. Before founding Incapsula, he held several key positions at Imperva, which he joined at its inception. Before Imperva, Gur held several development and project management positions in the industry and also served as a captain in the Intelligence Corps of the Israeli Air Force.