Distributed denial of service (DDoS) attack types are evolving. Enterprises have always feared the brute force of high-bandwidth network-based attacks, but smaller, application-based DDoS attack types are proving to be more common and more dangerous.
While large DDoS attacks on the network can wreak havoc by consuming large amounts of bandwidth, smaller DDoS attacks are proving that bigger problems can come in small packages. These small DDoS attack types fly under the radar by imitating real user traffic with legitimate IP addresses rather than spoofed ones.
The 2011 Global Application and Network Security Report issued earlier this month by application delivery and security vendor Radware found that 76% of DDoS attacks were less than 1 Gbps in bandwidth in 2011, with only 9% of DDoS attacks over 10 Gbps. The report -- which analyzed 40 DDoS cases from various enterprises -- also noted that 56% of DDoS attack types were application-oriented rather than network-focused.
DDoS attack types: Smaller in size, bigger in sophistication
Overall DDoS attacks have been on the rise recently, said John Pescatore, vice president and research analyst at Gartner. The number of attacks focused on specific websites and targeted at the application-level can be attributed to a combination of both very simple and very sophisticated DDoS methods that have emerged, he said.
Smaller DDoS attack types pose a significant threat to the enterprise because they are becoming much more sophisticated than larger, brute-force DDoS attacks, said Ron Meyran, director of security products at Radware.
"In the past, large network attacks accounted for nearly 100% of attacks and the larger DDoS attacks to the network were flat and relatively easy to detect," Meyran said. "The smaller attacks are low in volume, and are creating an artificial user phenomenon to look like real traffic in order to exhaust server resources."
Small DDoS attacks typically slip past detection more easily than a large-scale attack because network administrators usually rely on high traffic volume as the general indicator of a DDoS attack. Every transaction a small DDoS sends to the website can look like legitimate traffic. "When an enterprise is suffering from a smaller DDoS attack, these volume rate-based thresholds will not be triggered," Meyran said.
Small DDoS attacks can often get past a firewall or intrusion prevention system (IPS), he said.
In addition to attacking the website, many application-based DDoS attacks are now targeted to overload your application infrastructure, which can prevent real users from accessing your site, Meyran said.
While large-scale DDoS attack types typically attack larger sites -- including Amazon and Walmart -- the smaller application-level attacks are the most detrimental to the enterprise or SMB, Meyran said. "When going into a smaller site, hackers have more success launching a dynamic application-based attack because they are so difficult to detect and defend against."
The attacks have become more dynamic over time because hackers are becoming more familiar with the vulnerabilities associated with security products, said Kevin Rice, global network architect at A.T. Kearney, a management consulting firm.
Rice, who uses F5 Networks' products for network security and Web application firewalls at A.T. Kearney, said that enterprises need to get more creative in how they protect against DDoS attacks. "The pervasive use of similar security products is helping hackers understand where the gaps are," he said.
DDoS attack types: Prevention and recovery
For future DDoS prevention, enterprises should collect information regarding the type, size and frequency of the attacks they see, and perform a risk analysis to determine how resilient they are to both network-based and application-level attacks, according to the Radware report.
When an attack does strike, enterprises should capture as much detail as possible in order to recover quickly, Rice said. "We try to gather as much information as we can to send off to our firewall, IPS and F5 vendors, letting them know we have discovered a problem so we can work with them to find a solution," he said.
For network-based attacks, an enterprise should not only seek anti-DDoS protection from its service provider, but also have anti-DDoS management tools on site, Meyran said. Lower-volume application-level attacks, however, must be handled on-premise, he said.
Enterprises should use network behavioral analysis technology to better defend against small DDoS attack types. "This is the only technology that can differentiate between real and artificial users, and determine who should be blocked or granted access," he said.
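The distinction Meyran draws between volume thresholds and behavioural analysis, as an added example that is not from the article or from any vendor's product: a Python script profiles each source in a constructed web-server access log and shows that a request-rate threshold never fires on the low-rate source, while a simple behavioural rule (only costly handlers requested, no page assets fetched, the way a browser would) does. The log lines, addresses, path lists and thresholds are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')
EXPENSIVE = ("/search", "/report")           # assumed costly, database-backed handlers
STATIC_EXT = (".css", ".js", ".png", ".jpg")  # assets a real browser fetches alongside pages

# Constructed sample access-log lines (RFC 5737 test addresses), not from the article.
# 203.0.113.5 browses like a person; 198.51.100.7 hits only the costly search handler.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Feb/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.5 - - [01/Feb/2012:10:00:01 +0000] "GET /css/site.css HTTP/1.1" 200 2048
203.0.113.5 - - [01/Feb/2012:10:00:02 +0000] "GET /img/logo.png HTTP/1.1" 200 9000
203.0.113.5 - - [01/Feb/2012:10:00:09 +0000] "GET /product/42 HTTP/1.1" 200 7300
203.0.113.5 - - [01/Feb/2012:10:00:20 +0000] "GET /search?q=shoes HTTP/1.1" 200 31000
198.51.100.7 - - [01/Feb/2012:10:00:00 +0000] "GET /search?q=a HTTP/1.1" 200 31000
198.51.100.7 - - [01/Feb/2012:10:00:15 +0000] "GET /search?q=b HTTP/1.1" 200 31000
198.51.100.7 - - [01/Feb/2012:10:00:30 +0000] "GET /search?q=c HTTP/1.1" 200 31000
198.51.100.7 - - [01/Feb/2012:10:00:45 +0000] "GET /search?q=d HTTP/1.1" 200 31000
"""

def profile_sources(log_text):
    """Per source IP: request count, requests on costly handlers, static-asset fetches."""
    stats = defaultdict(lambda: {"requests": 0, "expensive": 0, "static": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                        # skip malformed lines rather than crash
        ip, _method, path, _status, _size = m.groups()
        base = path.split("?")[0]           # drop the query string before matching
        s = stats[ip]
        s["requests"] += 1
        if base.startswith(EXPENSIVE):
            s["expensive"] += 1
        if base.endswith(STATIC_EXT):
            s["static"] += 1
    return dict(stats)

def classify(stats, rate_threshold=100, expensive_share=0.8):
    """Volume rule (requests per window) beside a behavioural rule (what was requested)."""
    verdicts = {}
    for ip, s in stats.items():
        if s["requests"] >= rate_threshold:
            verdicts[ip] = "volume-flood"
        elif s["static"] == 0 and s["expensive"] / s["requests"] >= expensive_share:
            verdicts[ip] = "artificial-user"  # low rate, but nothing browser-like about it
        else:
            verdicts[ip] = "legitimate"
    return verdicts
```

Running `classify(profile_sources(SAMPLE_LOG))` labels 203.0.113.5 legitimate and 198.51.100.7 an artificial user, even though both stay far below the 100-request volume threshold.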