A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.
We’re talking about DDoS attacks today because they are so common now that most organizations in North America have experienced some form of DDoS attack in the last 12 months.
In fact, one third of all downtime incidents are attributed to DDoS attacks, according to the worldwide Digital Attack Map (operated by Google Ideas and Arbor Networks).
Cyber attackers spend a lot of effort to build armies of botnets - networks of infected computers - by distributing malicious software via websites, social media, emails, attachments and other devious ploys (see Phishing in the Office Pool, some staggering facts on phishing, your employees and corporate risk). Once infected, these botnet computers can be controlled remotely without their owners' knowledge, and used like an army to launch attacks against any targets. Some botnets are millions of computers strong.
Botnets generate massive floods of traffic to overwhelm a target. Some floods are more connection requests than the server can handle, while others send huge amounts of random data to tie up their target’s bandwidth.
Disturbingly, botnet networks are appearing for rent in new specialized marketplaces for anyone to buy time on. For as little as $150, anyone can hire a week-long DDoS attack directed at their own designated targets.
DDoS attacks are growing in number, size and sophistication.
149% The number of attack activity is growing dramatically: Akamai reported an 149% increase year last year.
50 Million There were an estimated 50 million attacks last year—that’s one or two attacks every second of every day.
125 Million MPPS The fastest flood attack of 2015 reached 125 million packets per second (MPPS), driving a DDoS attack of 65 Gbps)
180 Million MPPS by March 2016, many DDoS flood attacks were passing 180 MPPS at Cloudflare.
196 Gbps - The largest DDoS attack reported in mid 2015
400 Gbps - new record DDoS attack reported in Q4 2015
500 Gbps – record DDoS attack size in January 2016
602 Gbps - May 2016. This last weekend recorded a huge increase in attack severity at websites for BBS website and Donald Trump.
6.88 Gbps is the average DDoS attack size, with about 1/3 of all attacks passing 5 Gbps.
20 Minutes The Average DDoS attack length was 20 minutes in 2015.
97%Assaults against infrastructure, rather than applications now account for 97% of all DDoS activity.
75%of attacks are UDP floods.
In late 2014, Incapsula surveyed 250 businesses with at least 250 employees. They found that almost 50 percent had been hit by a DDoS attack in the past. Of those, 91 percent had been in the previous 12 months, and 70 percent had two or more attacks. Most (86%) lasted less than a day, while 68 percent lasted less than 13 hours.
While short, the average estimated cost of these attacks were $40,000 U.S. per hour, for an average cost close to $500,000 per attack. The same Incapsula survey (below) found actual costs of attacks were broken down in by the following categories.
You should also know that DDoS attacks are not limited to simple websites, like much of the news we read about. DDoS attacks are aimed to prevent your server or network resources from functioning, effectively blocking any access for employees or customers. Most DDoS attacks are usually one or more of three methods:
Network level attacks send massive amounts of “bots” traffic to overwhelm your connection capacity, blocking access to all connections to your network, website or online services. The worst of these attacks, like SYN floods and DNS amplification, will exceed 200 Gbps today. This is up from an average attack size of 10.1 Gbps in 2013.
Protocol attacks are designed to tie up server resources or intermediate communication equipment like firewalls and load balancers.
Application-level attacks attempt to overload resources on which an application is running. It crashes and your site goes down. They evade common security measures by mimicking legitimate user traffic.
Before choosing targets, an attacker will typically employ bots to probe a list of potential target sites for vulnerabilities they can exploit. When found, an appropriate attack methods are chosen and their game begins.
According to Imperva, over 80% of DDoS attacks see multiple methods used. Using smokescreen diversions, bypassing common protections and targeting multiple resources let them create the chaos they intend.
Realistically, most organizations will need some combination of on-premises attack mitigation capabilities and advanced external services. An honest assessment is always the first place to start. If you have good IT security staff in place, start with on-premises risk assessments first and evolve your strategy to include external services. If you don’t have IT staff or the required skill sets, start with a competent external service and look at adding managed CPE (customer premises equipment) mitigation capabilities in the future.
There is no known way to stop or prevent a directed DDoS attack. Accept that it’s not always possible to defend against a large, organized DDoS attack without some impact to your network. In the event of an attack, the following recommends should help you to lessen that impact.
Since some DDoS attacks are engaged to disguise additional intrusion attempts, we also strongly recommend the following additional actions:
Finally, we also recommend that you, or a network consultant you trust, literally walk through your network system and conduct the 6-Point Physical Network Checklist you will find in our blog post “Is Your Business Network A Hardened Vault Or A Cardboard Door?”