August 15th, 2019

Cyberthreats and Trends Report Q2 2019

DDoS attackers are alive and well and hoping that you don’t notice them

On March 5, 2019, the US Department of Energy (DoE) reported a denial-of-service attack on several local grids. While the attack did not take those networks offline, it did cause an incident comparable to a large storm. Reporting on the attack was widely varied and ranged from concern to dismissal. In fact, the response to the attack is almost more interesting than the attack itself.

In looking at the coverage, it’s helpful to consider how the media has described DDoS attacks. One report defined them this way: “Distributed denial of service, or DDoS, involves delivering a heavy stream of information and Internet traffic, usually with the help of a network of hacked computers, to overwhelm the systems of a target.” This definition is technically correct, but it implies that DDoS attacks always take the form of volumetric attacks, which is not the case. DDoS threats of 100 Gbps and higher do continue to happen – the Neustar Security Operations Center (SOC) sees them all the time. But the reality is that the majority of DDoS incursions are much smaller; in fact, while the top attack mitigated in Q2 2019 was over 200 Gbps, the average attack that we mitigated this quarter was 7.5 Gbps. More troublingly, the median attack size – the middle of the size range – was just under 1 Gbps. There was a 158% increase in the number of attacks of 5 Gbps and below when comparing Q2 2019 to Q2 2018, and attacks in this smaller size category made up 75% of all attacks mitigated this quarter.

Why “don’t fix it if it’s not broken” doesn’t work for networks

When many people consider DDoS attacks, they are thinking of volumetric attacks that “break” access to your network. Today’s high volumes of smaller attacks may not break anything, and most attacks under 5 Gbps will not take your entire network offline. But that is not to say that these attacks do no damage. In fact, it could be argued that these incursions are actually worse than high-rate attacks, which can be swiftly noticed and mitigated. A high rate of smaller incursions will instead degrade performance and eat up bandwidth, which can erode competitive advantages and raise costs over time. Smaller attacks are also sometimes used to probe for vulnerabilities, the kind that can do real damage.

These threats are damaging precisely because they are small. If your DDoS protection is of the alert-and-detect or on-demand variety, this type of smaller attack is usually below the threshold for mitigation. If there were only one such threat, your network could probably absorb the additional traffic and the situation wouldn’t be a huge cause for concern. But what the Neustar SOC sees is that these attacks are often running all the time. Your network may be suffering a death of a thousand paper cuts. And because the attacks go on all the time, they may become your “new normal.”

A baseline will improve your bottom line

The unfortunate fact is that while you may not believe that you are under constant low-level DDoS attack, there is really no way to know. That’s why Neustar suggests that enterprises consider always-on mitigation for their highest-value targets. At worst, you have established a baseline that will allow you to move forward confidently. At best, you could boost your infrastructure’s performance without adding new devices, lower the overall cost of bandwidth, and raise your security profile at the same time. Another way to think about the value of having your network running at its best is to consider what would be required to add a Gbps of capacity.
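The two preceding sections contrast a fixed mitigation threshold, which a sub-1 Gbps flood never trips, with a learned baseline that makes the same flood visible. The script below is an added illustration written for this report, not Neustar's own tooling: the per-minute ingress rates are constructed sample data, the 5 Gbps threshold stands in for a generic on-demand trigger, and the baseline is simply the median of a quiet learning window. It shows that the fixed threshold raises nothing while the baseline detector flags the sustained excess and can also put a number on the bandwidth it is consuming.

```python
"""Fixed-threshold vs. baseline-deviation detection of low-volume DDoS traffic.

Added example, not code from the report or from Neustar. All sample values
are constructed: one-minute average ingress rates in Gbps for one service.
"""
from statistics import median

# Constructed: 20 quiet minutes around 0.5 Gbps, then 20 minutes in which a
# sustained flood of roughly 0.9 Gbps rides on top of the normal load.
QUIET = [0.48, 0.52, 0.50, 0.55, 0.47, 0.51, 0.49, 0.53, 0.50, 0.46,
         0.52, 0.49, 0.51, 0.54, 0.48, 0.50, 0.47, 0.53, 0.49, 0.51]
FLOODED = [1.35, 1.40, 1.38, 1.42, 1.36, 1.41, 1.39, 1.37, 1.43, 1.38,
           1.40, 1.36, 1.42, 1.39, 1.37, 1.41, 1.38, 1.40, 1.36, 1.39]
SAMPLES_GBPS = QUIET + FLOODED


def threshold_alerts(samples, threshold_gbps=5.0):
    """On-demand style: alert only when a sample exceeds a fixed absolute
    rate. The 5 Gbps default is an assumed, generic trigger value."""
    return [i for i, gbps in enumerate(samples) if gbps > threshold_gbps]


def learn_baseline(samples, window):
    """Baseline = median of the first `window` samples. The median is used
    because a few bursts inside the learning window barely move it."""
    return median(samples[:window])


def baseline_alerts(samples, window=20, factor=2.0, min_consecutive=5):
    """Always-on style: report the first minute of every run of at least
    `min_consecutive` samples above `factor` times the learned baseline.
    Requiring a run suppresses single-minute bursts of legitimate load."""
    limit = learn_baseline(samples, window) * factor
    alerts, run_start = [], None
    for i, gbps in enumerate(samples):
        if gbps > limit:
            if run_start is None:
                run_start = i
            if i - run_start + 1 == min_consecutive:
                alerts.append(run_start)
        else:
            run_start = None
    return alerts


def excess_gbps_minutes(samples, window=20):
    """Traffic above the baseline, summed per minute, so the cost of the
    'thousand paper cuts' can be stated as bandwidth consumed."""
    base = learn_baseline(samples, window)
    return round(sum(max(0.0, gbps - base) for gbps in samples), 2)


if __name__ == "__main__":
    print("baseline (Gbps):", learn_baseline(SAMPLES_GBPS, 20))
    print("fixed-threshold alerts:", threshold_alerts(SAMPLES_GBPS))
    print("baseline-deviation alerts at minute:", baseline_alerts(SAMPLES_GBPS))
    print("excess traffic (Gbps-minutes):", excess_gbps_minutes(SAMPLES_GBPS))
```

In practice the learning window would be far longer than twenty minutes and would be re-learned per time of day, and the baseline should be frozen before the suspected flood starts; a baseline learned while the flood is already running would absorb it as the "new normal" the report warns about.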

But what about latency?

A common misconception is that always-on DDoS mitigation will add unacceptable latency. This could be true with some providers, but not with Neustar. Our SOC engineers will work with you to tune your services to meet your performance needs. The desire to minimize latency is another reason why we have fourteen points of presence around the globe, allowing us to take traffic in close to its origin. Further, any latency introduced is likely to be outweighed by the removal of the bogus traffic that is now being filtered out.
