DDoS attacks: Getting smaller, sneakier - and more dangerous

Long considered something of a blunt instrument, DDoS attacks are becoming smaller but more sophisticated.
Written by Steve Ranger, Global News Director

High-profile Distributed Denial of Service (DDoS) attacks continue to get bigger -- but the smaller, more subtle attacks could be the ones that businesses need to worry about.

DDoS attacks aim to overwhelm systems by overloading them with inbound traffic or requests, like stuffing a physical letter box with junk mail until legitimate messages can't be delivered. That means DDoS attacks are usually associated with huge amounts of traffic: last year GitHub was hit with a massive DDoS attack that peaked at 1.35Tbps.

According to tech security company Neustar, the number of DDoS attacks and their scale continue to increase. The largest attack it saw against customers in the second quarter of this year was 237Gbps in volume, compared to 131Gbps last year. The longest DDoS attack it saw lasted 43 hours.

But Neustar also said it saw a significant increase -- more than a doubling -- in the number of attacks of 5Gbps or under. These accounted for 75% of all attacks mitigated by the company. These smaller and more carefully targeted attacks can aim to disable specific parts of a company's infrastructure without the victim noticing.

DDoS attacks can now be directed at specific services, gateways and applications, and as the target becomes smaller, less traffic is required to bring it down, the company warned.

"Such lower volume incursions may enable the perpetrator to get in and get out unnoticed, or allow the attack to continue for quite a long time undetected," Neustar said. These small attacks pose a significant threat, as they fall below the typical threshold at which enterprises might detect them.

Nearly three-quarters of Neustar's customer panel said they would be unlikely to spot such attacks. "An attacker could therefore affect targets ranging from infrastructure to individual servers with relative impunity," the company said.

"A downed server tends to be noticed quickly, so in many cases, the attacker's strategy is to do the most damage possible by utilizing low-intensity incursions that degrade performance over time. Over the last couple of years, we've found that the most dangerous attacks are those that consistently fall below the level at which DDoS defenses would be automatically triggered," the company added.
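The detection gap described above, as an added example that is not from the article or from Neustar: a fixed trigger on aggregate inbound traffic is compared with a per-service baseline check over constructed per-minute samples. The service names, the 5,000 Mbps trigger, and the median/MAD parameters are assumptions chosen for illustration.

```python
from statistics import median

AGGREGATE_TRIGGER_MBPS = 5000  # assumed fixed trigger on total inbound traffic

def robust_baseline(history):
    """Median and MAD of a service's normal traffic (robust to short spikes)."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # avoid a zero-width band
    return med, mad

def sustained_anomaly(history, live, k=6.0, min_run=5):
    """Index in `live` at which traffic has exceeded median + k*MAD for
    `min_run` consecutive samples, or None if that never happens."""
    med, mad = robust_baseline(history)
    limit = med + k * mad
    run = 0
    for i, mbps in enumerate(live):
        run = run + 1 if mbps > limit else 0
        if run >= min_run:
            return i
    return None

def aggregate_alarm(per_service_live):
    """First index at which summed traffic crosses the fixed trigger, or None."""
    totals = [sum(col) for col in zip(*per_service_live.values())]
    return next((i for i, t in enumerate(totals) if t > AGGREGATE_TRIGGER_MBPS), None)

# Constructed sample data: inbound Mbps per minute, per service (hypothetical names).
HISTORY = {
    "web":         [900, 950, 1000, 980, 1020, 940, 990, 1010, 960, 1000],
    "api-gateway": [40, 42, 38, 41, 39, 43, 40, 37, 42, 41],
}
LIVE = {
    "web":         [950, 1000, 970, 1010, 990, 960, 1005, 980, 995, 1000],
    # Roughly triples from minute 2 onward, yet stays tiny next to the aggregate trigger.
    "api-gateway": [41, 39, 120, 130, 125, 135, 128, 132, 127, 131],
}

def evaluate():
    """Run both checks over the constructed live window."""
    return {
        "aggregate": aggregate_alarm(LIVE),
        "per_service": {s: sustained_anomaly(HISTORY[s], LIVE[s]) for s in LIVE},
    }

if __name__ == "__main__":
    print(evaluate())
```

The aggregate check never fires on this data, while the per-service check flags `api-gateway` once the elevated rate has persisted for five samples.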

Neustar advised companies to create a risk register that considers which business processes would create the most problems if they were unavailable or damaged, and then work out from there. "A risk register can clarify the difference between what is vulnerable and what is valuable -- and that can help you deploy the right protection in the right place."
