DDoS Attacks Decreasing, but Repeatedly Hammering Targets

December 8, 2017 Marketing GrafWebCUSO

The IT/Cloud/SaaS industry, representing 45% of mitigation activity, was the industry most frequently targeted by DDoS attacks for the twelfth consecutive quarter, according to the latest Verisign DDoS Trends Report.

The Reston, Va.-based Verisign’s Distributed Denial of Service Trends Report for the third quarter of 2017 also revealed that financial services represented 20% of mitigations, and that 88% of the attacks mitigated from July 1, 2017 through September 30, 2017 employed multiple attack types.

There is a brighter side, however. Overall, Verisign saw a 17% decrease in the number of attacks and a 70% decrease in the peak size of the average attack when comparing Q3 2017 to Q2 2017. Nevertheless, DDoS attacks remain unpredictable and vary widely in speed and complexity, and attackers continue to launch repeated attacks against the same targets. In fact, Verisign observed that 45% of customers who experienced DDoS attacks in Q3 2017 were targeted multiple times.

Fifty-six percent of DDoS attacks were User Datagram Protocol (UDP) floods, which overwhelm ports with IP packets. The most common UDP floods included Domain Name System (DNS), Network Time Protocol (NTP), Simple Service Discovery Protocol (SSDP), Character Generator Protocol (Chargen) and Simple Network Management Protocol (SNMP) reflective amplification attacks.

The largest volumetric DDoS attack observed by Verisign in Q3 2017 was a multi-vector attack that peaked at approximately 2.5 Gbps and around 1 Mpps for one hour. The attack consisted of a wide range of attack vectors, including TCP SYN and TCP RST floods; DNS, ICMP and Chargen amplification attacks; and invalid packets. The different attack vectors required continuous monitoring and changing of countermeasures to mitigate effectively. The highest-intensity packet flood in the quarter, consisting of TCP SYN and UDP floods mixed with invalid packets, peaked at approximately 2.3 Mpps and around 1 Gbps. That attack lasted approximately two and a half hours.

Verisign DDoS Trends Reports throughout 2017 have reported a decline in the size and number of DDoS attacks. “This trend does not necessarily mean, however, that DDoS attacks are going away or that companies should be complacent,” the research warned. “Now is a good time for organizations to review all aspects of their network and application security solutions to protect themselves against DDoS attacks or future security threats.”

According to the 2016 Ponemon Institute Cost of a Data Breach Study, the average consolidated cost of a data breach is $4 million. Organizations usually have a strategy in place to deal with DDoS attacks hitting their network and applications, but Verisign asked what happens if an internal user on the organization’s own network pulls in malware via an inadvertent outbound request.

Cloud-based DDoS protection services focus on monitoring inbound internet traffic to a customer’s critical IP network. The technology typically uses signature analysis, misuse detection and dynamic profiling. Signature analysis and misuse detection look for known patterns and deviations that may indicate a DDoS attack. Dynamic profiling establishes normal traffic patterns and identifies deviations from them, which then trigger alerts for further investigation. For example, traffic levels reaching or exceeding predefined thresholds could indicate a DDoS attack, so when a wave of volumetric or malformed traffic hits the customer’s network, alerts are raised. However, DDoS monitoring solutions provide visibility only into inbound traffic.

What about outbound traffic sent from the network? While variations in outbound traffic patterns happen for many reasons, they can also indicate botnet-compromised endpoints being used to exfiltrate data or for other malicious purposes.

Verisign noted the challenge of gaining visibility into outbound DNS requests. Firewall administrators tend to ignore DNS request logs because of their volume, but observing outbound network traffic is the first step to preventing communication with malicious endpoints. “Deploying security technology such as DNS firewall, email filtering and other security solutions, and keeping them up to date, is a good place to start. No technology offers 100% network protection; organizations need to implement a layered approach to security that includes both technology and user education.”
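The dynamic profiling approach described above (learn a baseline, then alert on deviations past a threshold), applied both to inbound traffic and to the outbound DNS request volume the article says usually goes unwatched, as an added example that is not code from Verisign or this article; the per-minute counters, the k-sigma rule and the 2x floor are constructed assumptions.

```python
"""Dynamic traffic profiling: learn a baseline from a normal period, then
alert on intervals that exceed it. Added example, not Verisign's code;
all counters below are constructed sample data."""
from statistics import mean, pstdev


def build_profile(training, k=3.0):
    """Return (mean, upper_threshold) from per-interval counters observed
    during a normal period. Threshold is mean + k * stddev, with a floor of
    twice the mean so a very flat baseline still needs a real jump to alert."""
    mu, sigma = mean(training), pstdev(training)
    return mu, max(mu + k * sigma, mu * 2)


def profile_deviations(name, training, live, k=3.0):
    """Compare live per-interval counters with the learned profile and return
    one alert tuple (metric, interval_index, value, threshold) per interval
    whose value exceeds the threshold."""
    _, threshold = build_profile(training, k)
    return [(name, i, v, threshold) for i, v in enumerate(live) if v > threshold]


# Constructed inbound UDP packets-per-second samples, one per minute.
INBOUND_UDP_PPS_TRAINING = [1200, 1350, 1100, 1400, 1250, 1300, 1150, 1380]
INBOUND_UDP_PPS_LIVE = [1280, 1310, 2_300_000, 2_250_000, 1220]  # flood in minutes 2-3

# Constructed outbound DNS queries per minute from one internal host.
OUTBOUND_DNS_TRAINING = [40, 55, 38, 60, 45, 50, 42, 58]
OUTBOUND_DNS_LIVE = [47, 52, 49, 900, 1300]  # host starts hammering DNS in minute 3


def run_all():
    """Run both profiles and return every alert, inbound first."""
    alerts = profile_deviations("inbound_udp_pps", INBOUND_UDP_PPS_TRAINING, INBOUND_UDP_PPS_LIVE)
    alerts += profile_deviations("outbound_dns_qpm", OUTBOUND_DNS_TRAINING, OUTBOUND_DNS_LIVE)
    return alerts


if __name__ == "__main__":
    for metric, idx, value, thr in run_all():
        print(f"ALERT {metric}: interval {idx} value {value} exceeds threshold {thr:.0f}")
```

The same outbound profile works per source host, which is what turns a single compromised endpoint's DNS beaconing into an alert instead of noise in the aggregate.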