This article is part of our Essential Guide: How to attack DDoS threats with a solid defense plan

DDoS a top security and business issue, study shows

DNS should be at the core of information security strategies as DDoS attacks increasingly form part of wider cyber attacks and continue to ramp up to unprecedented levels, warns Neustar

Distributed denial of service (DDoS) attacks are often used in conjunction with other forms of cyber attack, but on their own can have a devastating impact on business, a study shows.

A DDoS attack can cost an organisation more than $2.5m in revenue on average, according to the May 2017 DDoS and Cyber Security Insights Report by information services firm Neustar.

Globally and in the Europe, Middle East and Africa (Emea) region, 43% of the more than 1,000 information security professionals polled said more than $250,000 of revenue an hour was at risk, while UK retailers said DDoS attacks typically put $100,000 to $250,000 revenue an hour at risk, the report said.  

The business implications of this are clear in the light of the fact that 84% of organisations polled reported that they were targeted by DDoS attacks in the past year, that the number of DDoS attacks increased 15% in the past year, and that no industry sector was spared.

In addition, the survey found that the proportion of attacks greater than 10 gigabits per second (Gbps) was up 11% on the previous year to 45%, that almost half  (45%) of the organisations targeted by DDoS attacks said they had been hit more than five times, and that DDoS detection and response times are slowing down rather than speeding up.

Less than a quarter (23%) of organisations said they are able to detect and respond to DDoS attacks in under an hour, a decline of 5% and 3% respectively compared with the previous year. Only 29% said they were able to respond in one to two hours, a decline of 4%.

This means 48% of organisations polled take three hours or more to respond to a DDoS attack.

The proportion of organisations taking three to five hours to respond increased by 4% to 28%, while those taking 6 to 12 hours increased 2% to 14%. The proportion of companies taking 12 to 24 hours to respond was unchanged at 4%, while those taking more than a day increased to 2%. 

A UK retailer taking two hours to resolve a DDoS attack could expect a financial impact of between £154,000 and £386,000 based on the Neustar findings.

The survey also revealed that 40% of respondents reported receiving attack alerts from customers, up from 29% in 2016. 

IoT-based DDoS attacks

Although sub-10Gbps attacks were down 5%, the proportion of attacks that were 50Gbps or greater was 15%, almost double the figure for the previous year. This increase in larger attacks is a clear indicator of the appearance of internet of things-driven botnets as a DDoS attack vector, the report said.

“The Mirai botnet attacks were a wake up call,” said Deborah Clark-McGinn, senior director of product marketing at Neustar.

“What most organisation have in place [to deal with DDoS attacks] is not enough, especially in the face of new and emerging attack methods. Most organisations have some sort of DDoS protection in place, yet 90% [of those polled] are investing more than they did a year ago, and 36% think they should be investing even more.”

Research shows that the first of the DDoS attacks by the Mirai botnet were around 500Gbps in size and targeted Olympic websites in August 2016, but failed to cause noticeable disruptions and did not hit news headlines.

However, IoT-based DDoS attacks did hit the headlines when investigative journalist Brian Krebs was targeted in September 2016 and his Krebs on Security website was hit by attacks of around 650Gbps.

A week later, French hosting firm OVH was hit by an attack that peaked at more than one terabits-per-second (1Tbps) or 1,000 Gbps.

The following month, domain name system (DNS) services supplier Dyn was hit by even greater attacks of reportedly around 1.2Tbps.

The attack on Dyn highlighted not only the threat of IoT-driven DDoS attacks, but also the importance of DNS to cyber security.

DNS is vital to most business communications and Neustar is seeing a rise in attacks on fundamental internet components such as DNS, and yet it is often overlooked in organisations’ cyber security strategies.

“In an increasingly connected world, Neustar believes that DNS should be the core of an organisation’s [cyber] security strategy,” said Clark-McGinn. In most organisations, she said, DNS falls under the network infrastructure function and “does not necessarily sit under the security umbrella”.

A ‘race against crime’

Clark-McGinn also highlighted the fact that DDoS attacks are increasingly part of wider cyber attacks and are often accompanied by malware infections.

“DDoS attacks are often used as a smokescreen to distract security teams while other malicious activity is carried out,” she said.

The survey revealed that in European organisations polled, 42% said DDoS attacks were accompanied by malware infections, up 10%, and 27% of DDoS attacks in the past year were accompanied by either ransomware or attempts to extort money by threatening further DDoS attacks, which is almost double the 2016 figure of 15%.

Globally, 23% of DDoS attacks were accompanied by ransomware infections or threats of further, more powerful DDoS attacks for extortion, an increase of 53% compared with the previous year.  

“We are seeing that the ability of organisations to detect and respond to DDoS attacks is a race against crime. DDoS attacks are gaining in popularity among attackers, and so it is something organisations have to figure out a way to deal with,” said Clark-McGinn.

“Customer data theft was reported in 27% of DDoS attacks in Europe, up 5% from previous year, which is a huge concern, especially in the light of the new European data protection laws,” she said. A quarter of European companies hit by DDoS attacks also reported loss of customer trust and brand damage.

Tech firms invest to mitigate attacks

One of the positive findings of the research is that technology companies are leading the pack in terms of successful DDoS mitigation strategies.

“Technology firms are definitely a target with 85% of tech firms polled reporting DDoS attacks, which is an increase of 2% on the previous year, but the proportion of tech firms being attacked more than one is down 11%, the proportion of tech firms taking a minimum of three hours to respond is down 15%, and the proportion of finding out about DDoS attacks from customers is down 13%, while investment in DDoS mitigation is up 11%,” said Clark-McGinnn.

“Tech companies are getting it. They are investing effectively. They are figuring it out because they have felt the pain and they are investing to the right level to mitigate these attacks. Tech firms are always going to be a target of DDoS attacks, but it is important to note they are investing more and seeing positive results,” she said.

Another positive trend is that organisations are moving away from “traditional” DDoS mitigation approaches such as firewall protections by internet service providers, which is down 5% while the proportion of companies using cloud-based mitigation services is up 5% to 54%.

The proportion of companies using a hybrid approach that combines on-premise DDoS appliance with mitigation services is up 8% to 46%, and the use of mitigation services is up 14% to 45%, the poll shows.

“These findings show that organisations are beginning to recognise that they need defences that are specifically for DDoS in the light of the fact that attacks are getting bigger and more complex,” said Clark-McGinn.

Increase of CLDAP and GRE attacks in 2017

The 2017 first quarter attack data from the Neustar DDoS Security Operations Center (SOC) shows that the year is off to a fast start in terms of DDoS attacks.

Although the fourth quarter is generally considered “DDoS season”, when the biggest attacks of every year tend to coincide with the end-of-year holiday shopping, Clark-McGinn said the first quarter attack data indicates that 2017 will be another challenging one from a DDoS threat landscape perspective, with Mirai-style IoT botnet-driven attacks likely towards the end of the year.

“The Q1 data shows we are already seeing significant increases in average attack size and variety of attack types, with the number attacks in Q1 almost double the number in Q1 of 2016 and 81% being multi-vector attacks in which attackers are switching between a variety of attack methods,” she said.

The data shows that attackers are continuing to seek new ways to turn legitimate infrastructure elements against their owners, with new trends appearing in the first quarter.

Generic routing encapsulation [GRE]-based flood attacks and connectionless lightweight directory access protocol [CLDAP]-reflection attacks are emerging as the new hot attack trends for 2017,” said Clark-McGinn.

“The reason CLDAP-reflection is scary is that it enables cyber criminals to carry out huge volumetric, quick ramping attacks, and that it comes from servers inside organisations that are typically not well-protected,” she said.

Clark-McGinn expects to see more CLDAP-based DDoS attacks later in the year, but said GRE-based attacks are “even scarier” because GRE tunnels are traditionally used by DDoS mitigation services to protect organisations by shielding network traffic from attackers.

“Attackers are now finding ways of infiltrating GRE tunnels and cause havoc because it is becoming difficult to tell what is legitimate traffic and what is bad traffic, and if attackers master the use GRE tunnels to carry out DDoS attacks, it will make DDoS mitigation a lot trickier,” she said.

Neustar aims to be ‘world’s largest’ DDos mitigation network

In the light of the trends in DDoS attacks, especially large volumetric attacks, McGinn said Neustar is building a 10Tbps Global Defense Network, and has completed the first phase, which means the company has tripled its global DDoS mitigation network capacity to 3Tbps.

Neustar plans to be at 6Tbps capacity by third quarter, at 8Tbps by fourth quarter and at its goal of 10Tbps by early 2018, with 27 global nodes, including London, Amsterdam and Frankfurt. The result, the company believes, will be the world’s largest, most distributed, most technically advanced DDoS mitigation network.

Barrett Lyon, pioneer of the DDoS defence industry and head of research and development at Neustar Security Solutions, said in a statement: “We are pushing the limits of what was already considered a standard. We’re going well beyond any of our competitors or visions I had 20 years ago.

“With the completion of our new global constellation of scrubbing centres, we will have the largest, most distributed and technically advanced DDoS defense network on the planet. We will not only be defending our large enterprise clients but also handling the overflow traffic many other providers will have during large attacks,” he said.

Read more about DDoS attacks

Read more on Hackers and cybercrime prevention