Over the last decade, DDoS attacks have proliferated, possibly becoming the primary threat for every website or web application. The ultimate goal is to bring down sites by flooding them with fake requests, usually from multiple locations. The outcome of such attacks ranges from slow page loads to blocking legitimate traffic.
Among the thousands of DDoS attacks that happen every day, you’ll find attacks that last a number of days, as opposed to short-duration attacks that only take a few minutes for attackers to coordinate and launch at a time. These attacks are becoming much more commonplace, whether the goal is to take a site down or if they’re used as a smokescreen to divert site owners’ attention. In this article, I would like to share our real life experience with short-duration DDoS attacks, addressing what happens when this type of attack targets multiple sites simultaneously.
5 Short Attacks in 3 Days
We recently witnessed a three day, continuous attack that targeted two domains of a well-known bank. On the first day, the bank suffered a significant volumetric attack that lasted five to six minutes, but consumed bandwidth at a rate of dozens of gigabytes per second. Another attack, that lasted fifteen minutes, took place on the second day, targeting the second domain of the bank. On the third day, the same domain that was targeted the previous day was hit with a long duration attack. We could see that the first and second attacks were reconnaissance attacks, executed to evaluate which of the two domains was more vulnerable. It is clear that the second domain was more susceptible since it was hit much harder in the third attack.
In parallel, we detected that there was another short-duration spike attack that targeted one of our Telco customers. Just two hours later, there was another attack against a large utility organization. Because of this pattern, we were able to identify that all three attacks were performed by the same attacker and could warn and better protect our customers against further attacks.
Comparing the volume of bandwidth we’ve encountered on the first day of the attacks, to a DDoS attack’s average peak size of 7.39 Gbps, as reported by SCMagazine, we can see that short-duration attacks use large volumes of traffic in short, shotgun-like bursts. Attackers leverage these short-duration attacks to evaluate which companies and organizations are easiest to infiltrate. We assume that this also has to do with the availability of resources. These types of attacks are more likely to come from smaller, private groups that are shorter on resources, as opposed to criminal groups or countries which have access to unlimited resources and can therefore launch long-duration attacks from day-one.
Here’s what we’ve seen over time:
When it comes to short-burst attacks, time is of the essence. Attacks are likely to go under the radar and leave no time to respond. Organizations managing multiple web domains must have the ability to centralize incoming data, preferably by working with the same security vendor across all their domains. This enables them to predict attacks by analyzing trends and patterns across their sites. Organizations should demand this capability from their security vendors, who should also be willing to use data from various customers in order to predict potential attacks on other customers, as described in the above case study.
We see a growing number of short duration attacks across our customer base. Awareness to this new pattern is key: customers typically assume that the attack is over, while this may actually be a sign for a much larger attack coming through.
In light of this new pattern using services and tools that can aggregate attack information across customers and websites is an ideal way to predict and avoid the massive DDoS attacks about to come.