Small DDoS Attacks on the Rise: Why These Supersized Assaults Are Going Tiny

November 21, 2019

When it comes to distributed denial-of-service (DDoS) attacks, there is a set expectation among security professionals about what they look like and how they seek to achieve their aims. DDoS attacks are known for their ability to overpower major systems with data via huge amounts of traffic. This creates knock-on effects for the broader internet, impacting individual users and attracting big headlines.

Over the last few years, innovative attackers have developed methods capable of producing staggering volumes of traffic. In an amplified DDoS attack, a hacker will send requests to a server while pretending to be the target of the attack. The server then sends its reply to the victim with significantly more traffic than the attacker sent in the first place.

This has the effect of both obscuring the source of the attack and significantly increasing the scale of the attack. In the case of one such method, Memcached, this amplification can boost the volume of data in the attack by up to 51,000 times; this is how one of the largest DDoS attacks yet verified, against Github in early 2018, reached traffic levels of 1.35Tbps. A similar attack in 2016 against a then DNS provider Dyn knocked out large parts of the internet for many users, including Amazon, Netflix and Reddit.

The Rise of Tiny DDoS Attacks

Despite their reputation as brute force attacks, DDoS incursions are increasingly diversifying as hackers learn that smaller, more targeted attacks often deliver the anticipated outcomes while going under the radar. In fact, while large attacks of 100Gbps and above have fallen by 64 percent over the last year, there was a startling 158 percent increase in attacks sized 5Gbps or less.

As an attack decreases in size, it may not register on an organization’s set threshold for mitigation, allowing it to continue longer that it otherwise would. These smaller, precision DDoS attacks might be used as a tactic in a multi-vector attack to target a specific weak point of an organization’s infrastructure – such as a specific server or even an API.

In the evolving landscape of cyber threats, DDoS is turning into a more surgical tool which, when used alongside other methods, can lead to more damage and be longer lasting than simply taking a website offline.

Stealth Is the New Strength

Staging a major assault has never been less challenging. Where an attacker may have previously needed to spend time and resources building out a botnet, hoping to scale it up to the necessary size without being detected, today one can be rented for as little as $50 a day. Furthermore, instead of figuring out their own attack methodology, attackers can now contract a ‘booter’ or stressor service to do the work for them. But even as the lucrative DDoS-for-hire marketplace is thriving, it’s the tiny attacks that may yet pose the biggest challenge to organizations.

Performing a small-scale attack is a conscious, tactical choice designed to fly under the radar of traditional mitigation strategies. The traffic flow involved may be so small that not only does the server stay online, but the defensive tools aren’t even triggered. This stealth approach broadens the scope for more specific protocol attacks which target elements of the system that sit between the public internet and the target network. Sometimes these are designed to add undue load to the router’s CPU; sometimes they target load balancers to limit site usability; sometimes they fill up firewall state tables, leaving the system more vulnerable.

In this way, smaller, more precise DDoS methods can create opportunities for attackers to fulfill their actual goal, whether that is data theft, system intrusion, or business disruption. In some cases, degrading website performance over the long term, rather than disabling the website entirely and triggering a response to the threat, constitutes success from the attacker’s perspective. And given that, according to recent data from Neustar International Security Council members, just 28 percent of organizations consider themselves to be ‘very likely’ to spot an attack of this size, the appeal of sub-5Mbps attacks is clear.

At its heart, this is an underdog story. It will always be crucial to defend against goliath-level brute force attacks, but organizations must always be aware of how attackers are changing their tactics and methods. Being unaware of these tiny attacks could create a ‘death by 1,000 papercuts’ paradox. In the words of iconic Austin indie rockers Spoon, “you got no fear of the underdog, that’s why you will not survive.”

Businesses must evolve their defensive methodologies, to be ‘always on’ within the flow of traffic mitigating against small, as well as large attacks and to match shifting tactics.

Rodney Joffe is Security CTO, SVP and Fellow at Neustar.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.