29 Percent of Attacks Employed Five or More Attack Types

09:15 | 03/01/2018 Science - Technology

(VEN) - Verisign saw that 88 percent of the DDoS attacks it mitigated in Q3 2017 employed multiple attack types, and 29 percent employed five or more attack types.

Verisign just released its Q3 2017 DDoS Trends Report, which represents a unique view into the attack trends unfolding online, through observations and insights derived from distributed denial of service (DDoS) attack mitigations enacted on behalf of Verisign DDoS Protection Services and security research conducted by Verisign Security Services.

[Figure: Number of Attack Types per DDoS Event in Q3 2017]

Verisign saw that 88 percent of the DDoS attacks it mitigated in Q3 2017 employed multiple attack types, and 29 percent employed five or more attack types; however, the number of attacks has decreased since Q2 2017. 56 percent of DDoS attacks were User Datagram Protocol (UDP) floods.

[Figure: Average Peak Attack Size by Quarter from Q4 2015 to Q3 2017]

The IT/Cloud/SaaS industry, representing 45 percent of mitigation activity, was the most frequently targeted industry for the twelfth consecutive quarter. The Financial Sector industry experienced the second highest number of DDoS attacks, representing 20 percent of mitigation activity.

The largest volumetric and highest intensity DDoS attack observed by Verisign in Q3 2017 was a multi-vector attack that peaked at approximately 2.5 gigabits per second (Gbps) and around 1 million packets per second (Mpps). This attack lasted approximately two and a half hours. The attack was notable because it consisted primarily of a wide range of attack vectors, including TCP SYN and TCP RST floods; DNS, ICMP and Chargen amplification attacks; and invalid packets.

Comprehensive Network Protection - Inbound and Outbound

Verisign DDoS Trends Reports throughout 2017 have reported a decline in the size and number of DDoS attacks. This trend does not necessarily mean, however, that DDoS attacks are going away or that companies should be complacent. Now is a good time for organizations to review all aspects of their network and application security solutions to protect themselves against DDoS attacks or future security threats.

According to the 2016 Ponemon Institute Cost of a Data Breach Study, the average consolidated cost of a data breach is $4 million. Organizations usually have a strategy in place to deal with DDoS attacks hitting their network and applications, but what happens if an internal user on their own network pulls in malware via an inadvertent outbound request?

Today’s One-Way View - Inbound Only

Cloud-based DDoS protection services focus on monitoring inbound internet traffic to a customer’s critical IP network. The technology typically uses signature analysis, misuse detection and dynamic profiling. Signature analysis and misuse detection look for deviations that may indicate a DDoS attack. Dynamic profiling establishes normal traffic patterns and identifies deviations, which then trigger alerts for further investigation. For example, traffic levels reaching or exceeding predefined thresholds could indicate a DDoS attack. So, when a wave of volumetric or malformed traffic hits the customer’s network, an alert is raised for investigation.

DDoS monitoring solutions only provide visibility into the inbound traffic. What about outbound traffic sent from your network? While variations in outbound traffic patterns can happen for many reasons, they can also indicate that compromised endpoints are participating in a botnet, exfiltrating data or being used for other malicious purposes. How do organizations know if an internal user is participating in a botnet or communicating with a command-and-control server or other malware? How do they know if data is being exfiltrated? Monitoring outbound DNS traffic can help.

How to Monitor Outbound Traffic

Gaining visibility into outbound DNS requests can be challenging. Firewall administrators tend not to look at DNS request logs due to the volume, but knowing what is sent out on your network is the first step to preventing communication with malicious endpoints.
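The dynamic profiling described above for inbound traffic can be applied to outbound DNS request logs to cut the volume down to the few clients worth a look. The sketch below is an added example, not code from Verisign or the report; the log tuple format, the sample data, and the `k` and `floor` parameters are assumptions.

```python
from collections import defaultdict
from statistics import median

def build_sample():
    """Constructed sample rows (minute, client IP, queried name); not real traffic."""
    rows = []
    for minute in range(10):
        # 10.0.0.5: steady workstation, 3 lookups per minute
        rows += [(minute, "10.0.0.5", f"www.example{n}.test") for n in range(3)]
        # 10.0.0.9: quiet until minute 8, then bursts of unique names
        n = 40 if minute >= 8 else 2
        rows += [(minute, "10.0.0.9", f"h{minute}-{i}.example.test") for i in range(n)]
    return rows

def per_minute_profile(rows):
    """Return {client: {minute: (query_count, distinct_names)}}."""
    names = defaultdict(lambda: defaultdict(list))
    for minute, client, qname in rows:
        names[client][minute].append(qname.lower().rstrip("."))
    return {c: {m: (len(q), len(set(q))) for m, q in mins.items()}
            for c, mins in names.items()}

def flag_deviations(rows, baseline_minutes, k=5.0, floor=10):
    """Learn each client's normal query rate from the baseline minutes, then
    flag later minutes whose count exceeds median + k*MAD (and a floor)."""
    alerts = []
    for client, mins in per_minute_profile(rows).items():
        base = [mins.get(m, (0, 0))[0] for m in baseline_minutes]
        med = median(base)
        mad = median(abs(x - med) for x in base)
        # max(mad, 1) keeps a perfectly flat baseline from alerting on +1 query
        threshold = max(floor, med + k * max(mad, 1))
        for m in sorted(mins):
            count, distinct = mins[m]
            if m not in baseline_minutes and count > threshold:
                alerts.append((client, m, count, distinct, threshold))
    return alerts

if __name__ == "__main__":
    for alert in flag_deviations(build_sample(), range(6)):
        print("client=%s minute=%d queries=%d distinct=%d threshold=%s" % alert)
```

The distinct-name count is reported with each alert because a burst of lookups that are almost all unique names is handled differently in triage from a burst of repeated lookups for one name.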

Deploying security technology such as a DNS firewall, email filtering and other security solutions, and keeping them up to date, is a good place to start. No technology offers 100 percent network protection; organizations need to implement a layered approach to security that includes both technology and user education.

As attackers grow increasingly adept at creating “smarter” malware to circumvent individual protections, it becomes more important to layer these and other security controls, including measures at the DNS level.

Minh Ky