Hit-And-Run Tactics Fuel Growth In DDoS Attacks

A majority of organizations in Imperva DDoS study suffer multiple consecutive attacks.

Many threat actors behind distributed denial of service (DDoS) attacks against enterprises appear to be increasingly employing hit-and-run tactics to make their campaigns more effective.

Security firm Imperva recently analyzed data collected from its customers while mitigating DDoS attacks on their networks between April 2015 and March 2016. The data showed a 211% increase year over year in the number of DDoS attacks directed against its customers. On average, Imperva mitigated about 445 DDoS attacks per week over the one-year period.

At least some of the growth in the number of DDoS attacks recorded by Imperva had to do with the increased use of hit-and-run tactics by threat actors. These are attacks where a single assault is executed in multiple smaller and consecutive attack-bursts, according to Imperva.

The goal in using the tactic appears to be to exhaust mitigation teams by keeping them on high alert status for prolonged periods of time. Attackers could also be employing the tactic to confuse mitigation teams and divert attention away from other, more surreptitious malicious activity directed against their networks, Imperva said in its report.

More than 40% of the DDoS victims that Imperva counted last year in fact were attacked more than one time. About 16% were targeted at least five times or more. A comparison of DDoS data from the four quarters that Imperva inspected showed a gradual uptick in the use of such hit-and run tactics, the company noted.

“We have been seeing hit-and-run attacks for the last four quarters,” says Tim Matthews, vice president of marketing at Imperva. “They are really an evolution of multi-vector attacks, where criminals realize that large frontal attacks alone may no longer be successful.” 

The increased use of DDoS-for-hire services also contributed to the overall uptick in DDoS attacks last year, according to Imperva. The number of attackers using paid “booters” or “stressers” to direct DDoS traffic against specific targets jumped from around 64% in the second quarter of last year to 93% in Q1 2016.

With some booter services starting at just $5 for a minute-long attack, many of those engaged in such activity are likely non-professionals, Imperva said in its report.

The biggest impact for enterprises from such attacks is potential revenue loss, Matthews says. “This is especially pronounced for companies that depend on uptime for revenue, notably gaming and ecommerce companies,” he says.

In addition to an increase in overall numbers, DDoS attacks also increased in size.

Many of the network-layer attacks that Imperva handled for customers last year exceeded 200 Gbps, with one even exceeding a massive 470 Gbps in size. That attack is the largest that Imperva has seen to date, according to Matthews. Attackers often used small network packets to maximize packet forwarding rates and throughput capacity.

In terms of sheer number, however, application-layer assaults accounted for 60% of all DDoS attacks that Imperva mitigated last year.  

“Attackers are continuing to evolve,” Matthews says. “The sophistication of attacks, and the targeting of applications rather than networks, means that simple mitigation techniques that used to work – like configuring routers or firewalls to block attacks – are likely not working, and may offer a false sense of security.”

Related stories:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

More Insights