There's the long-lasting, loud DDoS attack that takes down a website or disrupts a company's network operations, but there's also a stealthier, shorter-burst DDoS meant to fly under the radar while sapping just enough bandwidth or network resources to perform more nefarious activity, like silently stealing information.
That type of DDoS, which doesn't consume massive amounts of bandwidth and so may not be easily detectable, is typically just one element of a multi-vector attack: DDoS attacks of under 5 gigabits-per-second at peak and lasting less than 10 minutes represent nearly 80% of the DDoS attack attempts spotted by in-line DDoS prevention vendor Corero Network Security, the company says in a new report published today.
The goal of this short, low-saturation DDoS is typically to bypass security defenses or to consume security logs and to ultimately hide other activity the attackers have under way, says Dave Larson, CTO and vice president of products at Corero.
Corero also found a large number of short-burst DDoS attacks lasting anywhere from five to 30 minutes. Some 96% of DDoS attacks against its service provider and enterprise customers' networks lasted less than 30 minutes, and 73% lasted less than five minutes.
These mini-DDoS attacks shouldn't be confused with low-and-slow attacks against the application layer, such as Slowloris-style ones, Larson says, which are often tailored for true denial-of-service purposes.
"It's a smokescreen effect," Larson says of the short-burst network DDoS attacks. "If they send [traffic] in short-duration, 3 Gig packet rates [at the most], it's not going to cause service degradation" in a large data center, Larson says. "You might see that class of attack good enough to degrade a firewall or IPS … It might allow a connection to remain open during the attack."
These attacks leave plenty of headroom for attackers to execute an exploit, he says, all under the cover of a quiet DDoS attack. "The victim doesn't even know it occurred because it may not be noticeable."
This brand of DDoS is likely the handiwork of more sophisticated attackers such as nation-state cyberspies, who use it to pilfer sensitive information, he says. "DDoS can be useful to degrade the security perimeter, and this can be sent at a rate that saturates all the logs," he says.
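The detection gap Larson describes, shown from the defender's side as an added example that is not part of the original article or of Corero's product: a rule tuned to link saturation never fires on a four-minute, 3 Gbps burst, while a rolling-baseline rule tuned for short runs does. The per-minute samples, the 10 Gbps link capacity and the 4x baseline factor are constructed for illustration.

```python
from statistics import median

# Constructed per-minute bandwidth samples (Gbps) for one link: a quiet
# baseline around 0.4 Gbps with a four-minute burst peaking at 3 Gbps,
# i.e. well inside the under-5-Gbps / under-10-minute profile in the report.
SAMPLES_GBPS = [0.4, 0.5, 0.4, 0.3, 0.5, 0.4, 0.4, 0.6, 0.4, 0.5,
                0.4, 0.5, 2.8, 3.0, 2.9, 2.6, 0.5, 0.4, 0.4, 0.5,
                0.4, 0.6, 0.4, 0.5, 0.4, 0.4, 0.5, 0.4, 0.4, 0.5]


def saturation_alerts(samples, link_capacity_gbps=10.0, fraction=0.8):
    """Classic volumetric rule: alert only when traffic nears link capacity."""
    limit = link_capacity_gbps * fraction
    return [i for i, gbps in enumerate(samples) if gbps >= limit]


def burst_alerts(samples, window=10, factor=4.0, min_minutes=2):
    """Flag short runs that exceed a rolling median baseline by `factor`.

    The median of the preceding `window` samples is robust to the burst
    itself entering the window, so a 4-minute burst in a 10-minute window
    does not inflate its own baseline. Returns (start, end, peak) tuples
    with inclusive minute indices.
    """
    alerts, run_start = [], None
    for i in range(window, len(samples)):
        baseline = median(samples[i - window:i])
        elevated = samples[i] >= factor * baseline
        if elevated and run_start is None:
            run_start = i
        elif not elevated and run_start is not None:
            if i - run_start >= min_minutes:
                alerts.append((run_start, i - 1, max(samples[run_start:i])))
            run_start = None
    # Close a run that is still open at the end of the sample series.
    if run_start is not None and len(samples) - run_start >= min_minutes:
        alerts.append((run_start, len(samples) - 1, max(samples[run_start:])))
    return alerts


if __name__ == "__main__":
    print("saturation rule:", saturation_alerts(SAMPLES_GBPS))  # []
    print("burst rule:", burst_alerts(SAMPLES_GBPS))            # [(12, 15, 3.0)]
```

Raising `min_minutes` above the burst length reproduces the blind spot: a rule that waits for sustained volume before alerting lets the short burst pass.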