Most distributed denial of service (DDoS) attacks now appear to be aimed at distracting IT and security teams, a survey by communications and analysis firm Neustar has revealed.
“DDoS attacks are no longer mainly about taking websites offline by flooding them with requests, but about providing cover for installing malware and stealing data,” Neustar product marketing director Margee Abrams told Computer Weekly.
In launching “low and slow” DDoS attacks, she said, the attacker disrupts operations and distracts security teams, while keeping the target network operational enough to plant malware and exfiltrate data.
“In this way, smaller attacks can be more dangerous than a powerful DDoS attack that knocks a company offline but does not install malware or steal data,” she said.
In recent years, the size of DDoS attacks aimed at overwhelming company websites and services has been tracking upwards, peaking at around 300Gbps, but this latest survey from Neustar shows a shift towards smaller, but repeated attacks.
Attacks leave malware in their wake
According to the survey, around 40% of DDoS attacks on European firms are relatively small, at less than 20Gbps, while only 2% of attacks reported were greater than 100Gbps and 18% were between 10Gbps and 20Gbps.
However, more than half of all European companies polled reported repeated attacks – rising to 77% in the retail sector – and 54% of all companies reported that they had been hit at least six times.
At the same time, more than a third of companies discovered malware installed on their systems in the wake of a DDoS attack and 25% found that data or funds had been stolen, with the retail and financial services sectors being worst hit.
While 82% of retailers reported that they had been targeted by DDoS attacks, 77% said the DDoS attacks were linked to a data breach.
In the financial services sector, 54% of DDoS attacks were less than 5Gbps in strength, but 43% of attacks were linked to malware.
“These are targeted attacks that appear to be aimed at cloaking the installation and use of data-stealing malware,” said Abrams.
DDoS attacks present growing financial and reputational risk
The survey also found that the duration of DDoS attacks is increasing, with 40% of attacks lasting more than a day and 10% lasting around a week.
“These longer attacks are providing a bigger window of opportunity to install malware and steal data,” said Abrams. “At the same time, longer attacks are causing a sustained threat to businesses’ profitability and brand reputation.”
In March 2015, a survey published by Neustar revealed that DDoS attacks could expose 40% of businesses in Europe to losses of £100,000 or more an hour at peak times.
In addition to the cost of downtime, Abrams said there is also the cost of dealing with increased demand on customer service call centres, risk management costs and even marketing costs to restore trust and brand reputation.
In the latest survey, 90% of respondents viewed the threat from DDoS attacks as being equal to or greater than a year ago.
Reducing the impact of attacks
Concern about data breaches is, however, driving organisations, more than ever before, to take steps to mitigate against DDoS attacks, said Abrams.
“There is no way of preventing DDoS completely, but more companies are beginning to understand the importance of being able to mitigate these attacks when they occur,” she said.
According to the survey, more than half of those polled are dedicating six or more staff members to deal with DDoS attacks and 73% are investing more in DDoS mitigation than last year.
The survey also showed that 46% of European companies that have experienced DDoS attacks are now using a mix of on-premise and cloud-based services for DDoS mitigation.
Abrams said hybrid solutions are enabling comprehensive and rapid DDoS protection for a wider range of business with different risk profiles, technical environments and budgets.
However, in the light of the latest trend to low and slow attacks, she said companies also need to be on the lookout for other indicators of compromise whenever they are targeted by a DDoS attack.
“Companies should not neglect to monitor their network and investigate things like peaks in outbound traffic and traffic going out to unfamiliar IP addresses,” said Abrams.
DDoS attacks for monetary gain
In addition to repurposing DDoS attacks as a cover for planting malware, she said attackers are also continuing to use DDoS attacks, or at least the threat of DDoS attacks, to extort money.
In June, Computer Weekly reported that a gang using DDoS attacks to extort bitcoins since July 2014 appeared to be ramping up operations.
The group, calling itself DD4BC (DDoS for Bitcoin), had increased the frequency and scope of its DDoS extortion attempts, shifting from targeting Bitcoin exchanges to online casinos, betting shops and prominent financial institutions.
According to Abrams, the group’s activities appear to be continuing, most recently targeting government organisations.
“This is a very low-cost, low-risk way to make money, but organisations should consider very carefully before paying what the attackers demand. These attacks will continue as long as they are successful, but by investing in mitigation capabilities, organisations can protect themselves as well as drive up the cost for attackers,” she said.