Two vendor reports out this week may be of interest to CISOs in planning their defensive strategies.
—Imperva, a supplier of DDoS protection services, said it found a new attack tactic, nicknamed “pulse wave DDoS”, due to the traffic pattern it generates: A rapid succession of attack bursts that split a botnet’s attack output, enabling an offender to go after multiple targets. One such attack was also the largest network layer assault it mitigated in the second quarter peaked at 350 Gbps.
–Meanwhile Infoblox Inc., which makes IP address management solutions, released a global survey finding that DNS security is often overlooked when it comes to cybersecurity strategy, with most companies inadequately prepared to defend against DNS attacks.
Imperva’s announcement is included in its Q2 Global DDoS Threat Landscape report, on data from 2,618 network layer and 12,825 application layer DDoS attacks on customers’ Websites that use its services.
The pulse wave DDoS tactic was described in an August blog , and researchers think it is designed to double a botnet’s output and exploit soft spots in “appliance first cloud second” hybrid mitigation solutions. “It wasn’t the first time we’ve seen attacks ramp up quickly. However, never before have we seen attacks of this magnitude peak with such immediacy, then be repeated with such precision.
“Whoever was on the other end of these assaults, they were able to mobilize a 300Gbps botnet within a matter of seconds. This, coupled with the accurate persistence in which the pulses reoccurred, painted a picture of very skilled bad actors exhibiting a high measure of control over their attack resources.”
Researchers suspect the tactic allows the threat actors behind it to switch targets on the fly.
One suggested defence for organizations that have a DDoS mitigation provider is to double checking the ‘time to mitigation’ clause in the service level agreement.
The report also notes two trends: First, the continued decline in network level attacks (at least for Imperva customers) and the continued increase (although in Q2 there was a slight dip) in application level attacks. Second, that the second quarter 75.9 percent of targets were subjected to multiple attacks—the highest percentage the company has seen.Number of targets subjected to repeat DDoS attacks. Imperva graphic
The Infoblox global survey of over 1,000 security and IT professionals found respondents indicating that 86 per cent of those whose firms have DNS solutions said they failed to first alert teams of an occurring DNS attack, and nearly one-third of professionals doubted their company could defend against the next DNS attack. Twenty per cent of companies were first alerted to DNS attacks by customer complaints.
In a release summarizing the survey (available here. Registration required), three out of 10 companies said they have already been victims of DNS attacks. Of those, 93 per cent have suffered downtime as a result of their most recent DNS attack. 40 percent were down for an hour or more, substantially impacting their business.
Only 37 per cent of respondents said their companies were able to defend against all types of DNS attacks (hijacking, exploits, cache poisoning, protocol anomalies, reflection, NXDomain, amplification).
Twenty-four per cent of respondents said their companies lost US $100,000 or more from their last DNS attack.
“Most organizations regard DNS as simply plumbing rather than critical infrastructure that requires active defense,” Cricket Liu, chief DNS architect at Infoblox, said in the release. “Unfortunately, this survey confirms that, even on the anniversary of the enormous DDoS attack against Dyn—a dramatic object lesson in the effects of attacks on DNS infrastructure—most companies still neglect DNS security. Our approach to cybersecurity needs a fundamental shift: If we don’t start giving DNS security the attention it deserves, DNS will remain one of our most vulnerable Internet systems, and we’ll continue to see events like last year’s attack.”