April 7, 2019

DDoS attacks are getting more persistent and prolonged, but are more difficult to detect

The large attack surface of communications services providers (CSPs) allows perpetrators to set up sneaky attacks that can easily go unnoticed by conventional intrusion detection systems, but can cause significant damage when attack traffic converges at the destination.  

Our latest research findings reconfirm that DDoS attackers continued to adopt a stealthy approach by orchestrating attacks—piece by piece, little by little—on CSP networks in Q4 2018. The trend was evident in the 3,122.22% year-on-year surge of amplification attacks on the SSDP protocol—which is frequently exploited to further the reach of DDoS attacks, and in our findings, the “bit-and-piece” attacks.  

This trend caused the number of attacks to increase by 36.08% in Q4 2018 from the Q3 2018; the maximum attack size to go up by 49.15%; and the average attack size to go up by 3.75% over the same period. We first identified the bit-and-piece attack pattern in Q3 2018. This new breed of stealthy attack is designed to evade CSP detection by contaminating legitimate traffic across hundreds of IP prefixes with small-sized junk traffic.

Contrast to the sharp rise of SSDP amplification attacks, attacks on other protocols such as UDP, TCP SYN, and IGMP dropped noticeably on a year-over-year basis in Q4 2018. However, overall attack activity was subdued, thanks to the FBI crackdown on the world’s 15 biggest DDoS-for-hire websites, a.k.a. “booters”, in December. As such, the total number of attacks dropped 10.99% from a year ago; the maximum and average attack sizes also decreased 23.91% and 85.36%, respectively, over the year.  


  Q4 2018 Vs. Q4 2017 Q4 2018 Vs. Q3 2018 
Total no. of attack -10.99% +36.08% 


  Q4 2018 Vs. Q4 2017 Vs. Q3 2018
Maximum attack size 176.00Gbps -23.91% +49.15%
Average attack size 1.008Gbps -85.36% +3.75%

 Table 1, 2. YoY and QoQ Comparisons of Total Attacks and Attack Sizes



   DDoS Attack Type
Q4 2018 Vs. Q4 2017 +3,122.22% +118.90% +2.18% -17.10% -77.12% -46.41%
Q4 2018 Vs. Q3 2018 +91.21% +78.80% +194.17% -33.16% -19.34% -20.99%

 Table 3. YoY and QoQ Comparisons of DDoS Attack Types



Our research findings also suggest that attacks were more persistent, targeted and prolonged as well. In one case, a victim was doggedly hit by HTTPS flood attacks nearly every day of December. It was attacked by up to 13 times a day, while these attacks lasted between 28.95 minutes and 1493.93 minutes.


From what we observed, stealthy, well organized and advanced persistent threats (APTs) now underscore the sophistication of modern-day DDoS attacks. The continued exploitation of vulnerabilities in network resources and IoT devices expand the threat landscape.

Get the latest cybersecurity news and expert insights direct to your inbox

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.