DDoS attacks, at any volume, are among the most prominent cyber threats today, because they are fairly simple to execute. Many reports and articles have been published showing the sharp rise in DDoS attacks, with projections that this year will see a record of over 15 million DDoS attacks launched.
As DDoS-as-a-service can cost as little as $500, it is easy for attackers to launch malicious attacks of varying complexity to shut down enterprises’ online services, no matter the industry. 5% of organizations that suffered DDoS attacks lost more than $1 million due to the attack, whether in direct losses, downtime costs, or reputational damage.
For example, LG Uplus, the Korean telecommunications giant, ultimately incurred over $100 million in damages, client compensation, and security upgrades, all as a consequence of a single DDoS attack.
What type of DDoS attack will succeed?
Many DDoS protection providers publicize success at thwarting large-scale and complex DDoS attacks. But the reality is that many successful DDoS attacks use short, intermittent, and sometimes even specific low-volume DDoS attack vectors.
Verizon’s 2023 “Data Breach Investigations Report” notes a resurgence of low-volume attacks that still cause problems for corporations, but this is not to say that low-volume DDoS attacks are the new norm. In late 2022, Imperva reported an 81% increase in large-volume DDoS attacks, especially Layer 7 DDoS attacks of at least 500,000 requests per second (RPS).
As the cost of bandwidth and CPU processing is more accessible, DDoS perpetrators use their newfound capabilities to launch massive attacks, sometimes reaching a staggering 71 million RPS. But large-volume attacks are relatively easy to notice, even if sometimes not so easy to mitigate.
What organizations should actually be concerned about are the low-volume DDoS attacks that slip through DDoS protection’s cracks.
Just because they are low-volume DDoS attacks, it doesn’t necessarily mean that they aren’t dangerous. In fact, low-volume DDoS attacks tend to succeed more than large-volume attacks simply because they are harder to detect.
What are Low-Volume DDoS attacks?
Low-volume DDoS attacks rely on a small stream of slow traffic aimed at a victim’s online services, whether at the application (layer 7) or at server resources (layers 3 and 4). They require little bandwidth and can be hard to mitigate: they generate so little traffic that an organization may not realize it is under a DDoS attack even while its services are unavailable to legitimate traffic (i.e. end users).
Low-volume DDoS attacks tend to be HTTP and HTTPS oriented, but they can also involve TCP sessions with slow transfer rates that target any TCP-based service. The most common low-volume DDoS attacks are the Slowloris attack, Tor’s Hammer attack, and THC-SSL.
Because low-volume DDoS attacks don’t require extensive resources to launch, they can be carried out from a single machine, so virtually anyone can launch one. That is also why these attacks are very popular among DDoS-for-hire services.
The dramatic rise in vulnerable IoT devices makes it easy for DDoS attackers to assemble huge botnets, which are used for DDoS-for-hire attacks but not only for those. As a result, some of the most successful DDoS attacks of recent years, including the attack on Microsoft 365, were in fact multi-vector attacks that combined low-volume vectors with others.
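As an added example (not code from the original article), a defender-side check for the slow-connection pattern described above: one client holding many connections, each open for a long time, each having sent only a trickle of request bytes. The connection snapshot, its field names and the thresholds are constructed assumptions; the second function shows why a plain bandwidth threshold never fires on this traffic.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass
class Conn:
    """Server-side snapshot of one open connection (constructed schema)."""
    client_ip: str
    opened_at: float        # epoch seconds when the connection was accepted
    bytes_received: int     # request bytes read so far
    request_complete: bool  # True once a full HTTP request has been parsed


def find_slow_clients(conns, now, min_age_s=30, max_bytes_per_s=10, min_conns=5):
    """Return {client_ip: count} for clients that hold at least `min_conns`
    connections which are old, still incomplete, and trickling bytes at or
    below `max_bytes_per_s`. A single slow connection is ignored, because one
    user on a poor link looks exactly like that."""
    stale = defaultdict(int)
    for c in conns:
        age = now - c.opened_at
        if c.request_complete or age < min_age_s:
            continue
        if c.bytes_received / age <= max_bytes_per_s:
            stale[c.client_ip] += 1
    return {ip: n for ip, n in stale.items() if n >= min_conns}


def aggregate_rate_bps(conns, now):
    """Total inbound bytes per second across all connections in the snapshot.
    For a slow-connection attack this stays tiny, so volume-based alerting
    sees nothing unusual."""
    if not conns:
        return 0.0
    total = sum(c.bytes_received for c in conns)
    span = max(now - min(c.opened_at for c in conns), 1.0)
    return total / span


# Constructed sample snapshot (not real telemetry). 203.0.113.7 holds 200
# connections that each sent ~40 header bytes two minutes ago and then stopped;
# 198.51.100.2 is a normal client; 192.0.2.9 is one slow but legitimate user.
NOW = 1_700_000_000.0
SAMPLE = (
    [Conn("203.0.113.7", NOW - 120, 40, False) for _ in range(200)]
    + [Conn("198.51.100.2", NOW - 2, 900, True) for _ in range(3)]
    + [Conn("192.0.2.9", NOW - 90, 300, False)]
)

if __name__ == "__main__":
    print(find_slow_clients(SAMPLE, NOW))               # {'203.0.113.7': 200}
    print(f"{aggregate_rate_bps(SAMPLE, NOW):.1f} B/s")  # 91.7 B/s
```

Two hundred held connections amount to under 100 bytes per second in total, which is why the check keys on per-client connection state rather than traffic volume.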
How to protect against low-volume DDoS attacks?
The only way to protect against low-volume DDoS attacks and keep online services up and running is to continuously uncover blind spots and remediate the most relevant DDoS risks. Even with the best DDoS protection solution in place, every organization suffers up to 75% DDoS exposure.
Organizations are extremely vulnerable to DDoS attacks, and a perpetrator who chooses a multi-vector DDoS attack that includes a low-volume component will most likely succeed.
In fact, as we’ve recently seen in many cases, including the infamous Microsoft attack, it can take only one successful low-volume DDoS attack to shut down online services. Thus, to achieve true DDoS resilience, an organization must have complete visibility into its DDoS security posture, with continuous and non-disruptive DDoS testing against all known and unknown attack vectors.