Attack Detection: The Crucial First Step in DDoS Mitigation

At Corero, we understand that early detection is a fundamental part of any security solution. When most people think of distributed denial of service (DDoS) attacks, they think of massive volumetric attacks that crash websites or networks. In reality, the majority of DDoS attacks are small in size and duration (only a few minutes long and under 1 Gbps), which makes them difficult to detect. Most legacy and homegrown DDoS mitigation tools are configured with detection thresholds that ignore that level of activity.
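To make the threshold problem concrete, here is an added example (not Corero's code or product logic) that runs two detectors over constructed per-second traffic samples: a legacy-style detector that averages traffic over five minutes against a 1 Gbps volumetric threshold, and a per-second detector that alerts on a sustained multiple of the prefix's normal baseline. The baseline value, burst size and thresholds are assumed for illustration.

```python
from typing import List, Tuple

# Constructed input: 10 minutes of per-second throughput (Mbps) for one protected
# prefix. Quiet baseline of 50 Mbps, plus a 90-second burst at 600 Mbps starting
# at t=200. The burst is well under 1 Gbps and shorter than two minutes.
BASELINE_MBPS = 50.0
SAMPLES: List[float] = [BASELINE_MBPS] * 600
for _t in range(200, 290):
    SAMPLES[_t] = 600.0


def window_average(samples: List[float], start: int, window: int) -> float:
    """Average throughput over samples[start:start+window]."""
    chunk = samples[start:start + window]
    return sum(chunk) / len(chunk)


def coarse_detect(samples: List[float], window: int = 300,
                  threshold_mbps: float = 1000.0) -> List[int]:
    """Legacy-style detector: compare a long-window average to a fixed volumetric
    threshold. Returns the start index of every window that alerts."""
    return [start for start in range(0, len(samples) - window + 1, window)
            if window_average(samples, start, window) >= threshold_mbps]


def granular_detect(samples: List[float], baseline: float,
                    multiplier: float = 4.0, sustain_s: int = 5) -> List[Tuple[int, int]]:
    """Per-second detector: alert when throughput stays above multiplier*baseline
    for at least sustain_s consecutive seconds. Returns (start, end) intervals,
    end exclusive; an alert can be raised sustain_s seconds into the run."""
    intervals: List[Tuple[int, int]] = []
    run_start = None
    for t, mbps in enumerate(samples):
        above = mbps > multiplier * baseline
        if above and run_start is None:
            run_start = t
        elif not above and run_start is not None:
            if t - run_start >= sustain_s:
                intervals.append((run_start, t))
            run_start = None
    if run_start is not None and len(samples) - run_start >= sustain_s:
        intervals.append((run_start, len(samples)))
    return intervals


if __name__ == "__main__":
    print("5-minute average during burst window:", window_average(SAMPLES, 0, 300), "Mbps")
    print("coarse alerts:", coarse_detect(SAMPLES))        # []
    print("granular alerts:", granular_detect(SAMPLES, BASELINE_MBPS))  # [(200, 290)]
```

The five-minute average never gets near 1 Gbps, so the coarse detector stays silent for the whole burst, while the per-second detector reports the attack interval within seconds of its start.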

A recent Cyber Security Intelligence article pointed out that rapid detection is crucial for enterprise security:

“There are now so many cyberattacks that many enterprises simply accept that hackers and bad actors will find ways to break into their systems. A strategy some large businesses have developed over the past two years has been to quickly identify and isolate these attacks, possibly by shutting down part of a system or network so the hackers won’t get days or weeks to root around and grab sensitive corporate data.”

The problem is that low-threshold attacks are increasingly used to mask security breaches. The hackers use a one-two punch: first the DDoS attack, then the security breach. Even if it catches the attention of IT security, the DDoS attack serves as a smokescreen that distracts IT teams from the real breach taking place, which could involve data being exfiltrated, networks being mapped for vulnerabilities, or the infiltration of ransomware.

Time Delays between Detection and Remediation

Even if your anti-DDoS system does notice a low-threshold attack, can you be sure you block it before the damage is done? Hackers can steal data or implant malware in a matter of seconds or minutes, so time is of the essence.

For example, if you are using an out-of-band scrubbing center, your IT security team must first observe the suspicious or attack traffic, re-route it to the scrubbing center, and then return the legitimate traffic to its intended target. There is often a lengthy delay between detection of the attack and the moment actual remediation begins.

If your IT security system fails to detect and block the majority of DDoS attacks, how can you be sure that your network is truly safe from other incursions? Whatever your level of DDoS threat, it is essential to have a granular DDoS detection solution that can catch all DDoS attacks in real time and block them automatically. For more information, contact us.