Decoded: Burst attacks

The tactics used by cybercriminals are evolving all the time, with ‘burst attacks’ the latest evolution of distributed denial of service attacks. But there are ways to counter them.

By Aled Herbert

Thu 18 Oct 2018 @ 12:03

I've heard burst attacks are causing a bit of concern. What are they and how worried should I be?

Burst attacks are also known as 'hit and run' distributed denial of service (DDoS) attacks. DDoS attacks have been with us a long time and the methods used by criminals are always evolving. Burst attacks are one of the most recent evolutions.

With traditional DDoS the typical attack pattern is a high-volume flow of traffic that ramps up gradually and then descends again or ceases suddenly.

Burst attacks are more dramatic. Rather than a gradual increase in traffic volume, attackers use short bursts of high-volume traffic in random attack waves. While each burst might only last a matter of seconds, the attack is sustained over hours or days. In some burst attacks, defences need to cope with hundreds of gigabits each second.

How do burst attacks work and what organisations are under threat?

Burst attacks are often targeted at sites and service providers that need to provide a high level of availability and session integrity. Even a small disruption in service levels can cost money, lose customers and damage brand reputation.

Typically, attacks are made up of a number of changing vectors, including arriving from distributed geographical locations and using different kinds of network data to bombard organisations. With an increasing number of devices connecting into corporate networks and cloud-based infrastructure, there is also the potential for these to be used by hackers to generate excess network traffic that could impact other services.

According to a report from Cisco, attackers often mix things up – with burst attacks of varying durations (between two and 50 seconds long) and intervals of between five and 15 minutes. In addition, they are often combined with more standard DDoS attacks to cause maximum confusion and disruption. Bursts of data generated by hacked devices could also be thrown into the mix.

How common are burst attacks?

Generally, DDoS attacks are on the rise – up 172 per cent in 2016 – but burst attacks are also increasing rapidly. In 2017, 42 per cent of research respondents reported coming under fire from DDoS attacks in short repeating bursts. Cisco’s report claims the increase of DDoS-for-hire services weaponising IoT devices is a reason for the rise in burst attacks.

Sounds nasty. How can they be stopped?

Traditional approaches to defending against DDoS attacks include manually creating signatures to block attack traffic. However, if the vector changes, as is the case with burst attacks coming from different locations and using different kinds of network traffic, the signature needs to adapt continually.

Instead, security and load-balancing company Radware suggests a two-pronged approach. Firstly, adopt a behavioural DDoS protection system that uses machine learning algorithms to identify burst attack patterns.

Secondly, use a solution that measures the degree-of-attack (DoA) surface. If an attack rates high in bandwidth or rate and also represents a high percentage of the overall distribution of traffic, then a burst attack is likely.

Better securing devices that connect into networks and cloud-based services is another prudent step organisations should take, as it would reduce the number of routes burst attacks can take to hit their desired targets.

While these devices can be made more secure, there is still a high probability that they will be hacked, making it crucial that organisations pay close attention to the devices being introduced and how they interact with the internet and their networks, if they are to avoid a rush of compromises, including burst attacks.
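The degree-of-attack check described above can be sketched as detection logic over per-second traffic counters, combined with the 2 to 50 second burst lengths from the Cisco report. This is an added example, not Radware's or Cisco's algorithm; the thresholds, function names, traffic-type labels and sample counters are all assumptions constructed for illustration.

```python
from statistics import median

# Assumed thresholds for illustration; tune them per network.
RATE_FACTOR = 5.0   # "high rate": more than 5x the median packets per second
SHARE_LIMIT = 0.6   # "high share": one traffic type above 60% of all packets

def degree_of_attack(counts, baseline_pps):
    """Score one per-second sample: (rate_high, share_high, dominant_type)."""
    total = sum(counts.values())
    if total == 0:
        return False, False, None
    kind, top = max(counts.items(), key=lambda kv: kv[1])
    return total > RATE_FACTOR * baseline_pps, top / total > SHARE_LIMIT, kind

def find_bursts(samples):
    """samples: [(second, {type: packets})]. Returns [(start, end, type)]."""
    baseline = median(sum(c.values()) for _, c in samples)
    bursts = []
    for t, counts in samples:
        rate_high, share_high, kind = degree_of_attack(counts, baseline)
        if not (rate_high and share_high):
            continue  # both signals must be high, as the article describes
        if bursts and t - bursts[-1][1] == 1:
            bursts[-1][1] = t            # extend the wave in progress
        else:
            bursts.append([t, t, kind])  # a new wave starts
    return [tuple(b) for b in bursts]

def is_burst_attack(bursts, min_waves=3):
    """Repeated short waves (2 to 50 s each, per the article) indicate a burst attack."""
    short = [b for b in bursts if 2 <= b[1] - b[0] + 1 <= 50]
    return len(short) >= min_waves       # min_waves is an assumed cut-off

def constructed_samples():
    """Constructed counters for 30 minutes of traffic; not real data."""
    normal = {"tcp": 500, "udp": 400, "icmp": 100}
    waves = {300: (10, "udp"), 900: (30, "icmp"), 1500: (5, "tcp")}
    samples = []
    for t in range(1800):
        counts = dict(normal)
        for start, (length, kind) in waves.items():
            if start <= t < start + length:
                counts[kind] += 20000    # one dominant type floods the link
        if 1200 <= t < 1260:             # legitimate spike: 6x volume, usual mix
            counts = {k: v * 6 for k, v in normal.items()}
        samples.append((t, counts))
    return samples
```

Calling `find_bursts(constructed_samples())` reports the three constructed waves, each with a different dominant traffic type, while the legitimate spike at 1200 seconds is ignored because its volume is high but its traffic mix is unchanged.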