What if we told you that your mother-in-law won’t be staying at your house for a weekend … because she’ll be staying at your house for a week? Or that your favorite football team didn’t lose a close game … because they got blown out and lost by three touchdowns? Or that you absolutely do not need to lose ten pounds … because you need to lose twenty? You’d probably stop engaging us in conversation. Understandable. But we’re going to have to ask you to pay attention just a little longer.
DDoS attacks on the decline
According to recent reports, this past quarter was the second consecutive quarter in which we saw a decline in DDoS attacks, with an overall decline of 15% over the year. Not only that, but of their customers that reported a DDoS attack, only 1 in 6 experienced a subsequent attack, down from 1 in 4.
That all sounds like good news…right? Wrong.
The facts behind the figures
Hopefully by now we’ve Debbie Downer’d you into waiting for the second half of the story, because it’s a doozy. While numbers don’t lie and DDoS attacks are in fact on the decline, it’s not exactly exciting news for internet security.
While the number of overall DDoS attack incidents may be on the way down, what we’ve been seeing over the last two years is a major shift in DDoS scale and sophistication.
Instead of single-vector DDoS attacks designed to overwhelm a website’s resources and take the site offline temporarily, or perhaps extort a one-time payment from the website owner, we’re seeing bots that are sophisticated enough to bypass common security measures, multi-vector attacks that are peaking at over 100 Gbps, and DDoS attacks that are acting as smokescreens while networks are compromised with malware.
With all of those new threats out there, it’s no surprise that subsequent attacks are becoming less common. Think of it this way: a mugger isn’t going to waste his time and energy slapping you seven times if he can knock you out with one square punch to the face. And these hackers? Not only have they learned how to one-punch, but those punches are nearly nuclear.
What it all means
In the past, DDoS attacks were easy strategies for part-time hackers who were looking to be an annoyance. Minor havoc they could wreak in between rounds of World of Warcraft. While those relatively low-scale attacks that take down a website for a few hours still exist, they are largely not what we’re dealing with anymore.
With industries like online gaming dealing in the billions of dollars, DDoS attacks have become below-the-belt ways for some insidious groups to deal with their rivals, or for professional hackers to steal personal and financial information.
Forget taking down a website: without professional DDoS mitigation protection, a major DDoS attack could shut down an entire company. That’s not even mentioning how many hundreds of millions of users’ personal and financial information is stored in online networks.
Recent attacks on two separate Sony networks were believed to be DDoS smokescreens designed to distract from an intrusion on the networks.
A few weeks later, a DDoS mitigation provider (Incapsula) reported another massive DDoS attack – on another video game company – in which the offenders were also trying to use DDoS to mask similar hacking attempts. In this case, the attack lasted for a record-setting 38 days, generating 51,000,000+ gigabits of malicious traffic.
But video gaming companies are not the only targets. DDoS threats exist across all online industries. No website with any sort of intellectual property, data, e-commerce, customers or competitors is immune.
The next step
If you’re a fervent and possibly delusional optimist, you can certainly sit back and hope that the decline in DDoS attacks somehow leads to a decline in the scale and sophistication of DDoS attacks. But we would recommend not doing that. If we know hackers, and sadly, we do, DDoS attacks may continue to become less common, but that’s because they will only continue to become more effective. Bigger, faster, stronger and more devastating.
Now is not the time to ease up on internet security. If anything, it’s the time to double down on mitigation protection. For the good of your website, your web presence, your data, and your customers. The bottom line is that mitigation protection is essential for your bottom line.