Wide reporting of these attacks has it’s benefits, but there is a mismatch between coverage and prevalence of these attacks. Why? These figures are really fun to talk about, and generate lots of interest. High severity attacks will always get more attention, even if they are statistically unlikely to affect your organization. These threats, while catastrophic, are probably not the basis around which you should build your security infrastructure. Imagine if you read an article that says ‘Falling coconuts kill about 150 people per year’. Thats horrible, but unless you work in the coconut industry, you probably shouldn’t spend your budget on coconut proof helmets just yet. We often focus on the scary trends instead of the likelihood of a given threat.
Here at Baffin Bay Networks, the average DDoS attack we see in the SOC is about 3-5 Gbps. Is that enough to take the average unprotected network offline? Sure, but consider this — according to this ENISA report, 53% of (reported) DDoS attacks are combined with other attack types, like exploiting a vulnerability in your Internet facing servers. The DDoS is being used as a smokescreen to buy the attackers time to achieve their actual objective.
Here is a graph showing Denial of Service Attacks towards one of our customers.
As you can see there aren’t a lot of big, scary attacks happening there. Compare that to the number of Threat Intelligence attacks in the below graph.
This is a fairly low traffic network, but you can clearly see the difference between the number of DoS attacks compared to the number of other types of malicious actors we are stopping with threat intelligence. When we look at Web Application attacks, or other events caught in our DPI platform, we also see significantly more events. These types of attacks are vastly more prevalent than gigantic DDoS Attacks.
Soon, I expect to see an attack over 2Tbps. When attacks get that large, we will start to see failures in Internet infrastructures. ISPs and Transit providers will start to break down, and fixing those will be out of your hands. The most important DDoS attacks, the ones you should be focusing your limited resources on, are really the ones between 1 to 100Gbps. These are the DDoS attacks that are most likely to impact your organisation, yet aren’t so large that they make headlines or threaten a transit providers network.
This is why we built Riverview with multi-function protection. Detecting attacks like malware, exploit attempts, and the OWASP Top 10 in addition to Denial of Service attacks both in Layer 3/4 and in Layer 7. Riverview focuses on, not only those unlikely events, but also delivers continuous protection against the threats you are seeing every day.
Most companies have a limited security budget, allocating that towards things that are most likely, is the smart choice.