Distributed denial of service (DDoS) attacks are on the rise. According to the Nexusguard Q2 2020 Threat Report, overall DDoS attacks increased by 515% year over year. And ‘bit-and-piece’ style attacks were up 570% compared to the same period last year.
So how can you deceive bit-and-piece DDoS threats?
This is a challenge, especially now, as this new favorite tactic of DDoS hackers puts pressure on network security teams.
Bit-and-piece attacks – needles in a stack of needles
Bit-and-piece style attacks allow attackers to deliver longer, more persistent attacks. When using this method, attackers feed smaller doses of malicious traffic within a larger pool of IP addresses. The Nexusguard report points out that this approach is then amplified when attackers use bit-and-piece tactics across multiple attack vectors to launch a wider range of UDP-based attacks.
This strategy makes the carrier’s already difficult job even tougher. As they attempt to find a small set of offending IPs and malicious, distributed patterns, traffic flows seem normal. Nexusguard concludes that, “Traditional threshold-based detection and mitigation is no longer reliable nor effective.” As such, the challenge rolls downstream to network security teams to do two things:
- Reduce the attack surface and
- Defend against these attacks.
Fight deception with deception
Clearly, bit-and-piece attacks are becoming ‘more complex and deceptive’, according to Nexusguard. The opportunity here is for security teams to harness the power of deception to their advantage. These DDoS trends remind us how desperately we need a better way to draw out and identify threats, especially at the network edge. Both threats and networks are increasingly dynamic, but the traditional perimeter defense tool – the firewall – remains pretty static and passive.
PacketViper’s Deception360 solution supports an active, deception-based perimeter defense use case that complements a dynamic layered defense approach. Perimeter-facing deception can very effectively help prevent DDoS attacks and, specifically, bit-and-piece attacks.
The way this works is through deploying decoys inline, at the network edge, to proactively find threats through real-time deep learning. Malicious IPs hit decoys, are quickly identified and can be automatically mitigated. This can all happen without any complex orchestrations. The automated nature of the solution can incapacitate the threats before they get on the network, eliminating their ability to do harm. Furthermore, external-facing Deception360 decoys can be rotated to create the appearance of a moving target. This obfuscates the network and makes it much harder to size up during reconnaissance.
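An illustration of the contrast described above, as an added example that is not PacketViper's code or part of the original post: constructed flow records are checked first against a per-IP packet threshold and then against decoy hits. The addresses, the threshold, the function names, and the assumption that the small doses are sprayed across the whole protected prefix (decoys included) are all illustrative.

```python
from collections import Counter

# Constructed sample data (documentation address ranges); not from the report.
SERVICES = ["203.0.113.%d" % i for i in range(10, 20)]  # real hosts in the prefix
DECOYS = {"203.0.113.200", "203.0.113.201"}             # unused addresses acting as decoys
THRESHOLD = 1000                                        # packets per window, per IP

def build_flows():
    """Return (src, dst, packets) records for one measurement window."""
    flows = []
    # Legitimate clients talk only to real services.
    for c in range(1, 6):
        flows.append(("198.51.100.%d" % c, SERVICES[c], 400))
    # Assumed bit-and-piece pattern: each source sends a small dose to every
    # address in the prefix, which includes the decoy addresses.
    for a in range(1, 41):
        for dst in SERVICES + sorted(DECOYS):
            flows.append(("192.0.2.%d" % a, dst, 10))
    return flows

def threshold_detect(flows, limit=THRESHOLD):
    """Volumetric check: flag any source or destination IP over the limit."""
    per_src, per_dst = Counter(), Counter()
    for src, dst, pkts in flows:
        per_src[src] += pkts
        per_dst[dst] += pkts
    over = {ip for ip, n in per_src.items() if n > limit}
    return over | {ip for ip, n in per_dst.items() if n > limit}

def decoy_detect(flows, decoys=DECOYS):
    """Flag every source that sent anything to a decoy address."""
    return {src for src, dst, _ in flows if dst in decoys}

def packets_to_services(flows, blocked):
    """Packets still reaching real services once blocked sources are dropped."""
    return sum(p for s, d, p in flows if s not in blocked and d not in DECOYS)

if __name__ == "__main__":
    flows = build_flows()
    blocked = decoy_detect(flows)
    print("threshold flags:", sorted(threshold_detect(flows)))
    print("decoy flags:", len(blocked), "sources")
    print("packets to services before/after:",
          packets_to_services(flows, set()), packets_to_services(flows, blocked))
```

Because UDP source addresses can be spoofed, a blocklist built from decoy hits should expire entries quickly and keep an allowlist for known peers.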
This perimeter deception use case also takes up to 70% of the load off of downstream security solutions, postpones costly and disruptive “rip and replace” plans, and reduces overall security costs.