Denial of Service

Please provide the information below to view the online Verizon Data Breach Investigations Report.

Submit View only

Thank you.

You will soon receive an email with a link to confirm your access, or follow the link below.

Download this document

Thank you.

You may now close this message and continue to your article.

2024

Summary

Denial of Service attacks can target different points of infrastructure and will manifest themselves in several forms that organizations need to be prepared to handle.

What is the same?

Denial of Service attacks continue to be ubiquitous and the top pattern for incidents.

Frequency		16,843 incidents, 3 with confirmed data disclosure
Threat actors		External (100%) (all incidents)

Data Breach Investigation Report figure 49

Another year, another victory lap to our running champion, Denial of Service. Figure 49 shows this pattern being responsible for more than 50% of incidents analyzed this year.⁸⁶ This pattern has been the most prevalent one for several years now, and you don’t have to think very hard to understand why: Denial of Service attacks are relatively cheap to execute, and it is actually fairly easy for them to be successful,⁸⁷ at least until an organization’s defenses are activated to mitigate them.

Our ongoing analysis of content delivery network (CDN)-monitored, web application-focused Denial of Service attacks shows that even though the median attack size has reduced slightly from 2.2 gigabits per second (Gbps) to 1.6 Gbps, the 97.5th percentile of those attacks⁸⁸ increased to 170 Gbps from the previous high of 124 Gbps. Figure 50 showcases the data and the other percentile break points like the more realistic and grounded 90th percentiles. Those types of attacks are usually short duration, with large volumes—50% of those attacks are less than five minutes long.

However, this year, we would like to try something different: Those precision-targeted attacks are very high volume. It is interesting to see the contrast to the impact of general distributed DoS (DDoS) filtering on the ISP level, where it is necessary to mitigate against a much wider variety of attacks and is prone to collateral damage from the high-volume ones.

Data Breach Investigation Report figure 50

Figures 51 and 52 represent the distribution of both bits per second and packets per second distribution of ISP-level collateral attacks all over the world.⁸⁹ This dataset includes attacks on ISPs themselves; enterprises that paid for DDoS protection from their ISPs; and even individual users with broadband, mobile, wireless or satellite.⁹⁰ It’s clear that these are much smaller in size because the volume for this diverse group would not need to be as big as for enterprises. Those are also longer duration attacks, with the median attack time being around nine minutes.⁹¹ All in all, this class of Denial of Service attacks might be more representative of the challenges a non-e-commerce or heavily extranet service-oriented organization might face.

Additionally, our subject matter experts (SMEs) continue to report the growth of low-volume, persistent attacks on high-interaction services such as Domain Name System (DNS). When you want to take someone off the internet, there is more than one way to peel a potato.⁹²

At the end of the day, our recommendation remains the same as in the previous years. There is relatively minimal setup necessary for a DoS attack to take place, so organizations should consider having some sort of automated or semi-automated protection system to help mitigate those. There is not a lot more to be done than to be prepared for the eventuality of some threat actor wanting to sever you from the internet for a while. To think otherwise is to live in denial.