A multi-vector DDoS attack is one in which the attacker quickly shifts from one kind of DDoS attack to another, and then to another. Chaining together different forms of DDoS attack has been a popular mode of attack since late 2015, and shows no sign of slowing down.
In Nexusguard’s most recent security report, focused on Q4 2017, multi-vector, blended threats were observed as the main DDoS attack strategy, making up 56% of all recorded attacks. The highest number of combined attack vectors observed was nine, although most multi-vector attacks combined only two vectors (33%), with three vectors following at 14%.
The most frequent type of two-vector attack was UDP blended with TCP SYN (20%); UDP blended with NTP amplification, DNS amplification, DNS, and HTTP flood mixed with TCP SYN were, respectively, the next most popular kinds of multi-vector attack. UDP packets are fast and cheap to generate, hence the protocol's popularity in multi-vector attacks. Because UDP is connectionless, source IP addresses are easy to spoof, which also makes it a strong choice for launching DDoS attacks via botnets.
Similarly, in Verisign’s most recent security report (also focused on Q4 2017), multi-vector attacks were shown to be the norm: 82% of attacks employed multiple attack types. Verisign found that 5+ attack types made up the majority of multi-vector attacks (at 46%). Like Nexusguard, Verisign observed that the majority of attacks were UDP or UDP-based floods.
Multi-vector attacks are launched either one vector at a time or all in parallel. The aim is to confuse an organization’s IT department and make it concentrate all its resources on multiple types of DDoS mitigation, providing cover while the attacker potentially goes after an entirely different part of the infrastructure. Multi-vector attacks typically combine volumetric, stateful exhaustion and application-layer attacks.
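One way a defender could tell the sequential and parallel patterns described above apart in flow summaries, as an added example that is not from the original article or from the Nexusguard or Verisign reports. The flow tuple layout, the 60-second window, the 50,000-packet threshold, the port and flag heuristics and the mapping of vectors to the three categories are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict

# Constructed flow summaries toward one protected host (not real traffic):
# (epoch_seconds, protocol, src_port, dst_port, tcp_flags, packets)
SAMPLE_FLOWS = [
    (0, "udp", 40000, 9999, "", 90000),
    (20, "udp", 123, 33000, "", 70000),
    (70, "tcp", 51000, 443, "S", 80000),
    (80, "udp", 41000, 9999, "", 60000),
    (130, "tcp", 52000, 443, "PA", 55000),
    (140, "udp", 53, 34000, "", 300),  # stays below the alert threshold
]
CATEGORY = {"udp_flood": "volumetric", "ntp_amplification": "volumetric",
            "dns_amplification": "volumetric", "tcp_syn_flood": "stateful exhaustion",
            "http_flood": "application-layer"}

def classify(proto, src_port, dst_port, flags):
    """Assumed heuristics; reflected replies arrive FROM port 123 (NTP) or 53 (DNS)."""
    if proto == "udp":
        return {123: "ntp_amplification", 53: "dns_amplification"}.get(src_port, "udp_flood")
    if proto == "tcp" and flags == "S":
        return "tcp_syn_flood"
    if proto == "tcp" and dst_port in (80, 443):
        return "http_flood"
    return None

def active_vectors(flows, window=60, threshold=50_000):
    """Map window index -> sorted vectors whose packet total meets the threshold."""
    totals = defaultdict(int)
    for ts, proto, sport, dport, flags, packets in flows:
        vector = classify(proto, sport, dport, flags)
        if vector:
            totals[(ts // window, vector)] += packets
    windows = defaultdict(list)
    for (idx, vector), packets in sorted(totals.items()):
        if packets >= threshold:
            windows[idx].append(vector)
    return dict(windows)

def attack_pattern(windows):
    """Label the run as none, single-vector, sequential or parallel multi-vector."""
    seen = set().union(*windows.values())
    if len(seen) <= 1:
        return "single-vector" if seen else "none"
    parallel = any(len(v) > 1 for v in windows.values())
    return ("parallel" if parallel else "sequential") + " multi-vector"

def categories(windows):
    return sorted({CATEGORY[v] for vs in windows.values() for v in vs})
```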
In an age in which single-vector attacks are easily purchased, multi-vector attacks also allow a more sophisticated hacker to demonstrate their ease with different attack methods and show off their determination and flexibility with different methodologies that have the potential to cause genuine damage.
In a recent interview with Information Security Media Group, Brian McCann, president of Arbor Networks’ security subsidiary, said, “Volumetric attacks have been growing each year, but the bigger issue is this complex nature of DDoS attacks today.” Application-layer and stateful attacks can take out a company’s firewalls, for instance, leaving them open to other types of malware intrusion.