On Wed, Dec 8, 2010 at 8:47 AM, Jay Coley <jay@prolexic.com> wrote:
On 08/12/2010 16:14, Drew Weaver wrote:
I would say that > 99% of the attacks that we see are 'link fillers' with < 1% being an application attack.
thanks, -Drew
This has been our recent experience as well. There are some pure app attacks, to be sure, but we see many blended attacks also. Bandwidth (UDP/ICMP/SYN Flood) attack to distract with an app attack (GET/PUSH floods) attempting to run underneath the radar. We regularly see SYN floods these days > 20 Gb/s.
Another thing to be aware of--when you get hit with what seems to be a "simple" flooding attack aimed at one point of your infrastructure... start checking your logs at _other_ places in your network very, VERY carefully. There seems to be a trend of using larger-scale flooding, or other simple types of attacks, to get all the network people at an organization rushing over to throw resources and energy at it...while the real target of the attack is something completely different, on a different subnet, in a different part of the company; and that attack is small, carefully focused at its target, and is designed to be relatively quiet. The "big" attack is used simply to ensure all the human energy is focused on the wrong place, increasing the chance that what otherwise might have caused raised eyebrows and double-checking of logs/IDS alerts, etc. gets missed while everyone is focusing on the "big" attack.
The thing to bear in mind is that app attacks *are* difficult to detect as they are low bandwidth and make a full TCP connection. As a result many IDS/Firewalls etc regularly miss these attacks.
Lastly there is usually always someone at the other end of these attacks watching what is working and what is not. If the attack doesn't work they will simply round up more bots to increase the attack bandwidth or change the attack vector.
And, in what seems to be an increasing trend, what they are watching for is *not* necessarily the result of the large botnet attack; they're checking on the results of their targeted probes elsewhere in the network, or on the outbound set of connections from a compromised machine within an organization; after all, during a huge DDoS attack, with everyone focusing on a set of uplinks being flooded with _inbound_ traffic, who is going to notice the (relatively smaller) outbound spike of traffic as the compromised machine sends out a copy of your internal intellectual property to the miscreant recipients?

Matt
(speaking purely hypothetically, of course, and definitely not on behalf of any institution or entity other than myself)
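The check Matt describes above, written out as an added example (not code from anyone in this thread): given per-minute flow summaries, flag internal hosts whose outbound volume jumps far above their own baseline during the minute the inbound flood lands. The flow records, the 10.0.0.0/8 internal range, and the spike thresholds are all constructed assumptions.

```python
# Added example: spot a small outbound spike elsewhere in the network while
# the inbound flood is absorbing everyone's attention. Sample data constructed.
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address range

# Constructed per-minute flow summaries: (minute, src_ip, dst_ip, bytes)
FLOWS = [
    # minutes 0-2: quiet baseline for two internal hosts
    (0, "10.1.1.5", "198.51.100.9", 20_000),
    (1, "10.1.1.5", "198.51.100.9", 25_000),
    (2, "10.1.1.5", "198.51.100.9", 22_000),
    (0, "10.2.7.40", "203.0.113.7", 5_000),
    (1, "10.2.7.40", "203.0.113.7", 6_000),
    (2, "10.2.7.40", "203.0.113.7", 4_000),
    # minute 3: large inbound flood hits the web front-end 10.1.1.5 ...
    (3, "192.0.2.10", "10.1.1.5", 150_000_000_000),
    (3, "192.0.2.11", "10.1.1.5", 140_000_000_000),
    # ... while a host on another subnet quietly starts pushing data out
    (3, "10.2.7.40", "203.0.113.7", 900_000_000),
    (3, "10.1.1.5", "198.51.100.9", 24_000),
]


def outbound_by_host_minute(flows):
    """Sum bytes per (internal source host, minute) for flows leaving the network."""
    out = defaultdict(lambda: defaultdict(int))
    for minute, src, dst, nbytes in flows:
        if ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL:
            out[src][minute] += nbytes
    return out


def spiking_hosts(flows, window, baseline_minutes, factor=10.0, min_bytes=100_000_000):
    """Return {host: outbound_bytes} for hosts whose outbound volume in `window`
    exceeds `factor` x their average over `baseline_minutes` and an absolute
    floor `min_bytes` (both thresholds are assumptions to tune per network)."""
    out = outbound_by_host_minute(flows)
    flagged = {}
    for host, per_min in out.items():
        baseline = [per_min.get(m, 0) for m in baseline_minutes]
        avg = sum(baseline) / len(baseline)
        now = per_min.get(window, 0)
        if now >= min_bytes and now > factor * max(avg, 1):
            flagged[host] = now
    return flagged


if __name__ == "__main__":
    print(spiking_hosts(FLOWS, window=3, baseline_minutes=[0, 1, 2]))
```

The flooded front-end never appears in the result because its outbound traffic stays flat; the host on the other subnet does, which is exactly the log entry that gets missed when every eye is on the saturated uplink.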