• Denial of Service



    The Denial of Service pattern consists of attacks intended to compromise the availability of networks and systems. This pattern includes both network and application layer attacks, and is the most common pattern across incidents. However, don’t let its volume concern you, as this is often one of the easiest threats to mitigate effectively.


    14,335 incidents, 4 with confirmed data disclosure

    Denial55 of Service (DoS) is one of those infosec threats that actually can be addressed. This is the one you do something about for an injection of self-empowerment when you’re feeling down about the latest threat du jour that you have no clue how to stop. Admittedly, as we can see in Figure 50 it’s not a small threat. In fact it’s the most common pattern across all incidents.

    But when you look at Figure 51, you’ll notice that the median bits per second (bps) of 1.3 Gbps may be only a bit (no pun intended) more than your home internet connection. Ninety five percent of incidents fell between 13 Mbps and 99 Gbps, an easily mitigatable range. So, sign up for a DoS mitigation service and reward yourself with that cannoli you’ve had your eye on.

  • Figure 50
  • Figure 51
  • Figure 52
  • One reason DDoS attacks aren’t more of a threat is that those mean56 packets have to cross a lot of internet to get to you. Figure 52 covers just how much DDoS is getting blocked at various places, from Internet Service Providers (ISPs) at the start of the trip, to Autonomous System Numbers (ASNs) in the middle, to Content Delivery Networks (CDNs) that your site might sit behind. All have a hand in mitigating the attack. 

    In Figure 53 we take a quick look at a couple of different types of attacks. DoS attacks can be direct (packets come directly from the actor or their botnets) or reflected (actor sends packets to a vulnerable service that then reflects the packets to the victim). They can also be intended for resource exhaustion (send packets that cause abnormal load on memory or processing) or volumetric (lots and lots of packets). What we see is that there aren’t many differences between the different attack types (and frankly, a single DDoS attack57 can use multiple).

    We bounce back and forth a bit between packets per second (PPS) and bits per second (BPS). We do so largely based on the data we have available, but in case that is what’s keeping you up at night right now, we’d like to put your fears to rest.58 For any given packet type, (and there are several), there’s a fixed range of how many bytes you can expect in the packet. You can see that in the linear nature of Figure 54. And so, whether we’re using BPS or PPS, the conclusions are still the same.

  • Figure 53
  • Figure 54
  • Figure 55 gives you an idea of the equality in DDoS packets per second. It shows that for the majority of organizations, the data is pretty spikey. Figure 56 shows predictions of a Recurrent Neural Network (RNN) trained on 450,000 DDoS attacks. All it does is predict the average DDoS timing and fails if the DDoS is anything but average. Don’t spend your time worrying about predicting the next DDoS. You can’t predict it. Hire a service to handle it for you and it’s cannoli time.

  • Figure 55
  • Figure 56
  • 55 It’s not just a river in Egypt, Harry.

    56 Malevolent mean, not average mean.

    57 In fact, what is a DDoS attack really? Does it start with the first packet and end with the last? How would we know? What if it’s a different botnet at the same time? Or if it stops for a few seconds and starts again? Or… or…. When did the DBIR footnotes become the Wikipedia discussion page?

    58 Metaphorically and literally.

Let's get started.