DDoS trends: Bigger, badder but not longer
10Gbps is the new norm, warns Arbor Networks
DDoS attacks once again escalated in both size and frequency during the first six months of 2016.
Netscout's DDoS mitigation arm Arbor Networks warns that attacks greater than 100Gbps are far from uncommon. The security firm has monitored 274 attacks over 100Gbps in the first half of 2016, versus 223 in all of 2015.
The biggest single attack maxed out at an eye-watering 579Gbps, a 73 per cent increase in peak attack size over 2015.
The US, France and the UK are the top targets for attacks over 10Gbps. The average attack size in the first half of 2016 was 986Mbps, a 30 per cent increase over 2015, and enough to knock most organizations completely offline.
"High-bandwidth attacks can only be mitigated in the cloud, away from the intended target," said Darren Anstee, Arbor Networks' chief security technologist.
"However, despite massive growth in attack size at the top end, 80 per cent of all attacks are still less than 1Gbps and 90 per cent last less than one hour. On-premise protection provides the rapid reaction needed and is key against 'low and slow' application-layer attacks, as well as state exhaustion attacks targeting infrastructure such as firewalls and IPS."
Contrary to what many techies might believe, large DDoS attacks do not require the use of reflection amplification techniques. LizardStresser, an IoT botnet, was used to launch attacks as large as 400Gbps targeting gaming sites worldwide, Brazilian financial institutions, ISPs and government institutions.
According to ASERT, Arbor's Security Engineering and Response Team, the attack packets did not appear to come from spoofed source addresses, and no UDP-based amplification protocols such as NTP or SNMP were used: the traffic came straight from the compromised devices themselves.
Reflection amplification is a technique that lets attackers both magnify the amount of traffic they can generate and hide its true origin. The attacker sends small requests to open, insecure NTP or DNS servers with the victim's address forged as the source, so those servers answer with much larger responses that land on the victim, which only ever sees the reflectors' addresses. Outside of the LizardStresser example, it is by far the most common means of running a high-volume DDoS attack.
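The two traffic profiles described above, reflected UDP responses versus a direct botnet flood, look different in flow records, and that difference is what an on-premise or upstream mitigation system keys on. The Python script below is an added example, not code from Arbor or from the article: it parses a constructed flow-record format (src:port dst:port proto packets bytes, an assumption for illustration) and classifies each victim's inbound traffic as reflection amplification when most of the bytes arrive as UDP from well-known reflector source ports. The reflector port list, the 80 per cent threshold and the sample addresses (RFC 5737 documentation ranges) are all assumptions chosen for the example.

```python
"""Classify constructed flow records as reflection amplification or direct flood.

Added example; the flow format, port list and thresholds are assumptions, not
Arbor's or ATLAS's own logic.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors (assumed list; the article names NTP,
# DNS and SNMP). Reflected traffic arrives with one of these as the SOURCE port.
REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 161: "SNMP", 1900: "SSDP", 19: "chargen"}

# Share of bytes from reflector ports above which we call it reflection (assumption).
REFLECTION_THRESHOLD = 0.8


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "udp" or "tcp"
    packets: int
    bytes: int


# Constructed sample: victim .10 receives NTP/DNS responses from several
# reflectors; victim .20 receives a direct flood from bot IPs on high source ports.
SAMPLE_FLOWS = """
# src:port dst:port proto packets bytes
198.51.100.11:123 203.0.113.10:41000 udp 2000 936000
198.51.100.12:123 203.0.113.10:41000 udp 2000 936000
198.51.100.13:53  203.0.113.10:41000 udp 500 1500000
198.51.100.14:53  203.0.113.10:41000 udp 500 1500000
192.0.2.77:44123  203.0.113.10:80    tcp 100 6000
192.0.2.21:51234 203.0.113.20:80  tcp 5000 300000
192.0.2.22:51235 203.0.113.20:80  tcp 5000 300000
192.0.2.23:40001 203.0.113.20:443 udp 4000 4000000
192.0.2.24:40002 203.0.113.20:443 udp 4000 4000000
"""


def parse_flows(text):
    """Parse the constructed 'src:port dst:port proto packets bytes' format."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, pkts, byts = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(sip, int(sport), dip, int(dport), proto.lower(), int(pkts), int(byts)))
    return flows


def classify(flows, window_seconds):
    """Per victim (dst_ip): rate in Gbps, distinct sources, packet size and verdict."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst_ip].append(f)
    results = {}
    for dst, fl in by_dst.items():
        total_bytes = sum(f.bytes for f in fl)
        total_pkts = sum(f.packets for f in fl)
        reflected = [f for f in fl if f.proto == "udp" and f.src_port in REFLECTOR_PORTS]
        share = sum(f.bytes for f in reflected) / total_bytes
        results[dst] = {
            "gbps": round(total_bytes * 8 / window_seconds / 1e9, 3),
            "sources": len({f.src_ip for f in fl}),
            "avg_packet_bytes": round(total_bytes / total_pkts),
            "reflection_share": round(share, 2),
            "reflector_services": sorted({REFLECTOR_PORTS[f.src_port] for f in reflected}),
            "verdict": "reflection_amplification" if share >= REFLECTION_THRESHOLD else "direct_flood",
        }
    return results


if __name__ == "__main__":
    # Treat the sample as one second of traffic (assumption) to get a bit rate.
    for victim, summary in classify(parse_flows(SAMPLE_FLOWS), window_seconds=1).items():
        print(victim, summary)
```

A direct flood like the LizardStresser case shows up as many real source addresses on ephemeral ports and a reflection share near zero, while a reflected attack is dominated by large UDP packets whose source port is a service port and whose sources are open servers rather than end devices; a mitigation policy can therefore rate-limit or drop UDP from reflector ports toward the victim without touching the TCP traffic that legitimate users send.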
"DDoS remains a commonly used attack type due to the ready availability of free tools and inexpensive online services that allow anyone with a grievance and an internet connection to launch an attack," Arbor warns. "This has led to an increase in the frequency, size and complexity of attacks in recent years."
Arbor's data is gathered through Active Threat Level Analysis System (ATLAS), a collaborative partnership with more than 330 service provider customers who share anonymous traffic data with Arbor in order to collectively benefit from a comprehensive, aggregated view of global traffic and threats. ®