Arbor Networks: Average DDoS Attack Size Increasing

By Peter Bernstein July 21, 2015

Data breaches probably rightfully get the headlines. However, it is hard to argue that in terms of damage to business “in-the-moment” and potentially longer term, Distributed Denial of Service (DDoS) attacks remain anything other than a major bane of IT departments. And, while DDoS attacks come in many flavors and the motives of those with malicious intent for perpetrating such attacks are varied as well, the basics are the same.

A DDoS is an explicit attempt by attackers to prevent legitimate users of an online service from accessing that service. They do so by flooding service hosts and resources with the goal of crippling them temporarily or crashing them indefinitely. The attacks are called “distributed” because the traffic comes from more than one, typically thousands of, IP addresses. This is done in order to protect the bad guys from getting caught. It should also be noted that, like earthquakes, the magnitude of the damage is a function of the size and duration of the disturbance.

Burlington, Massachusetts-based Arbor Networks is a leading provider of DDoS and advanced threat protection solutions. The good news is that as a company with a vast amount of information about DDoS attacks, it is always useful to take a look when they release reports on what they are seeing. The not-so-good news is that the company’s recently released Q2 2015 global DDoS attack data shows “strong growth in the average size of distributed denial-of-service (DDoS) attacks, from both a bits-per-second and packets-per-second perspective.”

As the company explains, its data is gathered through ATLAS, a collaborative partnership with more than 330 service provider customers who share anonymous traffic data with Arbor in order to deliver a comprehensive, aggregated view of global traffic and threats. ATLAS collects 120TB/sec of Internet traffic and is the source of data for the Digital Attack Map, a visualization of global DDoS attacks created in collaboration with Google Ideas.

The trend is not our friend

Speaking of visualization, Arbor in releasing the latest results from ATLAS provided the graphic below.

Source: Arbor Networks, Q2 2015 global DDoS attack data

The charts tell a tale for concern. Arbor says that the largest attack monitored in Q2 was a 196GB/sec UDP flood, a large, but no longer uncommon attack size. They add that, “Of most concern to enterprise networks is the growth in the average attack size. In Q2, 21 percent of all attacks topped 1GB/sec, while the most growth was seen in the 2-10GB/sec range.” In addition, there was also a significant spike in the number of attacks in the 50-100GB/sec range in June, mainly SYN Floods targeting destinations in the U.S. and Canada.

“Extremely large attacks grab the headlines, but it is the increasing size of the average DDoS attack that is causing headaches for enterprise around the world,” said Arbor Networks Chief Security Technologist Darren Anstee. “Companies need to clearly define their business risk when it comes to DDoS. With average attacks capable of congesting the Internet connectivity of many businesses, it is essential that the risks and costs of an attack are understood, and appropriate plans, services and solutions put in place.”

Getting more bang for the badness


In addition to the information above, as part of the release of its findings, Arbor also goes into some detail about a technique that only makes matters worse. Known as Reflection Amplification Attacks, they use a technique that allows an attacker to magnify the amount of traffic they can generate. But they also reflect the sophistication of attackers, as reflection attacks have the added malicious benefit of doing a better job of obfuscating attack traffic sources.

Here is what Arbor has to say about the growth in the use of reflection amplification attacks: “This technique relies on two unfortunate realities: firstly, many service providers still do not implement filters at the edge of their network to block traffic with a ‘forged’ (spoofed) source IP address; secondly, there are plenty of poorly configured and poorly protected devices on the Internet providing UDP services that offer an amplification factor between a query sent to them and the response which is generated. The majority of very large volumetric attacks leverage a reflection amplification technique using the Network Time Protocol (NTP), Simple Service Discovery Protocol (SSDP) and DNS servers, with large numbers of significant attacks being detected all around the world.”
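The two “unfortunate realities” in the quote above map directly onto two things a network defender can check. The following is an added example, not code from the article or from Arbor Networks: an ingress (BCP 38-style) anti-spoofing filter for a provider edge, and a detection pass over flow summaries that attributes inbound UDP bytes to the reflector services the report names (NTP, SSDP, DNS, Chargen) and estimates whether the aggregate rate would congest the destination's link, which is the “average attacks capable of congesting the Internet connectivity” concern. The customer prefix table, the flow records, the link capacities and the thresholds are all constructed sample data and assumptions, not values from the report.

```python
"""Added example, not code from the article or from Arbor Networks.

1. ingress_filter(): a BCP 38-style anti-spoofing check at a provider edge.
   A packet arriving on a customer port is forwarded only if its source IP
   lies inside that customer's assigned prefixes, so a forged source cannot
   be used to point reflector responses at a victim.
2. flag_reflection(): a detection pass over flow summaries that groups inbound
   traffic by destination, attributes UDP bytes to known reflector services by
   source port, and estimates whether the aggregate rate would congest the
   destination's Internet link.

All prefixes, flow records, link capacities and thresholds are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed customer-port -> assigned-prefix table (hypothetical).
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/25"),
               ipaddress.ip_network("203.0.113.128/25")],
}

# UDP source ports of the reflector services named in the article.
REFLECTOR_PORTS = {19: "Chargen", 53: "DNS", 123: "NTP", 1900: "SSDP"}

# Constructed per-destination Internet link capacities in bits per second.
LINK_CAPACITY_BPS = {"198.51.100.10": 1_000_000_000, "203.0.113.5": 100_000_000}

MIN_ATTACK_BPS = 10_000_000      # assumed floor; ignores ordinary DNS/NTP replies
REFLECTOR_SHARE_THRESHOLD = 0.8  # assumed fraction of UDP bytes from reflector ports

# Constructed flow summaries for a 60 s window:
# (proto, src_ip, src_port, dst_ip, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    ("udp", "192.0.2.10", 123, "198.51.100.10", 80, 15_000_000, 6_600_000_000),  # NTP, ~440 B/pkt
    ("udp", "192.0.2.11", 1900, "198.51.100.10", 80, 5_000_000, 1_500_000_000),  # SSDP, ~300 B/pkt
    ("udp", "192.0.2.12", 53, "198.51.100.10", 80, 1_000_000, 1_400_000_000),    # DNS, ~1400 B/pkt
    ("tcp", "192.0.2.50", 443, "198.51.100.10", 51000, 10_000, 8_000_000),       # ordinary HTTPS
    ("udp", "192.0.2.60", 53, "203.0.113.5", 33433, 200, 40_000),                # ordinary DNS answers
]


def ingress_filter(port, src_ip):
    """Return True if a packet from customer `port` with source `src_ip` may be
    forwarded; False drops it as spoofed (or as arriving from an unknown port)."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in CUSTOMER_PREFIXES.get(port, []))


def flag_reflection(flows, window_seconds=60, links=LINK_CAPACITY_BPS):
    """Summarise inbound traffic per destination and flag likely reflection
    amplification floods. Returns {dst_ip: summary_dict}."""
    total = defaultdict(int)       # all inbound bytes per destination
    udp = defaultdict(int)         # inbound UDP bytes per destination
    reflector = defaultdict(int)   # UDP bytes whose source port is a reflector service
    by_service = defaultdict(lambda: defaultdict(int))
    for proto, _src, sport, dst, _dport, _pkts, nbytes in flows:
        total[dst] += nbytes
        if proto != "udp":
            continue
        udp[dst] += nbytes
        service = REFLECTOR_PORTS.get(sport)
        if service:
            reflector[dst] += nbytes
            by_service[dst][service] += nbytes
    report = {}
    for dst, nbytes in total.items():
        bps = nbytes * 8 / window_seconds
        share = reflector[dst] / udp[dst] if udp[dst] else 0.0
        report[dst] = {
            "bps": bps,
            "reflector_share": share,
            "by_service": dict(by_service[dst]),
            "suspected_reflection": share >= REFLECTOR_SHARE_THRESHOLD and bps >= MIN_ATTACK_BPS,
            "congests_link": bps >= links.get(dst, float("inf")),
        }
    return report


if __name__ == "__main__":
    print("spoofed source dropped:", not ingress_filter("cust-a", "203.0.113.9"))
    for dst, s in flag_reflection(SAMPLE_FLOWS).items():
        print(f"{dst}: {s['bps'] / 1e9:.2f} Gbps, reflector share {s['reflector_share']:.0%}, "
              f"suspected={s['suspected_reflection']}, congests={s['congests_link']}")
```

Run as a script, the constructed flows produce roughly 1.27 Gbps toward 198.51.100.10, entirely from NTP, SSDP and DNS source ports, which exceeds the assumed 1 Gbps link; the small DNS traffic toward 203.0.113.5 has the same reflector-port signature but stays below the rate floor and is not flagged. Both thresholds are starting points to tune against a site's own baseline, not values from the report.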

In terms of some numbers about these attacks, the findings include:

  • There is some evidence that the storm of reflection amplification attacks utilizing SSDP might be abating slightly, with 84,000 tracked in Q2 (similar to the Q4 level) down from 126,000 in Q1 2015.
  • The average attack sizes for DNS, NTP, SSDP and Chargen reflection amplification attacks all increased in Q2 2015.
  • 50 percent of reflection attacks in Q2 targeted UDP port 80 (HTTP/U).
  • Average duration of a reflection attack was 20 minutes in Q2 (19 minutes in Q1).

Part of the takeaway from this is that merely following best practices can mitigate the risks of being compromised by a DDoS attack. However, best practices are no longer sufficient. Indeed, as the data indicates, those with malice are upping the ante; seeing, mitigating or hopefully preventing DDoS from causing havoc with your business is a priority. Having the best tools for being more alert and responsive before, during and after an assault on your network resources and services is now table stakes for deterring bad guys from considering your company easy prey.

One thing we know about these types of attacks, and the reason to watch the data about them, is that if they can be prevented or do not work as expected once unleashed, bad actors will look elsewhere or devise new means to take your organization offline. Again, unfortunately, we also know that if a little bit of something causes pain, then finding ways to increase the dosage to inflict more pain is going to be a priority. And, while the quantification of the damage done is not part of this particular report, other analyses speak to the hundreds of millions of dollars that can be lost with just a short period of being offline.

Edited by Dominick Sorrentino