DDoS attack size up 73% from 2015
Distributed denial of service attacks continue to be popular with attackers, increasing in size, complexity and frequency in the first half of 2016, according to the latest global report by Arbor Networks.
The most powerful distributed denial of service (DDoS) attack in the first half of 2016 was 579 gigabits per second (Gbps), according to the latest global report from Arbor Networks.
This represents a 73% increase from the largest attack recorded in 2015 by Arbor Networks, the security division of Netscout.
The report shows not only an increase in the size of DDoS attacks, but also an increase in frequency, based on data gathered from Atlas, a collaborative partnership with more than 330 service provider customers who share anonymous traffic data with Arbor to gain a comprehensive, aggregated view of global traffic and threats.
DDoS remains a common attack type due to the easy availability of free tools and inexpensive online services that enable anyone with a grievance and an internet connection to launch an attack.
This has led to an increase in the frequency, size and complexity of attacks in recent years, the report said, with an average of 124,000 DDoS attacks a week in the past 18 months.
In the past six months, Atlas recorded 274 attacks over 100Gbps, compared with 223 in all of 2015, and 46 attacks over 200Gbps compared with 16 in all of 2015.
The UK, the US and France are the top targets for attacks over 10Gbps, the report said.
But as Arbor’s researchers reported in June, large DDoS attacks no longer require the use of reflection amplification techniques.
An internet of things (IoT) LizardStresser botnet was used to launch attacks as large as 400Gbps, targeting gaming sites worldwide, Brazilian financial institutions, ISPs and government institutions.
According to the researchers, the attack packets do not appear to come from spoofed source addresses, which means the traffic originates directly from the source addresses in the packets, without amplification through services based on the user datagram protocol (UDP), such as the network time protocol (NTP) or the simple network management protocol (SNMP).
However, reflection amplification allows an attacker to both magnify the amount of traffic they can generate, and obfuscate the original sources of that attack traffic. Consequently, most recent large attacks used this technique, exploiting domain name system (DNS) servers, NTP and simple service discovery protocol (SSDP), the report said.
As a result, in the past six months, DNS was the most prevalent protocol, taking over from NTP and SSDP in 2015. The average size of DNS reflection amplification attacks grew strongly, and the peak monitored reflection amplification attack size was 480Gbps.
The report also highlights the fact that even attacks that bombard targeted websites and networks at a rate of only 1Gbps can be enough to take most organisations completely offline.
In the first half of 2016, the average attack size was 986Mbps, a 30% increase over 2015, and the average attack size is projected to be 1.15Gbps by the end of 2016.
“The data demonstrates the need for hybrid, or multi-layer DDoS defence,” said Darren Anstee, chief security technologist at Arbor Networks.
“High bandwidth attacks can only be mitigated in the cloud, away from the intended target,” he said. “However, despite massive growth in attack size at the top end, 80% of all attacks are still less than 1Gbps and 90% last less than one hour.”
According to Anstee, on-premises protection provides the rapid reaction needed and is key against “low and slow” application-layer attacks, as well as state exhaustion attacks targeting infrastructure such as firewalls.