Global DDoS attack data for the second quarter shows strong growth in the average size of DDoS attacks, from both a bits-per-second and packets-per-second perspective.
That’s according to Arbor Networks, which found that the largest attack monitored in Q2 was a 196Gbps UDP flood, which it characterized as a large, but no longer uncommon, attack size.
The average attack sizes for DNS, NTP, SSDP and Chargen reflection amplification attacks all increased in Q2 2015. About one-fifth (21%) of all attacks topped 1Gbps, while the most growth was seen in the 2-10Gbps range. However, there was also a significant spike in the number of attacks in the 50-100Gbps range in June, mainly SYN floods targeting destinations in the US and Canada.
“Extremely large attacks grab the headlines, but it is the increasing size of the average DDoS attack that is causing headaches for enterprises around the world,” said Arbor Networks chief security technologist, Darren Anstee. “Companies need to clearly define their business risk when it comes to DDoS. With average attacks capable of congesting the Internet connectivity of many businesses, it is essential that the risks and costs of an attack are understood, and appropriate plans, services and solutions put in place.”
Arbor’s data is gathered through its Active Threat Level Analysis System (ATLAS), a collaborative partnership with more than 330 service provider customers who share anonymized traffic data with Arbor. The shared data, drawn from some 120 terabits per second of monitored traffic, is aggregated into a global view of traffic and threats.
ATLAS shows that a majority of very large volumetric attacks leverage a reflection amplification technique using Network Time Protocol (NTP), Simple Service Discovery Protocol (SSDP) and DNS servers, with large numbers of significant attacks being detected all around the world.
Reflection amplification is a technique that lets an attacker both magnify the amount of traffic they can generate and obscure the true source of that traffic: queries carrying the victim’s address as the forged source are sent to third-party servers, whose much larger replies go to the victim. The technique relies on two unfortunate realities. First, many service providers still do not implement anti-spoofing filters (BCP 38 ingress filtering) at the edge of their network to drop traffic with a ‘forged’ (spoofed) source IP address. Second, there are plenty of poorly configured and poorly protected devices on the Internet running UDP services whose response is many times larger than the query that triggers it, giving the attacker an amplification factor between the query sent and the response generated.
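The two conditions above map directly onto two checks a network operator can run. The following is an added example written for this article, not code from Arbor or from ATLAS: a BCP 38 style egress check over a provider’s own prefixes, and a flow-record heuristic that aggregates inbound UDP bytes arriving from the well-known reflector ports (DNS 53, NTP 123, SSDP 1900, Chargen 19) per destination and flags anything above a rate threshold. The prefixes, the flow records and the sizes are all constructed for illustration; the 198.51.100.0/24 and 203.0.113.0/24 blocks are assumed to be “our” allocations, and 192.0.2.0/24 stands in for the rest of the Internet.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical prefixes allocated to "our" network (an assumption for this example).
OUR_PREFIXES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

# UDP source ports of the reflector services the article names.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 19: "Chargen"}


def amplification_factor(request_bytes, response_bytes):
    """Bytes of reply produced per byte of query: the attacker's multiplier."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def spoofed_source(src_ip, prefixes=OUR_PREFIXES):
    """BCP 38 egress check: a packet leaving our network must carry one of our
    own source addresses. Returns True when the source is not ours (spoofed)."""
    addr = ip_address(src_ip)
    return not any(addr in p for p in prefixes)


def egress_violations(flows, prefixes=OUR_PREFIXES):
    """Outbound flows whose source address we never allocated: these are the
    spoofed queries that turn third-party UDP services into reflectors."""
    return sorted({f["src"] for f in flows
                   if f["dir"] == "out" and spoofed_source(f["src"], prefixes)})


def reflection_candidates(flows, window_s, threshold_mbps):
    """Sum inbound UDP bytes from well-known reflector ports per destination and
    flag destinations whose rate over the window is at least threshold_mbps."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f["dir"] != "in" or f["proto"] != "udp":
            continue
        service = REFLECTOR_PORTS.get(f["sport"])
        if service is None:
            continue
        per_dst[f["dst"]][service] += f["bytes"]
    result = {}
    for dst, by_service in per_dst.items():
        mbps = {s: b * 8 / window_s / 1e6 for s, b in by_service.items()}
        total = sum(mbps.values())
        if total >= threshold_mbps:
            mbps["total"] = total
            result[dst] = mbps
    return result


def flow(direction, src, sport, dst, dport, proto, nbytes):
    """Minimal NetFlow-like record (constructed format, not a real export)."""
    return dict(dir=direction, src=src, sport=sport, dst=dst, dport=dport,
                proto=proto, bytes=nbytes)


# Constructed sample: one 60-second window of flow records seen at our edge.
WINDOW_S = 60
SAMPLE_FLOWS = [
    # Inbound: four NTP and two SSDP reflectors hitting 198.51.100.10 on UDP/80
    flow("in", "192.0.2.1", 123, "198.51.100.10", 80, "udp", 75_000_000),
    flow("in", "192.0.2.2", 123, "198.51.100.10", 80, "udp", 75_000_000),
    flow("in", "192.0.2.3", 123, "198.51.100.10", 80, "udp", 75_000_000),
    flow("in", "192.0.2.4", 123, "198.51.100.10", 80, "udp", 75_000_000),
    flow("in", "192.0.2.5", 1900, "198.51.100.10", 80, "udp", 15_000_000),
    flow("in", "192.0.2.6", 1900, "198.51.100.10", 80, "udp", 15_000_000),
    # Inbound: an ordinary DNS answer to another host, far below any threshold
    flow("in", "192.0.2.53", 53, "198.51.100.20", 41234, "udp", 20_000),
    # Inbound TCP from port 80 is not a UDP reflector and is ignored
    flow("in", "192.0.2.80", 80, "198.51.100.30", 51000, "tcp", 5_000_000),
    # Outbound: a legitimate NTP query carrying one of our own addresses
    flow("out", "198.51.100.5", 40000, "192.0.2.1", 123, "udp", 90),
    # Outbound: the same query with a forged source, i.e. someone else's victim
    flow("out", "192.0.2.99", 40000, "192.0.2.1", 123, "udp", 90),
]

if __name__ == "__main__":
    print("64-byte query, 3072-byte reply ->", amplification_factor(64, 3072), "x")
    print("spoofed sources leaving our edge:", egress_violations(SAMPLE_FLOWS))
    for dst, rates in reflection_candidates(SAMPLE_FLOWS, WINDOW_S, 10).items():
        print(dst, {k: round(v, 2) for k, v in rates.items()}, "Mbps")
```

The egress check is the provider-side fix the article alludes to: if the spoofed outbound query in the sample were dropped at the edge, the reflectors would never see it. The inbound heuristic is deliberately coarse (source port plus rate), which is what makes it cheap to run over flow exports; a production detector would also look at packet sizes and the number of distinct reflector sources per destination before declaring an attack.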
There is some evidence that the storm of reflection amplification attacks using SSDP might be abating slightly: 84,000 were tracked in Q2 (similar to the Q4 2014 level), down from 126,000 in Q1.
Other data points of note: half (50%) of reflection attacks in Q2 targeted UDP port 80 (HTTP/U), and the average duration of a reflection attack was 20 minutes in Q2 (vs. 19 minutes in Q1).