Reflected distributed denial of service (DDoS) attacks continue to increase, particularly among large-scale DDoS events, but a relatively new type of amplification attack, one that exploits the Simple Service Directory Protocol (SSDP), is the standout finding of a new Arbor Networks report.

Data from the report reflects attacks monitored in the third quarter. In addition to SSDP reflection attacks, DDoS attacks exploiting vulnerable Network Time Protocol (NTP) servers remain relevant as well, despite decreasing in frequency.

The report concludes that large-scale DDoS attacks are increasing in frequency, a finding that corroborates the research published in NSFOCUS’s recent DDoS report and elaborates on the data revealed in Arbor Networks’ previous report.

Reflection attacks are those in which an adversary forges the victim’s Internet protocol address as the source of a large number of requests sent to a massive number of machines. Those machines then send their responses to the victim’s network, producing an overwhelming flood of traffic that knocks the network offline if the attack succeeds. The method thus offers a relatively simple way of amplifying the effect of a DDoS attack.

SSDP reflection attacks have burst onto the scene, increasing at a more rapid rate than any other type of attack, while the better-known NTP reflection attacks are trending downward. SSDP is the network protocol that universal plug and play devices use to announce themselves and discover one another on a network.

SSDP reflection accounted for nine percent of all DDoS attacks in the month of September. For attacks of more than 10 Gbps, SSDP reflection accounted for 42 percent of attacks in that month.

In all, SSDP attacks occurred 33,000 times in Q3, though there is no Q2 baseline to compare that figure against because Arbor Networks was monitoring the method on only a limited basis in Q2.

“Arbor monitored very few attacks using SSDP as a reflection mechanism in Q2, but nearly 30,000 attacks with this source port in Q3 alone, with one such attack reaching 124Gbps. The data confirms what Arbor has called The Hockey Stick Era, with a continuing trend towards large volumetric attacks, a consistent theme throughout 2014.”

As with NTP reflection, attackers exploit SSDP-enabled devices because the protocol’s intended behavior can be easily adapted to substantially amplify the volume of a standard DDoS attack without requiring extreme computing resources. As it stands, the maintainers of such devices are doing little to prevent such attacks.
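As an added illustration (not code from the Arbor report or the article), the following Python heuristic flags the reflection pattern described above in NetFlow-style records: many distinct sources all answering from an amplifier's service port toward one destination, with large average packet sizes. The SSDP (UDP 1900) and NTP (UDP 123) port numbers are the standard assignments for those services; the flow records themselves are constructed.

```python
"""Flag UDP reflection/amplification floods in constructed flow records.

Heuristic: many distinct sources, all sending from a reflector service
port (SSDP 1900, NTP 123 -- standard port assignments) toward a single
destination, with a large average packet size. Records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

REFLECTOR_PORTS = {1900: "SSDP", 123: "NTP"}  # UDP ports abused as reflectors


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    octets: int


# Constructed sample flows (RFC 5737 documentation addresses, not real traffic).
# 198.51.100.7 is the victim: many devices answer from UDP/1900 to a high port.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 1900, "198.51.100.7", 51234, 400, 120_000),
    Flow("203.0.113.11", 1900, "198.51.100.7", 51234, 380, 114_000),
    Flow("203.0.113.12", 1900, "198.51.100.7", 51234, 420, 126_000),
    Flow("203.0.113.13", 1900, "198.51.100.7", 51234, 390, 117_000),
    Flow("192.0.2.5", 123, "198.51.100.9", 40000, 2, 180),      # one small NTP reply
    Flow("192.0.2.6", 443, "198.51.100.9", 40001, 50, 60_000),  # ordinary web traffic
]


def detect_reflection(flows, min_sources=3, min_avg_octets=200):
    """Return {(dst, service): stats} for destinations that look like reflection targets."""
    by_target = defaultdict(lambda: {"sources": set(), "packets": 0, "octets": 0})
    for f in flows:
        service = REFLECTOR_PORTS.get(f.sport)
        if service is None:
            continue  # not a known reflector service port
        agg = by_target[(f.dst, service)]
        agg["sources"].add(f.src)
        agg["packets"] += f.packets
        agg["octets"] += f.octets
    alerts = {}
    for key, agg in by_target.items():
        avg = agg["octets"] / agg["packets"]
        if len(agg["sources"]) >= min_sources and avg >= min_avg_octets:
            alerts[key] = {"sources": len(agg["sources"]), "avg_octets": round(avg, 1), "octets": agg["octets"]}
    return alerts
```

Thresholds are deliberately low for the toy data; on production flow telemetry they would be tuned per link, and the same aggregation can be keyed on destination port to separate a reflected flood from legitimate replies to queries the victim actually sent.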

“Everyone is aware of the huge storm of NTP reflection DDoS attacks in Q1 and early Q2, but although NTP reflection is still significant there isn’t as much going on now as there was – unfortunately, it is looking more and more like SSDP will be the next protocol to be exploited in this way,” explains Arbor Networks’ Darren Anstee. “Organizations should take heed and ensure that their DDoS defense is multi-layered, and designed to deal with both attacks that can saturate their connectivity, and more stealthy, sophisticated application layer attacks.”

NTP reflection and amplification attacks remain significant. Following their explosion in the first quarter, they have been trending downward. However, NTP reflection continues to account for more than 50 percent of the biggest attacks, those registering more than 100 Gbps.

Considering the continued relevance of NTP attacks and the sudden emergence of SSDP attacks, it should come as little surprise that high-volume attacks are more commonplace than ever, with 133 attacks of 100 Gbps or more this year and 16.5 percent of all attacks clocking in above 1 Gbps. That’s a 1.2 percent increase from the previous quarter. The largest attack peaked at just under 265 Gbps. The average attack size was 859 Mbps.

Events also appear to be getting longer, as the share of attacks lasting longer than an hour has increased to 91.2 percent. Among attacks larger than 10 Gbps, the U.S., China and Brazil are the most common targets, accounting for 7.6 percent, 5.9 percent and 1.1 percent respectively. The U.S., France and Denmark receive more attacks of 100 Gbps or larger than any other nations, accounting for 17.6 percent, 10.8 percent and 8.4 percent of those attacks.

Categories: Vulnerabilities, Web Security

Comments (3)

Brian Donohue (2)

The intent is somewhat clear: to cause downtime. It is possible that the downtime is cover for a more direct attack on IP or other valuable data. Sources, of course, are hard to come by. I’ll see if there is anything about sources that I may have overlooked in the report later on today.

Mark (3)

My question is: why haven’t ISPs implemented egress filters yet en masse? It would be very simple to just blackhole traffic claiming to be from an IP address that is not owned by the originating network, in effect preventing spoofed source IPs (and reflection/amplification attacks as a result).
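The filtering Mark describes is usually called source address validation (BCP 38). As an added example, not part of the comment or the article, this Python sketch implements the strict unicast reverse-path forwarding check that generalizes it: a packet is forwarded only if the best route to its source address points back out the interface it arrived on. The routing table, interface names and packets are constructed.

```python
"""Strict source-address validation (BCP 38 / strict uRPF) at a network edge.

A packet is accepted only if the longest-prefix-match route to its *source*
address uses the interface the packet arrived on. Routing table, interface
names and packets below are constructed (RFC 5737 documentation ranges).
"""
import ipaddress

# Constructed routing table: prefix -> interface through which it is reached.
ROUTES = {
    ipaddress.ip_network("203.0.113.0/24"): "cust-a",     # customer A's allocation
    ipaddress.ip_network("198.51.100.0/25"): "cust-b",    # customer B's allocation
    ipaddress.ip_network("198.51.100.128/25"): "cust-c",  # customer C's allocation
    ipaddress.ip_network("0.0.0.0/0"): "upstream",        # default route to the Internet
}


def lookup(addr):
    """Longest-prefix match: return the interface the route to addr points at."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in ROUTES.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def strict_urpf(src, in_iface):
    """True if src is legitimately reachable via in_iface; False means likely spoofed.

    Strict mode assumes symmetric routing; multihomed customers need loose
    mode or an explicit prefix list instead, which the same lookup supports.
    """
    return lookup(src) == in_iface


def filter_egress(packets):
    """Split (src, dst, in_iface) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        src, _dst, iface = pkt
        (forwarded if strict_urpf(src, iface) else dropped).append(pkt)
    return forwarded, dropped


# Constructed packets: the second and third carry source addresses that do
# not belong to the network they arrived from and would be blackholed.
PACKETS = [
    ("203.0.113.44", "192.0.2.10", "cust-a"),    # genuine customer A traffic
    ("192.0.2.10", "203.0.113.99", "cust-a"),    # customer A spoofing an outside host
    ("198.51.100.200", "192.0.2.10", "cust-b"),  # customer B using customer C's address
    ("198.51.100.200", "192.0.2.10", "cust-c"),  # genuine customer C traffic
]
```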
