High-Volume, High-Rate DDoS Attacks Persist

A new report illustrates the continued proliferation of both high-volume and high-rate distributed denial of service attacks, like the ones executed via NTP amplification, over the last few months.

As expected, the numbers back up the continued proliferation of both high-volume and high-rate distributed denial of service attacks – like the ones executed via NTP amplification – over the last few months.

NSFOCUS, a security firm that measures DDoS traffic, released its Mid-Year Threat Report today, outlining a sustained increase in shorter, stronger attacks.

Over 50 percent of attacks the firm has monitored so far in 2014 have been above 0.2 million packets per second, up from 16 percent during the tail end of 2013.

Five percent of attacks NSFOCUS observed reached volumes in excess of 4 Gbps, a la the attacks that brought down servers at Network Time Protocol (NTP) and Cloudflare earlier this year.

The five percent figure is a far cry from the 0.9 percent of attacks it saw with those volumes in the second half of 2013 and clearly shows that bigger, more damaging DDoS attacks are on the rise.

A rise in traffic rate, naturally, coincided with the rise in volume.

According to the firm, a third of attacks from January to June peaked over 500 Mbps in volume, a big uptick from 2013 when the majority of traffic, 90 percent, clocked in under 500 Mbps.

“The ongoing trends in the duration and the size of the attack traffic can most likely be attributed to a variety of elements including technological developments, network environment evolution and changes in the pattern of DDoS for profit,” Terence Chong, a Solutions Architect at the company, said about the DDoS shifts this week.

While the bulk of distributed denial of service attacks observed in the first half of 2014 lasted under 30 minutes – a number that’s remained stable since last year – interestingly enough, one managed to last a staggering 228 hours, or 9 straight days.

Three DDoS techniques, HTTPS Flood, TCP Flood, and DNS Flood, remained the favorite types of attack for criminals. The three combined to comprise 87 percent of all attacks, yet DNS Flood reigned supreme at 42 percent.

For the most part the numbers complement those published by network security firm Arbor Networks earlier this summer. In July Arbor discovered that there had been more than 100 attacks of 100 Gbps or more in the first half of this year and credited that stat to attackers taking advantage of NTP.

While Arbor gathers its traffic statistics from nearly 300 ISPs, NSFOCUS claims its statistics come from its Threat Response and Research division, its network operation centers and its Managed Security Service.

85 percent of attacks of 100 Gbps plus in the first three months of this year were NTP reflection attacks, a figure that makes sense when you realize that at the time US-CERT had to issue an advisory to warn enterprises about them.

That number eventually dropped off drastically, once the weakness was addressed, at the end of March.
