Although the average size of a given DDoS attack is going down, the number of attacks at the upper end of the scale is increasing, with researchers at Arbor Networks reporting more than 100 attacks of 100 Gbps in the first half of this year.
In order for a DDoS attack to be effective, bad guys used to need hundreds or even thousands of compromised machines to throw relatively large amounts of traffic at a target. But now, with high-bandwidth connections available to many home Internet users, attackers can generate huge traffic volumes with a much smaller number of bots and can completely overwhelm many targets. Arbor’s research shows that the number of DDoS attacks that peak at high traffic volumes of more than 100 Gbps is continuing to grow.
In the first half of 2014, the company recorded 111 attacks that broke the 100 Gbps barrier, a kind of attack that was rare until just a few years ago. The data, which comes from traffic statistics shared in real time from nearly 300 ISPs, also shows that in the second quarter alone there were more than twice as many attacks of 20 Gbps-plus as in all of 2013: 5733 attacks compared to 2573.
One of the reasons that these high-volume attacks have been on the rise, Arbor said, is that attackers have been taking advantage of NTP (Network Time Protocol) servers and open DNS resolvers to amplify their attacks. NTP servers are meant to be used as public resources to synchronize the time on various computers. One of their functions is that they will respond to a specific query by returning a list of the last 600 IP addresses to query a given NTP server. Attackers can amplify their DDoS attacks by spoofing a target’s IP address and querying the NTP servers repeatedly, so that the servers return large volumes of traffic to the target server.
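An operator can check from traffic seen at their own NTP server whether it is being used this way. The sketch below is an added example, not code from Arbor or the article: it classifies UDP port 123 payloads and reports hosts receiving far more list-response bytes than the requests attributed to them. The mode 7 header layout and request codes 20 and 42 are taken from the ntpd reference implementation; the addresses, payloads and the `min_ratio` threshold are constructed for illustration.

```python
import struct
from collections import defaultdict

MODE_PRIVATE = 7           # NTP mode 7: "private" management requests
MONLIST_CODES = {20, 42}   # ntpd request codes MON_GETLIST and MON_GETLIST_1

def classify_ntp(payload: bytes) -> str:
    """Classify a UDP/123 payload by its first four header bytes."""
    if len(payload) < 4:
        return "invalid"
    b0, _seq, _impl, code = struct.unpack("!BBBB", payload[:4])
    if b0 & 0x07 != MODE_PRIVATE:
        return "other"                 # ordinary time sync or control traffic
    if code not in MONLIST_CODES:
        return "private-other"
    return "monlist-response" if b0 & 0x80 else "monlist-request"

def reflection_report(packets, min_ratio=10.0):
    """packets: (src_ip, dst_ip, udp_payload) tuples seen at the NTP server.
    Returns {host: (request_bytes, response_bytes, ratio)} for likely targets."""
    req, resp = defaultdict(int), defaultdict(int)
    for src, dst, payload in packets:
        kind = classify_ntp(payload)
        if kind == "monlist-request":
            req[src] += len(payload)   # source address may be spoofed
        elif kind == "monlist-response":
            resp[dst] += len(payload)
    report = {}
    for host, out_bytes in resp.items():
        in_bytes = req.get(host, 0)
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if ratio >= min_ratio:
            report[host] = (in_bytes, out_bytes, ratio)
    return report

# Constructed sample traffic (documentation address ranges, zero-filled bodies).
SERVER, CLAIMED, CLIENT = "192.0.2.10", "198.51.100.7", "203.0.113.5"
REQ = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4)      # mode 7 request, code 42
RESP = bytes([0xD7, 0x00, 0x03, 0x2A]) + bytes(436)   # mode 7 response, code 42
TIME_Q = bytes([0x23]) + bytes(47)                    # mode 3 client query
TIME_A = bytes([0x24]) + bytes(47)                    # mode 4 server reply
SAMPLE = ([(CLAIMED, SERVER, REQ)] + [(SERVER, CLAIMED, RESP)] * 5
          + [(CLIENT, SERVER, TIME_Q), (SERVER, CLIENT, TIME_A)])

if __name__ == "__main__":
    for host, (i, o, r) in reflection_report(SAMPLE).items():
        print(f"{host}: {i} B in, {o} B out, ratio {r:.0f}x")
```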
NTP amplification attacks have developed into a serious problem, with Arbor finding that 85 percent of attacks of more than 100 Gbps in the first quarter were NTP reflection attacks. In the second quarter, though, NTP attacks fell, accounting for 49 percent of the largest DDoS attacks.
As the top end of the attack scale continues to grow, the duration of DDoS attacks at that scale is also going up. In the second quarter of 2014, the duration of the average attack over 20 Gbps rose to 98 minutes, up from 54 minutes in the first three months of the year. In terms of attack sources, South Korea was responsible for 15 percent, while the United States was the source of 14 percent of DDoS attacks that Arbor customers recorded.