There has been a steady but dramatic increase in the potency of distributed denial of service (DDoS) attacks from the beginning of 2013 through the first two months of this year. In large part, the reason for this rise in volume is the widespread adoption of two attack methods: large synchronization packet flood (SYN flood) attacks and Network Time Protocol (NTP) amplification attacks.
According to an Incapsula report tracking the DDoS threat landscape during this 14-month period, the largest such attacks in February 2013 were delivering traffic at a rate of four gigabits per second (Gbps). By July 2013, 60 Gbps and larger DDoS attacks had become a weekly occurrence. In February of 2014, Incapsula reports having witnessed one NTP amplification attack peaking at 180 Gbps. Other reports have found the volume of NTP amplification attacks as high as 400 Gbps.
“As early as February 2013 we were able to track down a single source 4Gbps attacking server, which – if amplified – could alone have generated over 200Gbps in attack traffic,” the report claims. “With such available resources it is easy to explain the uptick in attack volume we saw over the course of the year.”
At present, large scale DDoS attacks, which Incapsula defines as those of 20 Gbps and more, account for nearly one-third of all attacks. Attackers are able to achieve these high volumes by launching large SYN floods and DNS and NTP amplification attacks.
A new entrant to the DDoS landscape is a technique called “hit and run” DDoS attacks. These attacks first emerged in April 2013 and, according to Incapsula, target human-controlled DDoS protections by exploiting weaknesses in services that are supposed to be manually triggered, like generic routing encapsulation (GRE) tunneling and domain name server (DNS) re-routing.
Not only is each classification of DDoS attack becoming more potent, but 81 percent of attacks exploit multiple vectors.
“Multivector tactics increase the attacker’s chance of success by targeting several different networking or infrastructure resources,” Incapsula claims. “Combinations of different offensive techniques are also often used to create ‘smokescreen’ effects, where one attack is used to create noise, diverting attention from another attack vector.” Multivector attacks can also be used for trial-and-error style reconnaissance.
The most commonly deployed attacks are a combination of two types of SYN floods – one deploying regular SYN packets and another using large SYN (above 250 bytes) packets.
“In this scenario, both attacks are executed at the same time, with the regular SYN packets used to exhaust server resources (e.g., CPU) and large SYN packets used to cause network saturation,” they say. “Today SYN combo attacks account for ~75% of all large scale network DDoS events (attacks peaking above 20Gbps). Overall, large SYN attacks are also the single most commonly used attack vector, accounting for 26% of all network DDoS events.”
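A defender-side way of telling the two halves of this SYN combo apart in per-second traffic summaries, added here as an illustration and not code from Incapsula or the report. The record layout (timestamp, TCP flags, packet size) and the packets-per-second and Gbps alert thresholds are assumed demo values; the 250-byte boundary for a "large" SYN is the one the report uses.

```python
"""Split SYN flood traffic into its resource-exhaustion and bandwidth halves.

Added example. Records are assumed to be (timestamp_seconds, tcp_flags,
size_bytes) tuples, e.g. from a flow or capture summary; the thresholds
used in the demo are illustrative, not tuned values.
"""
from collections import defaultdict

LARGE_SYN_BYTES = 250  # report's boundary between regular and large SYN packets


def summarize_syn_traffic(records, window_s=1.0):
    """Bucket pure SYN packets (not SYN-ACK) into per-window counts and bytes."""
    buckets = defaultdict(lambda: {"regular_syn": 0, "large_syn": 0, "bytes": 0})
    for ts, flags, size in records:
        if "S" not in flags or "A" in flags:  # skip non-SYN and SYN-ACK replies
            continue
        bucket = buckets[int(ts // window_s) * window_s]
        bucket["large_syn" if size > LARGE_SYN_BYTES else "regular_syn"] += 1
        bucket["bytes"] += size
    return dict(buckets)


def classify_window(bucket, pps_threshold, gbps_threshold, window_s=1.0):
    """Label one window: regular SYN rate hits CPU/state, large SYN bytes hit links."""
    total_syn = bucket["regular_syn"] + bucket["large_syn"]
    gbps = bucket["bytes"] * 8 / window_s / 1e9
    resource_pressure = total_syn / window_s >= pps_threshold
    link_pressure = gbps >= gbps_threshold and bucket["large_syn"] > 0
    if resource_pressure and link_pressure:
        return "syn_combo"  # both vectors at once, the pattern the report describes
    if resource_pressure:
        return "syn_flood"
    if link_pressure:
        return "large_syn_flood"
    return "normal"


def build_sample():
    """Constructed traffic: second 0 carries a SYN combo, second 1 is quiet."""
    recs = [(i / 2000, "S", 60) for i in range(2000)]       # regular 60-byte SYNs
    recs += [(i / 1500, "S", 1400) for i in range(1500)]    # large 1400-byte SYNs
    recs += [(1.0 + i / 20, "SA", 60) for i in range(20)]   # SYN-ACK replies, ignored
    recs += [(1.0 + i / 5, "S", 60) for i in range(5)]      # a few benign SYNs
    return recs


if __name__ == "__main__":
    for start, b in sorted(summarize_syn_traffic(build_sample()).items()):
        print(start, b, classify_window(b, pps_threshold=1000, gbps_threshold=0.01))
```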
However, in February 2014, NTP amplification attacks surpassed all others as the most commonly seen form of DDoS. This may be the beginning of a new trend or merely a temporary spike, but as the report notes, it is too early to tell.