Average DDoS Attack Size on Rise

Thursday, July 23, 2015 @ 05:07 PM gHale

The average size of distributed denial of service (DDoS) attacks is growing, a new report said.

That growth shows up in both bits-per-second and packets-per-second measurements, said researchers from Arbor Networks.

The largest attack monitored in Q2 was a 196GB/sec UDP flood, a large but no longer uncommon attack size. While there are always big attacks, the real concern is the growth in the average attack size.

In Q2, 21 percent of all attacks topped 1GB/sec, while the most growth was seen in the 2-10GB/sec range. However, there was also a significant spike in the number of attacks in the 50 – 100GB/sec range in June, mainly SYN floods targeting destinations in the U.S. and Canada.

“Extremely large attacks grab the headlines, but it is the increasing size of the average DDoS attack that is causing headaches for enterprise around the world,” said Arbor Networks Chief Security Technologist Darren Anstee. “Companies need to clearly define their business risk when it comes to DDoS.”

Reflection amplification is a technique that allows an attacker to magnify the amount of traffic they can generate and to obfuscate the original sources of that attack traffic.

This technique relies on two unfortunate realities: One is that service providers still do not implement filters at the edge of their networks to block traffic. The second is that there are plenty of poorly configured and poorly protected devices on the Internet providing UDP services that offer an amplification factor between a query sent to them and the generated response.

The majority of large volumetric attacks leverage a reflection amplification technique using the Network Time Protocol (NTP), Simple Service Discovery Protocol (SSDP) and DNS servers, with large numbers of significant attacks detected across the globe.
• There is some evidence the storm of reflection amplification attacks utilizing SSDP might be abating slightly, with 84,000 tracked in Q2 (similar to the Q4 level) down from 126,000 in Q1.
• Average attack sizes for DNS, NTP, SSDP and Chargen reflection amplification attacks all increased in Q2 2015.
• 50 percent of reflection attacks in Q2 targeted UDP port 80 (HTTP/U).
• Average duration of a reflection attack was 20 mins in Q2 (19 mins in Q1).
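
As an added illustration (not from the Arbor report or the original article), the sketch below flags the reflected floods described above in flow records: UDP traffic arriving from the DNS, NTP, SSDP or Chargen service port, from several sources, converging on one destination. The record layout, the thresholds and the sample flows are assumptions constructed for the example.

```python
from collections import Counter, defaultdict

UDP = 17  # IP protocol number for UDP
# UDP source ports of the reflector services named in the article.
REFLECTOR_PORTS = {19: "Chargen", 53: "DNS", 123: "NTP", 1900: "SSDP"}

def find_reflection_floods(flows, window_s, min_bps=1e9, min_reflectors=3):
    """Flag destinations receiving a reflected UDP flood.

    flows: (src_ip, src_port, dst_ip, dst_port, proto, byte_count) tuples,
    all seen within one window of window_s seconds (assumed record layout).
    min_bps and min_reflectors are assumed thresholds, to be tuned per network.
    """
    stats = defaultdict(lambda: {"bytes": 0, "srcs": set(), "ports": Counter()})
    for src_ip, src_port, dst_ip, dst_port, proto, nbytes in flows:
        vector = REFLECTOR_PORTS.get(src_port)
        if proto != UDP or vector is None:
            continue  # reflected replies arrive over UDP *from* the service port
        s = stats[(dst_ip, vector)]
        s["bytes"] += nbytes
        s["srcs"].add(src_ip)
        s["ports"][dst_port] += nbytes

    alerts = []
    for (dst_ip, vector), s in stats.items():
        bps = s["bytes"] * 8 / window_s
        # One resolver answering one client is normal; many reflectors
        # converging on a single host at a high rate is the flood signature.
        if bps >= min_bps and len(s["srcs"]) >= min_reflectors:
            alerts.append({
                "victim": dst_ip,
                "vector": vector,
                "gbps": round(bps / 1e9, 2),
                "reflectors": len(s["srcs"]),
                "top_dst_port": s["ports"].most_common(1)[0][0],
            })
    return sorted(alerts, key=lambda a: a["gbps"], reverse=True)

# Constructed sample: one 60-second window, documentation address ranges.
SAMPLE_FLOWS = [
    *[(f"198.51.100.{i}", 123, "203.0.113.10", 80, UDP, 2_500_000_000)
      for i in range(1, 5)],                                  # NTP replies, 4 sources
    ("192.0.2.53", 53, "203.0.113.20", 40000, UDP, 1200),     # ordinary DNS answer
    ("198.51.100.9", 123, "203.0.113.10", 80, 6, 9_000_000),  # TCP, ignored
    ("198.51.100.20", 1900, "203.0.113.30", 5000, UDP, 400),  # low-rate SSDP
    ("198.51.100.21", 1900, "203.0.113.30", 5000, UDP, 400),
]

if __name__ == "__main__":
    print(find_reflection_floods(SAMPLE_FLOWS, window_s=60))
```

Only the four-source NTP burst toward UDP port 80 is reported; the single DNS answer and the low-rate SSDP replies stay below both thresholds.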
