DDoS Attacks First Half 2016 by Arbor Networks

Arbor Networks, the security division of NETSCOUT, today released global DDoS attack data for the first six months of 2016, which show a continuous increase in both the size and frequency of attacks.

Arbor data is collected via ATLAS™, a collaboration with more than 330 service provider customers who share anonymized traffic data with Arbor to provide a comprehensive, aggregated view of global traffic and threats. ATLAS provides the data for the Digital Attack Map, a visualization of global attack traffic created in collaboration with Google Ideas. ATLAS data has also been recently used in Cisco’s Visual Networking Index Report and Verizon’s Data Breach Incident Report.

GLOBAL DDoS ACTIVITY

DDoS attacks continue to be used frequently, taking advantage of the immediate availability of free tools and low-cost online services that allow anyone with a grievance and an internet connection to launch an attack. This has led to an increase in the frequency, size, and complexity of attacks in recent years.

  • ATLAS has registered an average of 124,000 events per week over the past 18 months.
  • A 73% increase in the maximum attack size compared to 2015, reaching 579Gbps.
  • 274 attacks exceeding 100Gbps were detected in the first half of 2016, compared to 223 registered in all of 2015.
  • 46 attacks exceeding 200Gbps were detected in the first half of 2016, compared to 16 registered in all of 2015.
  • The USA, France, and Great Britain are the main targets of attacks exceeding 10Gbps.

Arbor’s Security Engineering & Research Team (ASERT) recently demonstrated that large DDoS attacks do not require the use of reflection/amplification techniques. LizardStresser, an IoT botnet, was used to launch attacks reaching 400Gbps targeting gaming sites worldwide, Brazilian financial institutions, ISPs, and government institutions. According to ASERT, the attack packets do not appear to originate from spoofed source addresses – and no UDP protocol with amplification, such as NTP or SNMP, was used.

WHEN AVERAGE IS A PROBLEM

A 1Gbps DDoS attack is sufficient to take most organizations offline.

  • The average attack size in the first half of 2016 was 986Mbps, an increase of 30% compared to 2015.
  • By the end of 2016, an average attack size of 1.15Gbps is predicted.

“The data demonstrates the need for hybrid or multi-layered DDoS defense systems,” said Darren Anstee, Arbor Networks’ Chief Security Technologist. “High-bandwidth attacks can only be mitigated in the cloud, away from the intended targets. However, despite the sharp growth in the size of the most significant attacks, 80% of them are still under 1Gbps and 90% last less than an hour. On-premise protection ensures the necessary rapid response and is key against ‘low and slow’ application-level attacks and state-exhaustion attacks targeting infrastructure like firewalls and IPS.”

A TIME FOR REFLECTION

Reflection/amplification is a technique that allows attackers to both amplify the amount of traffic generated and obscure the original source of that attack traffic. As a result, most large recent attacks use this technique via DNS, Network Time Protocol (NTP), Chargen, and Simple Service Discovery Protocol (SSDP) servers. Consequently, in the first half of 2016:

  • DNS is the most commonly used protocol in 2016, having replaced NTP and SSDP in 2015.
  • The average size of DNS reflection/amplification attacks is growing considerably.
  • The maximum size of reflection/amplification attacks detected in 2016 was 480Gbps (DNS).