Arbor Networks, a provider of distributed denial-of-service (DDoS) and advanced threat protection solutions for enterprise and service provider networks, has released its Q1 2015 global DDoS attack data. The data shows a continuation of extremely high volume attacks, including the largest attack ever detected by Arbor’s ATLAS threat intelligence infrastructure, a 334Gbps attack targeting a network operator Asia. In Q1 2015, there were 25 attacks larger than 100Gbps globally.
In the past year, Arbor has documented a dramatic increase in DDoS activity. The majority of recent very large attacks leverage a reflection amplification technique using the Network Time Protocol (NTP), Simple Service Discovery
Protocol (SSDP) and DNS servers, with a number of significant attacks being detected all around the world.
Reflection amplification is a technique that allows an attacker to both magnify the amount of traffic they can generate, and obfuscate the original sources of that attack traffic. This technique relies on two unfortunate realities: firstly, many service providers still do not implement filters at the edge of their network to block traffic with a “forged” (spoofed) source IP address; secondly, there are plenty of poorly configured and poorly protected devices on the Internet providing UDP services that offer an amplification factor between a query sent to them and the response which is generated.
Bryan Hamman, territory manager for sub-Saharan Africa at Arbor Networks, points out that end users/ subscribers, e-commerce operations, and government and gaming services, in that order, were the top DDoS targets at the end of last year. “We are seeing a continuous increase in extortion activities. A noticeable change is that ideological hacktivism has been knocked off its top spot and given way to vandalism and online gaming related attacks,” he adds.
Arbor’s data is gathered through ATLAS, a collaborative partnership with more than 330 service provider customers who share anonymous traffic data with Arbor in order to deliver a comprehensive, aggregated view of global traffic and threats. ATLAS collects statistics that represent 120Tbps of Internet traffic and provides the data for the Digital Attack Map, a visualisation of global attack traffic created in collaboration with Google Ideas.
Other global Q1 2015 DDoS attack stats of note include:
* An example of how attackers are constantly changing their techniques, SSDP reflection attacks are up dramatically year-over-year: 126,000 monitored in Q1 2015 versus three reported in Q1 2014; and
* Attacks are shorter but pack a punch: Majority of attacks are short-lived, approximately 90% last less than one hour.
“Attacks that are significantly above the 200Gbps level can be extremely dangerous for network operators and can cause collateral damage across service provider, cloud hosting and enterprise networks,” says Darren Anstee, director, Solutions Architects, for Arbor Networks.
“DDoS attacks continue to evolve. Not only have volumetric attacks grown significantly in size and frequency over the past 18 months, application-layer attackers are also still pervasive. In order to deal with the full scope of the modern DDoS threat, we strongly recommend a multi-layered defence, one that integrates on-premise protection against application-layer attacks with cloud-based protection against higher magnitude volumetric attacks. Only then is an organisation fully protected from DDoS attacks today.”