DDoS attacks growing faster in size, complexity - Arbor report


The size of distributed denial of service attacks continued to grow at a faster rate than ever last year, and the attacks also were the most common threat experienced by enterprise, government and education IT operations, according to Arbor Networks’ latest Worldwide Infrastructure Security Report.

The 12th annual report, published Tuesday, is based on a survey of 365 internet service providers, as well as enterprise, government and education network operators from around the world, and on internet data from Nov. 2015 through Oct. 2016. Because Arbor provides services to so many large internet providers, it has visibility into about a third of all global internet traffic.

Distributed denial-of-service, or DDoS, attacks are at one level the most basic kind of cyberattack — compromised devices, like personal computers infected by a virus, are marshaled into huge robot networks or botnets, and flood the targeted website or other system with junk data, slowing real traffic to a crawl or stopping it altogether.

End-user subscribers were the most common type of customer targeted, but among vertical markets, the education sector trailed only government, financial, hosting, eCommerce and gaming networks as the most frequently targeted, and was targeted more frequently than the law enforcement, healthcare, energy/utilities, gambling and manufacturing sectors.

The largest attack seen during the period covered in the report aimed 800 gigabits per second, or Gbps, of data at the target — a 60 percent increase over the largest attack from the prior year. Since Arbor first began producing the report in 2005, maximum DDoS attack size has grown at a compound annual growth rate of 44 percent. But in the past five years, since 2011, that rate has been 68 percent, the company said in a release, as reported by our sister publication, CyberScoop.

The report says the massive growth in attack size has been driven by two factors: first, “the emergence and weaponization” of botnets based on compromised IoT devices or home routers, rather than computers; and second, the increased use of “reflection amplification” by attackers. Reflection amplification leverages internet infrastructure like the domain name system or the network time protocol “to multiply attack traffic by hundreds of times, while hiding the original source.”

In a reflection attack, an attacker can “send 1 Gbps of initial traffic, [and] 100 Gbps is delivered to the target.”

As the frequency of attacks rises, “the chances of being hit by a DDoS attack have never been higher,” states the report.

Fifty-three percent of service providers said they are seeing more than 21 attacks per month — up from 44 percent in the prior year. Frequency grew much faster for other sectors. Twenty-one percent of data center respondents see more than 50 attacks per month versus only 8 percent last year, for instance.

Also rising: complexity. While the basic DDoS attack is very straightforward, using internet traffic to overwhelm web-facing servers, there are other forms of DDoS that can be aimed at different aspects of victims’ infrastructures, like the application layer or the connection state tables in firewalls, web application servers, and other infrastructure components. This last kind of attack is called a state-exhaustion or protocol attack.

Read more in CyberScoop.