DDoS attacks up in size, speed and complexity, study finds

DDoS attacks continue to be a global threat with a clear increase in attack size, speed and complexity, a study shows

Distributed denial of service (DDoS) attacks continue to be a global threat with a clear increase in attack size, speed and complexity, according to the latest report from Arbor Networks.

Despite the business risks of DDoS attacks, a survey by communications firm Neustar published earlier this month found that 20% of UK respondents admitted that their companies have no DDoS protection in place.

The study also found that more than one-fifth of UK firms experienced a disruptive distributed denial of service (DDoS) attack in 2012.

According to the new report from Arbor Networks, the average size of DDoS attacks is up 43% so far this year, with 46.5% of attacks now over 1Gbps, a jump of 13.5% from 2012.

Nearly half of all monitored attacks are now above 1Gbps, said the report, which is based on data from the Atlas internet monitoring system.

Atlas (active threat level analysis system) is a collaborative effort with more than 270 service providers who have agreed to share anonymous traffic data on an hourly basis, together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds.

The proportion of attacks between 2Gbps and 10Gbps more than doubled, from 14.78% to 29.8%, and the proportion of attacks now over 10Gbps increased 41.6%.

According to Arbor Networks, this is the first time average attack sizes are solidly above the 2Gbps mark.

“Massive attacks, like the 300Gbps Spamhaus incident, certainly command attention but the average attack is more relevant for most organisations,” Gary Sockrider wrote in the Arbor Insight Blog.

In the first half of 2013, Arbor Networks has seen more than double the total number of attacks over 20Gbps that it saw in the whole of 2012.

According to Darren Anstee, solutions architect for Arbor Networks, there is a daily escalation in the size, frequency and complexity of attacks.

“The resiliency of this attack vector is incredible and with all of the tools available today that enable anyone to launch or participate in attacks, we don’t see a slow down at all,” he said.

However, the report said attack durations are trending shorter, with 86% now lasting less than one hour.

Packets-per-second (PPS) attack sizes are also trending downward, reversing the strong growth trend seen in late 2011 and through 2012.

“The increasing volume of highly visible attacks – including a mix of politically motivated attacks, state-sponsored electronic warfare, social activism, organised crime, and good old-fashioned pointless mischief and mayhem – is being driven by the easy availability of bots/botnets for hire and easily distributed crowd-sourced attack tools,” said Jeff Wilson, principal network security analyst with Infonetics Research.

The study revealed a massive trend shift in the destination ports of monitored DDoS attacks. While HTTP (port 80) continues to be the most popular, TCP fragmentation attacks (port 0) are up from about 10% last year to nearly 25% this year.

“That’s about two-and-a-half-times more so far this year,” wrote Sockrider. “TCP fragmentation attacks are nothing new but it does demonstrate the attackers are constantly changing attack vectors in an effort to evade expectations.”

The study found that the US remains the top target of DDoS attacks, receiving nearly a third of all attacks, but it is also the top source of DDoS attacks.

Some 13.1% of attacks originated in the US compared with 12.5% from China, which was the target of just 14.7% of DDoS attacks monitored.
