
Average DDoS attack size increasing, Arbor warns businesses

While extremely large DDoS attacks grab the headlines, it is the increasing size of the average attack that is affecting enterprises, warns Arbor Networks

The average size of distributed denial of service (DDoS) attacks is increasing in terms of bits and packets per second, according to Arbor Networks.

Although the largest attack monitored in the second quarter of 2015 was a 196 gigabit per second (Gbps) user datagram protocol (UDP) flood, Arbor says the growth in the average attack size is of most concern to enterprise networks.

According to the latest data from Arbor's active threat level analysis system (Atlas), 21% of attacks in the quarter topped 1Gbps, while the most growth was seen in the 2Gbps to 10Gbps range.

Atlas is a collaborative partnership with more than 330 service provider customers who share anonymous traffic data with Arbor.

The data also shows a significant spike in the number of attacks in the 50Gbps to 100Gbps range in June 2015, which were mainly SYN floods targeting destinations in the US and Canada.

"Extremely large attacks grab the headlines, but it is the increasing size of the average DDoS attack that is causing headaches for enterprise around the world," said Arbor Networks chief security technologist Darren Anstee.

"Companies need to clearly define their business risk when it comes to DDoS. With average attacks capable of congesting the internet connectivity of many businesses, it is essential that the risks and costs of an attack are understood and appropriate plans, services and solutions put in place," said Anstee.

Sizes of attacks on the rise

Arbor's data shows that reflection amplification DDoS attacks using the simple service discovery protocol (SSDP) appear to be abating compared with the first quarter of 2015, in which 126,000 were recorded, but at around 84,000 they are still at the same level as in the last quarter of 2014.

Reflection amplification is a technique that allows an attacker to magnify the amount of traffic they can generate and obfuscate the original sources of that attack traffic.

This technique relies on the fact that many internet service providers still do not implement filters at the edge of their network to block traffic with a "forged" (spoofed) source IP address, and the fact that there are plenty of poorly configured and poorly protected devices on the internet providing UDP services that offer an amplification factor between a query sent to them and the response which is generated.


The majority of very large volumetric attacks use a reflection amplification technique exploiting the SSDP, the network time protocol (NTP) and DNS servers, with a large number of significant attacks detected worldwide.
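As an added illustration (not from Arbor or the original article), the sketch below shows how a defender might spot the reflection pattern described above in flow records: UDP traffic arriving from the DNS, NTP or SSDP service port of many distinct sources and converging on one destination. The flow tuple layout, the thresholds and the sample records are assumptions constructed for this example.

```python
from collections import defaultdict

# UDP source ports of the reflector services named in the article.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}

def detect_reflection(flows, window_s, bps_threshold, min_sources):
    """Flag destinations receiving a reflection-style flood.

    flows: iterable of (src_ip, src_port, dst_ip, proto, bytes) seen in one
    window of window_s seconds (hypothetical record layout). Reflected
    traffic arrives *from* the service port of many distinct reflectors,
    so the key is the UDP source port, not the destination port.
    """
    stats = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for src_ip, src_port, dst_ip, proto, nbytes in flows:
        if proto != "udp" or src_port not in REFLECTOR_PORTS:
            continue
        entry = stats[(dst_ip, REFLECTOR_PORTS[src_port])]
        entry["bytes"] += nbytes
        entry["sources"].add(src_ip)
    alerts = []
    for (dst_ip, service), entry in sorted(stats.items()):
        bps = entry["bytes"] * 8 / window_s
        # Require both volume and source diversity to avoid flagging a
        # single busy resolver or time server.
        if bps >= bps_threshold and len(entry["sources"]) >= min_sources:
            alerts.append({"victim": dst_ip, "service": service,
                           "gbps": round(bps / 1e9, 2),
                           "reflectors": len(entry["sources"])})
    return alerts

# Constructed sample: one 60-second window of flow records (documentation IPs).
SAMPLE_FLOWS = (
    # 40 SSDP reflectors each sending 300 MB to one destination
    [(f"198.51.100.{i}", 1900, "203.0.113.10", "udp", 300_000_000) for i in range(1, 41)]
    # ordinary DNS answers from a single resolver to a client
    + [("192.0.2.53", 53, "203.0.113.20", "udp", 4_000)] * 5
    # large TCP transfer to the same destination, not a UDP reflection
    + [("192.0.2.80", 443, "203.0.113.10", "tcp", 900_000_000)]
)

if __name__ == "__main__":
    # 1 Gbps threshold, matching the mark the article says 21% of attacks topped.
    for alert in detect_reflection(SAMPLE_FLOWS, 60, 1e9, 10):
        print(alert)
```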

The data shows that the average sizes for DNS, NTP and SSDP reflection amplification attacks increased in the second quarter of 2015, with an average duration of 20 minutes.

According to a recent survey by F5 Networks, investment in specific DDoS protection is relatively low.

The survey found that businesses are turning their attention to application data breaches, network attacks and malware, despite 60% of respondents saying they are worried about DDoS attacks and 39% admitting it is likely their organisation has already been targeted.

Almost 40% of the organisations questioned said they are using a firewall to protect against DDoS attacks, with web application firewalls preferred by 26% of respondents. However, investment in specific DDoS protection scored much lower.
