DDoS Attack Bandwidth Jumps 718%

Distributed denial-of-service study finds increase in attack quantity and severity, while most attacks continue to originate from China.

The average bandwidth seen in distributed denial-of-service (DDoS) attacks has recently increased by a factor of seven, jumping from 6 Gbps to 48 Gbps. Furthermore, 10% of DDoS attacks now exceed 60 Gbps.

Those findings come from a new report released Wednesday by DDoS mitigation service provider Prolexic Technologies, which saw across-the-board increases in DDoS attack metrics involving the company's customers.

"Average packet-per-second rate and average bit rate spiked in the first quarter and both are growing at a fast clip," said Prolexic president Stuart Scholly in a statement. "When you have average -- not peak -- rates in excess of 45 Gbps and 30 million packets per second, even the largest enterprises, carriers and, quite frankly, most mitigation providers, are going to face significant challenges."

In the first three months of 2013, 77% of DDoS attacks targeted bandwidth capacity and routing infrastructure, while 23% were application-level attacks that overwhelmed their targets not through sheer packet volume but by disrupting critical applications or processes running on a server.
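The report's split between infrastructure attacks (bandwidth or packet-rate floods) and application-level attacks maps onto two different signals in edge telemetry. The following Python is an added example, not code from the article or from Prolexic: it classifies one-second traffic counters against a quiet-hour baseline, using constructed sample values and a hypothetical 10x-over-baseline threshold, and reports the mix of attack seconds per family.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class Sample:
    """One-second traffic counters for a protected service (constructed data)."""
    bps: float            # bits per second reaching the edge
    pps: float            # packets per second
    http_rps: float       # HTTP requests per second reaching the application
    expensive_rps: float  # requests to costly handlers (search, login, reports)

# Constructed quiet-hour baseline: ~400 Mbps, 60 kpps, 900 req/s, 40 costly req/s.
BASELINE = [Sample(400e6, 60e3, 900, 40) for _ in range(60)]

def classify(s, baseline=BASELINE, mult=10.0):
    """Label a sample using the two families the report distinguishes:
    infrastructure (bandwidth or packet-rate floods) versus application-layer
    attacks that leave bandwidth near normal but overload specific handlers."""
    b_bps = median(b.bps for b in baseline)
    b_pps = median(b.pps for b in baseline)
    b_rps = median(b.http_rps for b in baseline)
    b_exp = median(b.expensive_rps for b in baseline)
    if s.bps > mult * b_bps or s.pps > mult * b_pps:
        # Average packet size separates a bandwidth flood (large packets) from a
        # packet-rate flood (many tiny packets exhausting routers and state tables).
        avg_pkt_bytes = (s.bps / 8) / s.pps if s.pps else 0
        return "infrastructure:packet-rate" if avg_pkt_bytes < 200 else "infrastructure:bandwidth"
    if s.http_rps > mult * b_rps or s.expensive_rps > mult * b_exp:
        return "application"
    return "normal"

def attack_mix(samples, baseline=BASELINE):
    """Share of attack seconds per family, comparable to the report's 77%/23% split."""
    labels = [classify(s, baseline).split(":")[0] for s in samples]
    attacks = [l for l in labels if l != "normal"]
    if not attacks:
        return {}
    return {fam: round(100 * attacks.count(fam) / len(attacks)) for fam in set(attacks)}

# Constructed attack seconds: a 48 Gbps UDP flood, a 30 Mpps SYN flood of 60-byte
# packets (~14 Gbps), and an HTTP flood of costly requests at near-normal bandwidth.
UDP_FLOOD = Sample(48e9, 4.5e6, 900, 40)
SYN_FLOOD = Sample(14.4e9, 30e6, 900, 40)
HTTP_FLOOD = Sample(450e6, 70e3, 950, 6000)

if __name__ == "__main__":
    for name, s in [("udp", UDP_FLOOD), ("syn", SYN_FLOOD), ("http", HTTP_FLOOD)]:
        print(name, classify(s))
    print(attack_mix([UDP_FLOOD, SYN_FLOOD, UDP_FLOOD, HTTP_FLOOD]))
```

The application-layer case is the one a pure bandwidth alarm misses: its bit rate sits within normal range and only the request mix gives it away.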


The report also found that between the fourth quarter of 2012 and the first quarter of 2013, the total number of attacks increased marginally -- by only 2% -- while average attack duration increased by 7%, from 32.2 hours to 34.5 hours. The greatest number of DDoS attacks continues to be launched from China, although China's share of attacks has recently declined. While 55% of all attacks came from China at the end of last year, by March 2013 that had dropped to 41%, followed by the United States (22%), Germany (11%), Iran (6%) and India (5%).

The source of attacks doesn't mean that a country's government or even criminal gangs are directly responsible for launching DDoS campaigns. For example, the Operation Ababil bank disruption campaign being run by al-Qassam Cyber Fighters relies in part on hacking into vulnerable WordPress servers and installing such DDoS toolkits as "itsoknoproblembro" -- aka Brobot. Attackers then use command-and-control servers to issue attack instructions to the toolkits, thus transforming legitimate websites into DDoS launch platforms.

Given that situation, it's no surprise that China, the United States and Germany -- which all have a relatively large Internet infrastructure -- also top the list of DDoS attack origins. But Prolexic's report said it's odd that Iran, which has a very small Internet infrastructure by comparison, should be the source of so many attacks. "This is very interesting because Iran enforces strict browsing policies similar to Cuba and North Korea," according to Prolexic's report.

As DDoS attack sizes increase, so do fears of an Armageddon scenario, in which an attack disrupts not only the targeted site but also every site or service provider in between. According to Prolexic's report, the largest single attack it has mitigated to date occurred in March, when an "enterprise customer" was hit with an attack that peaked at 130 Gbps. While that wasn't equal to the 300 Gbps attack experienced by Spamhaus, it is still far more than most businesses can handle, unless they work with their service provider or third parties to build a better DDoS mitigation defense.

On that front, some businesses tap dedicated DDoS mitigation services from the likes of Arbor Networks, CloudFlare, Prolexic and Verisign.

"There are a number of DDoS mitigation technologies out there, and we see organizations that are deploying the technologies in their own infrastructure and in their own environments," as well as working with service providers, said Chris Novak, managing principal of the RISK Team at Verizon Enterprise Solutions, speaking recently by phone.

"Like so many things in the security space, the layered approach is the most effective for most organizations," he said.

User Rank: Apprentice
5/2/2013 | 9:23:10 PM
re: DDoS Attack Bandwidth Jumps 718%
Covering another press release like it's news. FUD.
Andrew Hornback
User Rank: Apprentice
4/18/2013 | 2:05:59 AM
re: DDoS Attack Bandwidth Jumps 718%
What about companies that do business with China? There are a few out there known to exist...

Andrew Hornback
InformationWeek Contributor
Andrew Hornback
User Rank: Apprentice
4/18/2013 | 2:05:24 AM
re: DDoS Attack Bandwidth Jumps 718%
48 Gbps on average? Wow, that's a lot of junk traffic.

It's interesting to see the attack vector changing though, from the end user with a badly configured PC getting infected by something nasty to going for systems that are sitting in data centers, presumably on large pipes.

That strategy makes a lot of sense though, instead of an occasionally-on Vista box that Aunt Flo uses to swap recipes with her cat lovers club on Facebook to a system that's always on, always available and most likely very loosely (if at all) monitored for performance.

Sounds like it's time to step up the traffic analysis here and possibly integrate a few feedback loops to keep the junk traffic from getting sent down the pipe in the first place.

Andrew Hornback
InformationWeek Contributor
User Rank: Apprentice
4/17/2013 | 4:57:52 PM
re: DDoS Attack Bandwidth Jumps 718%
Time maybe to block China's access to USA internet but I'm sure US corporations will cry foul and get their way to keep it open.