3/15/2018
08:35 PM
Are DDoS Attacks Increasing or Decreasing? Depends on Whom You Ask

Details on DDoS trends can vary, depending on the reporting source.

Distributed denial-of-service (DDoS) attacks remain unpredictable and dangerous for enterprises, but actual details on how the threat is evolving can differ substantially by the reporting source.

Two reports released this week, one by Verisign and the other from Nexusguard, are good examples. Both vendors reported a general increase in multivector attacks and an overall decrease in the number of DDoS attacks in the fourth quarter of 2017 compared to the prior quarter but differed on the details based on data gathered from their customer engagements.

Nexusguard reported a 12% decrease in DDoS attacks between the fourth quarter of 2016 and the same quarter in 2017, and a more than 16% drop in attacks between the third and fourth quarters last year. Verisign pegged the decrease in DDoS attacks during the same period at a somewhat higher 25% and said the number of attacks has continued to decrease from quarter to quarter.

Nexusguard says multivector, blended threats represented some 56% of recorded attacks last quarter while single-vector attacks accounted for just over 43%. Two-vector attacks — such as those combining UDP and DNS — accounted for nearly 33% of all multivector accounts, while three-vector attacks accounted for about 15%, according to Nexusguard.

Verisign, meanwhile, says a massive 82% of the DDoS attacks it mitigated in the fourth quarter of last year employed multiple attack types. While Nexusguard had two-vector attacks as the most common multivector attack type, Verisign says 46% of multivector attacks it encountered involved five or more attack types.

The largest DDoS attack that Verisign dealt with last quarter topped out at 53 Gbps, while Nexusguard said the largest one it encountered weighed in at over 231 Gbps. Both vendors had roughly the same estimates for average peak attack sizes, with a substantial proportion falling under 10 Gbps. Verisign, however, noted a 32% year-over-year decrease in the average of attack peak sizes.

For Nexusguard, one key takeaway from its observations last quarter was the sharp increase in amplification attacks involving DNSSEC-enabled servers. Nexusguard says the number of DNS reflection attacks in the fourth quarter of 2017 soared nearly 110% over the preceding quarter, while DDoS attacks using DNS amplification increased nearly 358% compared with the fourth quarter of 2016.

The decrease in DDoS attacks during the fourth quarter of 2017 that both Verisign and Nexusguard reported is somewhat at odds with reports from other vendors. Martin McKeay, global security advocate and lead author of Akamai's recently released State of the Internet Security Report, for instance, says DDoS attack volumes have only increased over the past few years.

"Akamai saw an almost identical number of attacks in Q4 2017 vs. Q3 2017, though the number of attacks had grown by 14% since the same time in 2016," he says. "From what we've seen, the number of attacks has been relatively steady quarter over quarter recently, and has grown significantly year over year for as long as we've been tracking the count of attacks."

The same is true of attack sizes, he says. "While we'd seen a general downward trend throughout 2016 in the median size of attacks from slightly over 1 Gbps, that trend changed in the second half of the year, to climb back to a median attack size of 750 Mbps," he says.

Similarly, Akamai has not seen a significant increase in attacks involving DNS- and DNSSEC-enabled domains. McKeay says DNS and DNSSEC have been a component of approximately 25% of the attacks Akamai has seen for several years.

Ashley Stephenson, CEO of Corero, has similar views on DDoS trends and says he hasn't seen anything to suggest a recent decline in the number of attacks. Like McKeay, Stephenson says Corero hasn't observed the sharp increase in DNSSEC amplification attacks that Nexusguard reported, though he agrees that multivector attacks have become more common.

The differences in reports, according to Stephenson, have a lot to do with how and where the data is captured and even with how different organizations define DDoS attacks. For an organization in the online gaming industry, for instance, traffic of something in the 500 Mbps to 1 Gbps range could be enough to constitute a DDoS attack. "An attack of that size is not going to be significant to a large financial institution or a bank that has a large data center," and probably wouldn't be counted as a DDoS attack.

Average attack size can also often be misleading, says McKeay. In many cases, one or two large attacks can easily throw reporting out of balance, which is why it is better to track median attack size instead, he says. "Large attacks, or a lack of, can easily skew an average attack-size metric, making the number unreliable."

Where the attack is measured can make a big difference as well. Attacks that are measured close to the source will be substantially larger than attacks that are measured close to the destination or target — sometimes by a 10-to-1 factor, Stephenson says.

A content delivery network, for instance, might measure the source of an attack, but the reality is that a lot of the traffic at the source will never get to the destination, he says. Similarly, a service provider might report on DDoS traffic from somewhere in the middle, away from the source and the destination, and the numbers they observe will be different from the numbers at the destination. So, while you might have terabits of data at the origin, what comes out at the other end of the funnel can be much smaller, Stephenson says.

"Ultimately, if you are an enterprise you have to be most concerned about what impacts you," Stephenson says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...