10:50 AM
Dark Reading
Dark Reading
Products and Releases
Connect Directly

DDoS Average Packet-Per-Second And Attack Bandwidth Rates Rise

Prolexic's Quarterly Global DDoS Attack Report shows a 33 percent increase in total number of DDoS attacks compared to Q2 2012

HOLLYWOOD, FL – (July 17, 2013) – Prolexic Technologies, the global leader in Distributed Denial of Service (DDoS) protection services, today announced that the average packet-per-second (pps) rate reached 47.4 Mpps and the average bandwidth reached 49.24 Gbps based on data collected in Q2 2013 from DDoS attacks launched against its global client base. These metrics, representing increases of 1,655 percent and 925% respectively compared to Q2 2012, are just two of many findings contained in the company's Quarterly Global DDoS Attack Report, which was published today.

"This quarter we logged increases for all major DDoS attack metrics, and some have been significant. DDoS attacks are getting bigger, stronger and longer," said Stuart Scholly, president at Prolexic. "We believe this growth is being fueled by the increasing prevalence of compromised Joomla and WordPress web servers in increasingly large botnets."

In Q1 2013, Prolexic recorded an average DDoS attack bandwidth of 48.25 Gbps, an all-time high since the company began issuing quarterly attack reports in Q3 2011. This second quarter, average bandwidth ticked even higher to 49.24 Gbps, representing a 2% increase over Q1 2013 and a 925% increase over Q2 2012. In addition, average packet-per-second volume reached 47.4 Mpps this quarter, a dramatic 46% increase over the 32.4 Mpps that was logged just last quarter. Compared to Q2 2012, the average packet-per-second rate has increased 1,655 percent.

After trending down in 2011 and part of 2012, average attack durations are increasing, rising from 17 hours in Q1 2012 and 34.5 hours in Q1 2013, to 38 hours this quarter.

"Attack durations are likely increasing because perpetrators are less concerned about detection and protecting their botnets," said Scholly. "The widespread availability of compromised web servers makes it much easier for malicious actors to replenish, grow and redeploy botnets. Traditionally, botnets have been built from compromised clients. This requires malware distribution via PCs and virus infections, and takes considerable time and effort. Consequently, attackers wanted to protect their client-based botnets and were more fearful of detection, so we saw shorter attack durations."

Summary highlights from Prolexic's Q2 2013 Global DDoS Attack Report

Compared to Q2 2012

• 33% increase in total number of DDoS attacks

• 23% increase in total number of infrastructure (Layer 3 & 4) attacks

• 79% increase in total number of application (Layer 7) attacks

• 123% increase in attack duration: 38 hours vs. 17 hours

• 925% increase in average bandwidth

• 1,655 percent increase in average packet-per-second (pps) rate

Compared to Q1 2013

· 20% increase in total number of DDoS attacks

• 17% increase in total number of infrastructure (Layer 3 & 4) attacks

• 28% increase in total number of application (Layer 7) attacks

• 10% increase in attack duration: 38 hours vs. 34.50 hours

• 2% increase in average bandwidth: 49.24 Gbps vs. 48.25 Gbps

• 46% increase in average packet-per-second (pps) rate

• China maintains its position as the main source country for DDoS attacks.

Analysis and emerging trends

As in previous quarters, attackers predominantly used infrastructure-directed attacks (Layer 3 and Layer 4), which accounted for 74.7 percent of all attacks, with application layer attacks making up the remainder. SYN floods were the attack type of choice, accounting for nearly one-third of all attacks mitigated by Prolexic's Security Operations Center (SOC). This is the highest volume for any single attack type since Prolexic began publishing its Quarterly Global DDoS Attack Report. GET, ICMP and UDP floods were also frequently directed against Prolexic clients over the three-month period.

Compared to the same quarter one year ago, the total number of DDoS attacks increased 33.8 percent. In addition, the total number of infrastructure attacks increased 23.2 percent while the total number of application attacks (Layer 7) increased by 79.4 percent compared to one year ago. While the split between the total number of infrastructure attacks and application layer attacks was similar between the two quarters, both attack types increased when the two quarters were compared. Average attack durations have increased significantly, rising from 17 hours in Q2 2012 to reach 38 hours this quarter, an increase of 124%.

Compared to Q1 2013, the total number of attacks increased by 20%. This reflects a consistently high level of denial of service attack activity around the globe over the last six months. The total numbers of both infrastructure and application attacks increased over Q1 2013 (17.4 percent and 28.9 percent respectively). Average attack duration continued to tick upwards, rising from 34.5 hours last quarter to 38 hours in Q2 2013.

April was the most active month of the quarter for DDoS attacks, accounting for 39.7 percent of all attacks, followed by May (31.6 percent) and June (28.7 percent). This quarter, two weeks tied for the most active week of the quarter: April 8-14 and April 15-21. This high level of activity can be attributed to attacks against financial services clients and the ongoing use of the itsoknoproblembro toolkit.

Data for the Q2 2013 report has been gathered and analyzed by the Prolexic Security Engineering & Response Team (PLXsert). The group monitors malicious cyber threats globally and analyzes DDoS attacks using proprietary techniques and equipment. Through digital forensics and post attack analysis, PLXsert is able to build a global view of DDoS attacks, which is shared with Prolexic customers. By identifying the sources and associated attributes of individual attacks, the PLXsert team helps organizations adopt best practices and make more informed, proactive decisions about DDoS threats.

A complimentary copy of the Prolexic Q2 2013 Global DDoS Attack Report is available as a free PDF download from The Q3 2013 report will be released early in the fourth quarter of 2013.

About Prolexic

Prolexic is the world's largest, most trusted Distributed Denial of Service (DDoS) mitigation provider. Able to absorb the largest and most complex attacks ever launched, Prolexic restores mission-critical Internet-facing infrastructures for global enterprises and government agencies within minutes. Ten of the world's largest banks and the leading companies in e-Commerce, SaaS, payment processing, travel/hospitality, gaming and other at-risk industries rely on Prolexic to protect their businesses. Founded in 2003 as the world's first in-the-cloud DDoS mitigation platform, Prolexic is headquartered in Hollywood, Florida and has scrubbing centers located in the Americas, Europe and Asia. To learn more about how Prolexic can stop DDoS attacks and protect your business, please visit, follow us on LinkedIn, Facebook, Google+, YouTube, and @Prolexic on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-30
Directory traversal vulnerability in Dell EqualLogic PS4000 with firmware 6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI.

Published: 2014-10-30
Buffer overflow in ALLPlayer 5.6.2 through 5.8.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a .m3u (playlist) file.

Published: 2014-10-30
SQL injection vulnerability in wcm/system/pages/admin/getnode.aspx in BSS Continuity CMS 4.2.22640.0 allows remote attackers to execute arbitrary SQL commands via the nodeid parameter.

Published: 2014-10-30
The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.

Published: 2014-10-30
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vect...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.