
3/15/2018 08:35 PM

Are DDoS Attacks Increasing or Decreasing? Depends on Whom You Ask

Details on DDoS trends can vary, depending on the reporting source.

Distributed denial-of-service (DDoS) attacks remain unpredictable and dangerous for enterprises, but actual details on how the threat is evolving can differ substantially by the reporting source.

Two reports released this week, one by Verisign and the other from Nexusguard, are good examples. Both vendors reported a general increase in multivector attacks and an overall decrease in the number of DDoS attacks in the fourth quarter of 2017 compared to the prior quarter but differed on the details based on data gathered from their customer engagements.

Nexusguard reported a 12% decrease in DDoS attacks between the fourth quarter of 2016 and the same quarter in 2017, and a more than 16% drop in attacks between the third and fourth quarters last year. Verisign pegged the decrease in DDoS attacks during the same period at a somewhat higher 25% and said the number of attacks has continued to decrease from quarter to quarter.

Nexusguard says multivector, blended threats represented some 56% of recorded attacks last quarter while single-vector attacks accounted for just over 43%. Two-vector attacks — such as those combining UDP and DNS — accounted for nearly 33% of all multivector accounts, while three-vector attacks accounted for about 15%, according to Nexusguard.

Verisign, meanwhile, says a massive 82% of the DDoS attacks it mitigated in the fourth quarter of last year employed multiple attack types. While Nexusguard had two-vector attacks as the most common multivector attack type, Verisign says 46% of multivector attacks it encountered involved five or more attack types.

The largest DDoS attack that Verisign dealt with last quarter topped out at 53 Gbps, while Nexusguard said the largest one it encountered weighed in at over 231 Gbps. Both vendors had roughly the same estimates for average peak attack sizes, with a substantial proportion falling under 10 Gbps. Verisign, however, noted a 32% year-over-year decrease in the average of attack peak sizes.

For Nexusguard, one key takeaway from its observations last quarter was the sharp increase in amplification attacks involving DNSSEC-enabled servers. Nexusguard says the number of DNS reflection attacks in the fourth quarter of 2017 soared nearly 110% over the preceding quarter, while DDoS attacks using DNS amplification increased nearly 358% compared with the fourth quarter of 2016.

The decrease in DDoS attacks during the fourth quarter of 2017 that both Verisign and Nexusguard reported is somewhat at odds with reports from other vendors. Martin McKeay, global security advocate and lead author of Akamai's recently released State of the Internet Security Report, for instance, says DDoS attack volumes have only increased over the past few years.

"Akamai saw an almost identical number of attacks in Q4 2017 vs. Q3 2017, though the number of attacks had grown by 14% since the same time in 2016," he says. "From what we've seen, the number of attacks has been relatively steady quarter over quarter recently, and has grown significantly year over year for as long as we've been tracking the count of attacks."

The same is true of attack sizes, he says. "While we'd seen a general downward trend throughout 2016 in the median size of attacks from slightly over 1 Gbps, that trend changed in the second half of the year, to climb back to a median attack size of 750 Mbps," he says.

Similarly, Akamai has not seen a significant increase in attacks involving DNS- and DNSSEC-enabled domains. McKeay says DNS and DNSSEC have been a component of approximately 25% of the attacks Akamai has seen for several years.

Ashley Stephenson, CEO of Corero, has similar views on DDoS trends and says he hasn't seen anything to suggest a recent decline in the number of attacks. Like McKeay, Stephenson says Corero hasn't observed the sharp increase in DNSSEC amplification attacks that Nexusguard reported, though he agrees that multivector attacks have become more common.

The differences in reports, according to Stephenson, have a lot to do with how and where the data is captured and even with how different organizations define DDoS attacks. For an organization in the online gaming industry, for instance, traffic of something in the 500 Mbps to 1 Gbps range could be enough to constitute a DDoS attack. "An attack of that size is not going to be significant to a large financial institution or a bank that has a large data center," and probably wouldn't be counted as a DDoS attack.

Average attack size can also often be misleading, says McKeay. In many cases, one or two large attacks can easily throw reporting out of balance, which is why it is better to track median attack size instead, he says. "Large attacks, or a lack of, can easily skew an average attack-size metric, making the number unreliable."

Where the attack is measured can make a big difference as well. Attacks that are measured close to the source will be substantially larger than attacks that are measured close to the destination or target — sometimes by a 10-to-1 factor, Stephenson says.

A content delivery network, for instance, might measure the source of an attack, but the reality is that a lot of the traffic at the source will never get to the destination, he says. Similarly, a service provider might report on DDoS traffic from somewhere in the middle, away from the source and the destination, and the numbers they observe will be different from the numbers at the destination. So, while you might have terabits of data at the origin, what comes out at the other end of the funnel can be much smaller, Stephenson says.
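The three sources of divergence Stephenson and McKeay describe (the size threshold an organization uses to call something a DDoS attack, reporting a mean rather than a median peak size, and measuring near the source rather than the destination) can be made concrete with a small script. This is an added illustration, not code from the article or from any of the vendors quoted; the event sizes, the two example thresholds and the 10-to-1 source/destination ratio are constructed for the demonstration.

```python
"""Added illustration: the same set of DDoS events produces different
headline numbers depending on classification threshold, statistic and
vantage point. All event data below is constructed, not vendor data."""
from statistics import mean, median

# Constructed peak sizes in Gbps as observed at the destination, one per
# event. Most are small; the two large values stand in for the occasional
# outlier that dominates an average.
DEST_PEAKS_GBPS = [0.6, 0.8, 1.2, 2.0, 3.5, 4.0, 5.5, 7.0, 9.0, 53.0, 231.0]


def count_attacks(peaks, threshold_gbps):
    """Events an organization would count as DDoS attacks, given the
    smallest peak size it considers significant (an assumed policy)."""
    return sum(1 for p in peaks if p >= threshold_gbps)


def size_summary(peaks):
    """Mean and median peak size. The mean moves with a few large
    events; the median barely does, which is why McKeay prefers it."""
    return {"mean": round(mean(peaks), 2), "median": round(median(peaks), 2)}


def at_source(peaks, ratio=10.0):
    """Rescale destination measurements to a source-side vantage point,
    using the assumed up-to-10-to-1 ratio mentioned by Stephenson."""
    return [p * ratio for p in peaks]


def compare_views(peaks):
    """Side-by-side figures a gaming company, a bank, and a source-side
    observer might each report for the identical set of events."""
    return {
        "count_gaming_threshold_0.5_gbps": count_attacks(peaks, 0.5),
        "count_bank_threshold_10_gbps": count_attacks(peaks, 10.0),
        "size_at_destination": size_summary(peaks),
        "size_without_two_largest": size_summary(sorted(peaks)[:-2]),
        "size_at_source": size_summary(at_source(peaks)),
    }


if __name__ == "__main__":
    for label, value in compare_views(DEST_PEAKS_GBPS).items():
        print(f"{label}: {value}")
```

Dropping the two largest events moves the mean from 28.87 to 3.73 Gbps while the median only shifts from 4.0 to 3.5, and the bank's threshold counts 2 attacks where the gaming company's counts 11.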

"Ultimately, if you are an enterprise you have to be most concerned about what impacts you," Stephenson says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...