"We are seeing a lot of Web [DDoS] attacks and encrypted attacks," says Gary Sockrider, solutions architect for the Americas at Arbor Networks, which released its annual Worldwide Infrastructure Security Report today that mentions a record-breaking 309-Gbps DDoS attack last year. "In the past three years, DDoSes had plateaued at a peak of around 100 Gbps. This year, the largest is 309 Gbps, three orders of magnitude larger."
Other security reports published today echo the same theme of more punishing DDoS attacks in the past year: Radware saw a 20 percent increase in severity of DDoS attacks, and Prolexic reports that DDoS attack volume increased month to month last year, with an increase of 30 percent in powerful, high bandwidth attacks.
Sockrider says respondents to the Arbor survey -- 68 percent of whom are service providers -- reported experiencing multiple DDoS attacks above 100 Gbps, which jibes with what Arbor witnessed firsthand for its customers. While the DDoS attack in March 2013 against volunteer spam filtering organization Spamhaus was the largest on record at 300 Gbps traffic, there were likely copycats, he says.
The attackers behind the DDoS attack on Spamhaus abused improperly configured or default-state DNS servers, also known as open DNS resolvers, so this was no standard botnet-borne attack. Since DNS servers are large and run on high-speed Internet connections, the attackers were able to maximize a bigger bandwidth attack with fewer machines.
More than one-third of respondents in the Arbor survey say they were hit with DNS-based DDoS attacks that affected customers, up from 25 percent last year.
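The open-resolver abuse described above is visible from the resolver operator's side: a resolver that answers recursive queries for clients outside its own networks is the misconfiguration, and responses many times larger than the queries are the shape of reflection traffic (the logged "client" is then usually the spoofed victim). The following is an added example, not code from Arbor or from the article; it assumes a constructed space-separated log format, a constructed allowlist of internal prefixes, and an amplification-ratio threshold of 10, none of which come from the page.

```python
import ipaddress
from collections import defaultdict

# Prefixes this resolver is meant to recurse for. Constructed example allowlist;
# a real deployment substitutes its own internal networks.
ALLOWED_RECURSION = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed query-log excerpt in a simple space-separated format:
#   client_ip qname qtype request_bytes response_bytes flag
# where flag "rd" means the client asked for recursion and received an answer.
SAMPLE_LOG = """\
10.1.2.3 mail.example.com A 45 61 rd
10.1.2.4 www.example.com AAAA 47 75 rd
203.0.113.9 example.org ANY 37 3223 rd
203.0.113.9 example.org ANY 37 3223 rd
203.0.113.9 example.org ANY 37 3223 rd
203.0.113.9 example.net ANY 38 2850 rd
198.51.100.7 example.net TXT 41 328 rd
"""


def parse_log(text):
    """Turn the constructed log format into a list of dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        client, qname, qtype, req_bytes, resp_bytes, flag = parts
        records.append({
            "client": client,
            "qname": qname,
            "qtype": qtype,
            "req_bytes": int(req_bytes),
            "resp_bytes": int(resp_bytes),
            "recursion_desired": flag == "rd",
        })
    return records


def recursion_allowed(client_ip):
    """True if the client falls inside a prefix the resolver should recurse for."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in ALLOWED_RECURSION)


def analyze(records, min_ratio=10.0):
    """Aggregate recursive answers per client and flag two conditions:
    - open_recursion: a client outside the allowlist received recursive answers
      (the resolver is acting as an open resolver for that source), and
    - amplification: such a client's response/request byte ratio is at or above
      min_ratio, the profile of reflection traffic aimed at that address.
    """
    per_client = defaultdict(lambda: {"queries": 0, "req_bytes": 0,
                                      "resp_bytes": 0, "any_queries": 0})
    for rec in records:
        if not rec["recursion_desired"]:
            continue
        stats = per_client[rec["client"]]
        stats["queries"] += 1
        stats["req_bytes"] += rec["req_bytes"]
        stats["resp_bytes"] += rec["resp_bytes"]
        if rec["qtype"] == "ANY":
            stats["any_queries"] += 1

    findings = {"open_recursion": [], "amplification": []}
    for client, stats in per_client.items():
        stats["ratio"] = round(stats["resp_bytes"] / stats["req_bytes"], 1)
        if recursion_allowed(client):
            continue
        findings["open_recursion"].append(client)
        if stats["ratio"] >= min_ratio:
            findings["amplification"].append(client)
    return dict(per_client), findings


if __name__ == "__main__":
    stats, findings = analyze(parse_log(SAMPLE_LOG))
    for client, s in stats.items():
        print(f"{client:15} queries={s['queries']:2} any={s['any_queries']:2} "
              f"ratio={s['ratio']:5}  allowed={recursion_allowed(client)}")
    print("open recursion served to:", findings["open_recursion"])
    print("amplification-shaped traffic to:", findings["amplification"])
```

The first finding is the configuration defect to fix (restrict recursion to the allowlisted prefixes); the second tells the operator which address is currently being hit through the resolver, which is what an upstream provider needs in order to rate-limit or filter.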
Hacktivists remain the top DDoS attackers, according to Arbor's report, but cybercriminals also are employing these destructive attacks to target businesses. Some 40 percent of DDoS attacks are waged for political or ideological reasons, respondents say, while 39 percent say the attack motivation is unknown. Some 16 percent say the attacks were used as a diversion by the attackers for cybercrime activity such as stealing sensitive data.
Richard Domingues Boscovich, assistant general counsel of Microsoft's Digital Crimes Unit, says DDoS attacks are becoming more serious, and increasingly are getting used in conjunction with other attacks. A DDoS can be used to overwhelm a company's security operations center, for instance, to weaken their defenses against other types of attacks. "So DDoS mitigation is crucial to filter the noise away," he says. Becoming overwhelmed by a DDoS can leave a back door open for other attacks while the organization is dealing with the DDoS, he says. "That's my main concern," Boscovich says.
If a criminal syndicate were to point a massive DDoS at a bank's network, for instance, it could take down their firewalls. "No firewall can scale to 50 to 60 Gbps of throughput, so it's going to fill up memory and saturate the system, so the security team has to take them down, reboot the ACLs [access control lists], turn off scanning, and during that period ... the criminals will use DDoS as a distraction to go after and exfiltrate data," says Jason Matlof, vice president of marketing for A10 Networks. "Criminal syndicates are getting more sophisticated, and botnets are a way to make money like they've never been able to make before."
Data Centers In the Bull's Eye
Data center operations are being targeted more by DDoS attacks, according to Arbor, with 70 percent of centers saying they saw a rise in attacks, versus 50 percent last year. More than one-third say the attacks completely saturated their available Internet connections: "Twice as many said it exceeded their total bandwidth, so it had to be mitigated upstream," Sockrider says. "81 percent say they experienced operational expenses or business impact because of a DDoS."
Multiple DDoS attacks also were more frequent on data centers last year: some 10 percent say they suffered more than 100 DDoS attacks per month.
[Denial-of-service attacks powered by NTP amplification interrupted online-gaming services over the past month, renewing efforts to find solutions to the vulnerabilities. See No Easy Solution To Stop Amplification Attacks.]
Radware's DDoS survey found that 87 percent of enterprises and carriers have experienced some level of service disruption due to a DDoS attack, and 60 percent had an actual service degradation from a DDoS. "The negative impact of a service outage is already understood, but even small instances of service degradation can have harmful, lasting effects on an organization's brand image, customer satisfaction and ultimately its bottom line," says Avi Chesla, chief technology officer at Radware.
Meanwhile, application-layer DDoS attacks continue to become more prevalent, Arbor reports, with a 17 percent increase in DDoSes against encrypted, SSL/HTTPS websites and services. "What they're trying to do is evade detection. These encrypted attacks tend to be fairly simplistic and they're not trying to hide their nature, but just trying to hide the fact that it is an attack," Sockrider says.
Encrypted application-layer DDoS attacks accounted for half of all Web attacks last year, according to Radware. Some 15 percent of its survey respondents say their Web application login pages were hit daily.
SSL DDoS attacks employ simple encryption algorithms, and encryption is becoming an option in many DDoS attack tools, Arbor's Sockrider says. This type of DDoS traffic can easily get passed to the server by the IPS or firewall: "On the surface, [the traffic] looks legitimate. It's very uncommon that they decrypt it to inspect it," he says.
These attacks are not high volume like infrastructure attacks, but instead are all about exhausting server or state table resources. "It's exhausting the resources of the application or host it runs on. And it's much harder to detect, and therefore you can't [typically] see it," Sockrider says.
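Because the IPS or firewall rarely decrypts the traffic, the practical place to catch this kind of attack is the resource it exhausts: the server's or load balancer's connection state table, which can be watched without touching the TLS payload. Long-lived connections that have carried almost no request bytes, many of them from one source, are the signature of slots being held open. The following is an added example, not code from Arbor or from the article; it assumes a constructed connection-table snapshot format (a real source would be conntrack, ss, or a load balancer's state export), a constructed table capacity of 10 entries, and the idle thresholds and per-source limit shown, none of which come from the page.

```python
from collections import defaultdict

# Constructed connection-table snapshot in a format chosen for this example:
#   src_ip src_port dst_port state age_seconds bytes_in bytes_out
# The first two rows look like ordinary HTTPS sessions; the 203.0.113.50 rows
# have been open for a minute and a half with barely a request's worth of data.
SNAPSHOT = """\
10.0.5.20 51234 443 ESTABLISHED 3 2100 15800
10.0.5.21 51235 443 ESTABLISHED 1 800 4200
203.0.113.50 40001 443 ESTABLISHED 95 120 310
203.0.113.50 40002 443 ESTABLISHED 94 118 310
203.0.113.50 40003 443 ESTABLISHED 93 121 310
203.0.113.50 40004 443 ESTABLISHED 92 119 310
203.0.113.50 40005 443 ESTABLISHED 91 117 310
198.51.100.8 50010 443 ESTABLISHED 40 150 310
198.51.100.8 50011 443 ESTABLISHED 2 3400 22000
"""

# Constructed capacity, kept tiny so the sample snapshot trips the pressure check.
STATE_TABLE_CAPACITY = 10


def parse_snapshot(text):
    """Parse the constructed snapshot format into dicts, skipping malformed lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        src_ip, src_port, dst_port, state, age, b_in, b_out = parts
        conns.append({
            "src_ip": src_ip,
            "src_port": int(src_port),
            "dst_port": int(dst_port),
            "state": state,
            "age": int(age),
            "bytes_in": int(b_in),
            "bytes_out": int(b_out),
        })
    return conns


def is_idle(conn, min_age=30, max_bytes_in=256):
    """An established connection that has been open a long time but carried
    almost no request data: the profile of a slot held open to consume a
    state-table entry rather than to fetch anything."""
    return (conn["state"] == "ESTABLISHED"
            and conn["age"] >= min_age
            and conn["bytes_in"] <= max_bytes_in)


def assess(conns, capacity=STATE_TABLE_CAPACITY, per_source_limit=3, pressure=0.8):
    """Report table utilization and the sources holding too many idle slots.
    None of this needs the TLS payload; it is all connection metadata."""
    idle_by_src = defaultdict(int)
    for c in conns:
        if is_idle(c):
            idle_by_src[c["src_ip"]] += 1
    suspects = {src: n for src, n in idle_by_src.items() if n >= per_source_limit}
    utilization = round(len(conns) / capacity, 2)
    return {
        "utilization": utilization,
        "under_pressure": utilization >= pressure,
        "idle_by_source": dict(idle_by_src),
        "suspects": suspects,
    }


if __name__ == "__main__":
    report = assess(parse_snapshot(SNAPSHOT))
    print(f"state table {report['utilization']:.0%} full, "
          f"under pressure: {report['under_pressure']}")
    for src, n in report["suspects"].items():
        print(f"  {src}: {n} idle connections over the per-source limit")
```

The per-source limit matters because a handful of idle connections from one client is normal browser behaviour; the combination of a nearly full table and one source owning most of the idle slots is what justifies acting on that source (an idle timeout, a per-source connection cap at the load balancer) rather than on all traffic.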
Enterprises are the biggest DDoS target, according to Akamai, which today published its State of the Internet report for Q3 2013. Some 127 DDoS attacks were reported by enterprises during that period, 80 by commerce businesses, 42 by media and entertainment organizations, 18 by public sector organizations, and 14 by high-technology firms.
And once you're hit with a DDoS, there's a 25 percent chance you'll be attacked again within three months, Akamai estimates.
The bad news is many organizations just don't have a plan for defending against DDoS attacks, either. Nearly 45 percent of organizations surveyed recently by Corero have no DDoS response plan, while some 21 percent don't have a response team set up in the case of a DDoS attack targeting their networks. Around 60 percent say they don't have a designated DDoS response team, and 40 percent say they don't have a point of contact within their organizations when a DDoS hits.
Arbor's Worldwide Infrastructure Security Report is available here (PDF) for download.