DDoS attacks are on the increase and getting bigger and more widespread, according to research released by Arbor Networks.

Some DDoS attacks are exceeding the bandwidth of small countries.

Rene Millman
January 27, 2016

In its Worldwide Infrastructure Security Report, Arbor Networks concluded that the size of the largest DDoS attack it recorded in 2015 was 500gbps, up from 400Gbps in 2014. Other respondents to the survey reported attacks of 450, 425 and 337gbps.

The firm interviewed 354 global network operators from the US, Canada, Latin America, Europe, Middle East, Africa, Asia Pacific and Oceania.

Many respondents from enterprises and datacentres said that as a result of a DDoS attack, firewall and IPS devices had failed. Around half of datacentres suffered DDoS attacks which maxed out their entire Internet bandwidth – an increase from 33 percent last year.

DDoS attacks on DNS servers were up from 17 percent last year to 30 percent this year. But the research showed that despite the increase in this type of attack, 17 percent of service providers and 26 percent of enterprises still had no dedicated DNS security resources.

The cloud didn't escape the attentions of hackers: attacks on cloud-based services are up by a third over the previous year.

According to the report, the top motivation behind DDoS attacks is “criminals demonstrating attack capabilities,” with “gaming” and “criminal extortion attempts” in second and third place respectively.

“A growing proportion of respondents are seeing DDoS attacks being used as a distraction for either malware infiltration or data exfiltration. This year, 26 percent see this as a common or very common motivation, up from 19 percent last year,” said the report.

“A constantly evolving threat environment is an accepted fact of life for survey respondents,” said Arbor Networks chief security technologist Darren Anstee.

“This report provides broad insight into the issues that network operators around the world are grappling with on a daily basis. Furthermore, the findings from this report underscore that technology is only part of the true story since security is a human endeavor and there are skilled adversaries on both sides. Thanks to the information provided by network operators worldwide, we are able to offer insights into people and process, providing a much richer and more vibrant picture into what is happening on the front lines.”

Richard Cassidy, technical director EMEA at Alert Logic, told SCMagazineUK.com that cyber-criminals are becoming increasingly effective at compromising poorly protected cloud services, adding to their BOTNET coverage, with one incredible gain in that bandwidth capability is in most cases substantially higher (10Gbps+) than traditionally compromised on-premise infrastructures that would have average uplink speeds of around 25-75mbps.

“This means that botnet coverage rates don't need to have the spread they used to. For example, when launching an attack of 100gbps plus, you might only need five to ten cloud-hosted environments to reach the required bandwidth levels, as opposed to 1000s and 1000s of machines across 100s of compromised organisations, under legacy DDoS approaches,” he said.

“In the end this means that cyber-criminals have the ability to do a great deal more damage, far more quickly than ever before and if they're shut down via one source of attack through DDoS mitigation tools, they can switch to a new set of sources very quickly to sustain the threat to a high degree of success. In this respect DDoS attacks have and are becoming far more complex and sophisticated than ever before, making them far more difficult to prevent overall.”

Mark Chaplain, VP EMEA for Ixia told SC that the availability of ‘DDoS as a service' and large-scale botnets is making it easier for attackers to launch a campaign of this scale.

“Organisations can mitigate the impact of DDoS attacks by reducing the attack surface of their networks – blocking web traffic from the large numbers of IP addresses that are known to be bot-infected, or are sources of malware and DoS attacks,” he said.

Ron Symons, regional director at A10 Networks, said DDoS-as-a-service is a growing phenomenon.

“The ability to order large-scale attack capabilities via a credit card on the dark web is fuelling the potential reach of cyber-criminals,” he said.

“These attacks may be carried out for a variety of reasons, from the ideological to the retaliatory, and, more frequently, as smokescreens for more invasive attacks. Targeting central servers while exploiting unguarded backdoors is an increasingly successful tactic in the assault on sensitive data.”