Early last year, a different type of DDoS attacker emerged: one with considerable botnet resources, but also an intimate understanding of how the Internet routing topology works. As a result, Prolexic detected a clear shift to high packet-per-second DDoS attacks specifically designed to overwhelm infrastructure elements such as routers. Failure of these devices often causes collateral damage, typically taking thousands of customer websites offline.
“It’s a classic change up,” said Stuart Scholly, president at Prolexic. “Nearly everyone has been focused on bandwidth and gigabits per second, but it’s the packet rate that’s causing the most damage and presenting the biggest challenge. These packet rates are above the thresholds of all but the most expensive routers and line cards and we are seeing networks buckle as a result.”
According to the company's Q1 2013 Global DDoS Attack Report, the average attack bandwidth went up from 5.9 Gbps to 48.25 Gbps, and its duration increased from 32.2 hours to 34.5 hours when compared to the last quarter of 2012. Still, there was only a 1.75 percent increase in total number of DDoS attacks.
During Q1 2013, more than 10 percent of DDoS attacks against Prolexic’s global client base averaged more than 60 Gbps. The largest attack mitigated in the quarter peaked at 130 Gbps, occurring in March against an enterprise customer. In response to these huge attacks, more carriers and ISPs are being forced to null route (black hole) traffic to protect their networks.
Attack volume also grew in Q1 2013 and reached the highest number of attacks the compnay has logged for one quarter. However, the percentage increase over the previous quarter was nominal. Attack volume has been especially high during the last six months, reflecting a general trend of heightened global DDoS activity and risk of attack.
Like recent quarters, Layer 3 and Layer 4 infrastructure attacks were the favored attack type, accounting for 76.54 percent of total attacks during the quarter, with Layer 7 application layer attacks making up the remaining 23.46 percent. This approximate 3:1 split remains unchanged. This quarter, SYN (25.83 percent), GET (19.33 percent), UDP (16.32 percent) and ICMP (15.53 percent) floods were the attack types most often encountered during mitigation.
Average attack duration continued to rise, from 32.2 hours the previous quarter to 34.5 hours in Q1, an increase of 7.14 percent. March was the most active month for attacks, accounting for 44 percent of the quarter’s attacks. The week of March 19 was the most active of the quarter. The last two weeks of the quarter were the most active and showed the largest percentage increase compared to Q1 2012 (306 and 154 percent respectively).
As is commonplace, the top 10 list of source countries responsible for launching the most DDoS attacks was fluid with the exception of China. Once again, China secured the top place in attack source country rankings, joined by the United States, Germany, and for the first time, Iran.
For more details, you can download the report here (registration required).