High volume DDoS attacks still persistent

Arbor Networks released global DDoS attack data that shows a continuation of extremely high volume attacks. In Q1 2015, there were 25 attacks larger than 100Gbps globally.

In the past year, Arbor has documented a dramatic increase in DDoS activity. The majority of recent very large attacks leverage a reflection amplification technique using the NTP, SSDP and DNS servers, with large numbers of significant attacks being detected all around the world:

• An example of how attackers are constantly changing their techniques, SSDP reflection attacks are up dramatically year-over-year: 126,000 monitored in Q1 2015 versus 3 reported in Q1 2014
• Attacks are shorter but pack a punch: Majority of attacks are short-lived, approximately 90% last less than 1 hour.

Reflection amplification is a technique that allows an attacker to both magnify the amount of traffic they can generate, and obfuscate the original sources of that attack traffic. This technique relies on two unfortunate realities: firstly, many service providers still do not implement filters at the edge of their network to block traffic with a ‘forged’ (spoofed) source IP address; secondly, there are plenty of poorly configured and poorly protected devices on the Internet providing UDP services that offer an amplification factor between a query sent to them and the response which is generated.

“Attacks that are significantly above the 200Gbps level can be extremely dangerous for network operators and can cause collateral damage across service provider, cloud hosting and enterprise networks,” said Darren Anstee, Director, Solutions Architects, for Arbor Networks.

“DDoS attacks continue to evolve. Not only have volumetric attacks grown significantly in size and frequency over the past 18 months, application-layer attackers are also still pervasive. In order to deal with the full scope of the modern DDoS threat we strongly recommend a multi-layered defense, one that integrates on-premise protection against application-layer attacks with cloud-based protection against higher magnitude Volumetric attacks. Only then is an organization fully protected from DDoS attacks today.”