Arbor: DDoS attacks growing faster in size, complexity

Getty Images


Written by

The size of distributed denial of service attacks continued to grow at a faster rate than ever last year, and the attacks also increased in frequency and complexity, according to Arbor Networks’  latest Worldwide Infrastructure Security Report.

The 12th annual report, published Tuesday, is based on a survey of 365 internet service providers, as well as other types of network operators from around the world, and on internet data from Nov. 2015 through Oct. 2016. Because Arbor provides services to so many large internet providers, it has visibility into about a third of all global internet traffic.

Distributed denial-of-service, or DDoS, attacks are at one level the most basic kind of cyberattack — compromised devices, like personal computers infected by a virus, are marshaled into huge robot networks or botnets, and flood the targeted website or other system with junk data, slowing real traffic to a crawl or stopping it altogether.

The largest attack seen during the period covered in the report aimed 800 gigabits per second, or GbPS, of data at the target — a 60 percent increase over the largest attack from the prior year. Since Arbor first began producing the report in 2005, maximum DDoS attack size has grown at a compound annual growth rate of 44 percent. But in the past five years, since 2011, that rate has been 68 percent, the company said in a release.

Maximum DDoS attack size 2007-16 (Source: Arbor 12th Annual World Infrastructure Security Report, 2017)
Maximum DDoS attack size in gigabits per second, 2007-16 (Source: Arbor 12th Annual World Infrastructure Security Report, 2017)

The report says the massive growth in attack size has been driven by two factors. Firstly, “the emergence and weaponization” of botnets based on compromised IoT devices or home routers, rather than computers; and secondly the increased use of “reflection amplification” by attackers. Reflection amplification leverages internet infrastructure like the domain name system or the network time protocol “to multiply attack traffic by hundreds of times, while hiding the original source.”

In a reflection attack, an attacker can “send 1GbPS of initial traffic, [and] 100 GbPS is delivered to the target.”

As the frequency of attacks rises, “the chances of being hit by a DDoS attack have never been higher,” states the report.

Fifty-three percent of service providers said they are seeing more than 21 attacks per month — up from 44 percent in the prior year. Frequency grew much faster for other sectors. Twenty-one percent of data center respondents see more than 50 attacks per month versus only 8 percent last year, for instance.

Also rising: complexity. While the basic DDoS attack is very straightforward, using internet traffic to overwhelm web-facing servers; there are other forms of DDoS that can be aimed at different aspects of victims’ infrastructures, like the application layer or the connection state tables in firewalls, web application servers, and other infrastructure components. This last kind of attack is called a state-exhaustion or protocol attack.

A multi-vector attack is when several different attack modes are combined. These attacks are popular with hackers “because they can be difficult to defend against and are often highly effective,” states the report. The proportion of respondents seeing multi-vector attacks on their networks increased significantly in the period covered by the report, up to 67 percent from 56 percent the prior year and 42 percent the year before that.

-In this Story-

Arbor Networks, botnets, cyberattacks, DDoS, reflection amplification, Worldwide Infrastructure Security Report