There is strong growth in the average size of DDoS attacks, from both a bits-per-second and packets-per-second perspective, according to Arbor Networks’ Q2 2015 global DDoS attack data.
Of most concern to enterprise networks is the growth in the average attack size, Arbor Networks says.
The largest attack monitored in Q2 was a 196GB/sec UDP flood, a large but no longer uncommon attack size.
In Q2, 21% of all attacks topped 1GB/sec, while the most growth was seen in the 2-10GB/sec range. However, there was also a significant spike in the number of attacks in the 50-100GB/sec range in June.
Average attack size for New Zealand increased significantly to 1.1Gbps/241.95Kpps in Q2 from 430.84Mbps/55.39Kpps in Q1.
“Extremely large attacks grab the headlines, but it is the increasing size of the average DDoS attack that is causing headaches for enterprises around the world,” says Darren Anstee, Arbor Networks chief security technologist.
“Companies need to clearly define their business risk when it comes to DDoS. With average attacks capable of congesting the internet connectivity of many businesses it is essential that the risks and costs of an attack are understood, and appropriate plans, services and solutions put in place,” Anstee says.
New Zealand has a higher proportion of attacks of more than 1Gbps than APAC as a whole. In Q2, the figure for New Zealand was 35%, versus just 17% for APAC.
The majority of attacks in New Zealand were very short-lived: approximately 97% lasted less than one hour.
The average attack duration for New Zealand was just 15 minutes 39 seconds, compared to 23 minutes 46 seconds for Australia and 39 minutes and 53 seconds for APAC.
The proportion of attacks that lasted longer than 12 hours was less than 0.1% for New Zealand in Q2.
The top three sources for attacks on New Zealand in Q2 were China 6%, US 6% and NZ 1%.
Globally, 50% of reflection attacks in Q2 targeted UDP port 80 (HTTP/U). Port 80 is also the leading target for attacks in New Zealand, but only 18% of attacks targeted it.
Reflection amplification is a technique that allows an attacker to both magnify the amount of traffic they can generate, and obfuscate the original sources of that attack traffic.
This technique relies on the fact that many service providers still do not implement filters at the edge of their network to block traffic with a ‘forged’ (spoofed) source IP address, and on the many poorly configured and protected devices on the internet providing UDP services that offer an amplification factor between a query sent to them and the response which is generated, says Arbor Networks.
The majority of very large volumetric attacks leverage a reflection amplification technique using the Network Time Protocol (NTP), Simple Service Discovery Protocol (SSDP) and DNS servers, with large numbers of significant attacks being detected all around the world, the company says.
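For defenders, reflected traffic has a recognisable shape in flow data: UDP arriving from the service port of the reflector (NTP 123, SSDP 1900, DNS 53) and from many distinct sources, all aimed at one target. The sketch below is an added example, not Arbor Networks' method; the flow records are constructed, and the record layout, function name and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# UDP source ports of the reflector services named in the article.
REFLECTOR_PORTS = {123: "NTP", 1900: "SSDP", 53: "DNS"}

# Constructed flow records (documentation address ranges, not real data),
# all observed in one 10-second window:
# (src_ip, src_port, dst_ip, proto, bytes, packets)
SAMPLE_FLOWS = [
    # 40 NTP servers answering spoofed queries, all replying to one victim.
    *[(f"198.51.100.{i}", 123, "203.0.113.10", "udp", 4_000_000, 9_000)
      for i in range(1, 41)],
    # Ordinary DNS answers from two resolvers to another host.
    ("192.0.2.53", 53, "203.0.113.20", "udp", 1_200, 4),
    ("192.0.2.54", 53, "203.0.113.20", "udp", 900, 3),
    # Large TCP transfer to the victim: not reflection, must be ignored.
    ("198.51.100.200", 443, "203.0.113.10", "tcp", 5_000_000, 4_000),
]

def detect_reflection(flows, window_s, min_bps, min_sources):
    """Flag targets receiving high-rate UDP from many reflector sources."""
    stats = defaultdict(lambda: {"bytes": 0, "packets": 0, "sources": set()})
    for src, sport, dst, proto, nbytes, npkts in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        entry = stats[(dst, REFLECTOR_PORTS[sport])]
        entry["bytes"] += nbytes
        entry["packets"] += npkts
        entry["sources"].add(src)

    alerts = []
    for (dst, service), entry in sorted(stats.items()):
        bps = entry["bytes"] * 8 / window_s
        # Require both volume and source spread, so that one busy but
        # legitimate resolver or time server does not raise an alert.
        if bps >= min_bps and len(entry["sources"]) >= min_sources:
            alerts.append({
                "target": dst,
                "service": service,
                "mbps": round(bps / 1e6, 2),
                "kpps": round(entry["packets"] / window_s / 1e3, 2),
                "sources": len(entry["sources"]),
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_reflection(SAMPLE_FLOWS, 10, 100e6, 20):
        print(alert)
```

Reporting both Mbps and Kpps mirrors how the attack sizes above are quoted, since a link can be saturated by either bandwidth or packet rate.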
Arbor Networks' data is gathered through ATLAS, a collaborative partnership with more than 330 service provider customers who share anonymous traffic data in order to deliver a comprehensive, aggregated view of global traffic and threats.
ATLAS collects 120TB/sec of internet traffic and is the source of data for the Digital Attack Map, a visualisation of global DDoS attacks created in collaboration with Google Ideas.