DDoS Attacks Are Getting Bigger And Badder


Data from a DDoS security vendor suggests that distributed denial of service attacks are not only becoming more widespread, they are also becoming "larger" and more likely to target specific applications.

Various characteristics of DDoS attacks are closely monitored through a customer intelligence feed operated by Arbor Networks, a Chelmsford, Mass.-based technology vendor specializing in traffic management, reporting, threat protection and threat mitigation for the past 12 years.

Arbor’s Atlas infrastructure monitors a peak of 34.17 Tbps of traffic, pulling data from more than 230 service provider customers around the world. The most recent data covers the first half of 2012. Perhaps the most compelling finding is that the attack sizes are clearly on the increase. The escalating availability of botnets and DDoS tools has led to larger, more frequent and more complex attacks.

The frequency of attacks has increased by 82 percent since June of 2011. The average size of the attacks has increased by 27 percent and is now consistently in excess of 1 Gb/sec, a level that had previously functioned as an unofficial benchmark for large attacks.

"Things are moving into the 1 to 2 Gb per second level," said Darren Anstee, solutions architect at Arbor Networks. "Those represented 8.9 percent in 2010, 18.79 percent last year and 20.1 percent so far this year. So they are clearly on the rise."

"A lot of enterprises and smaller data centers have Internet connectivity around one gig or less, so as these attacks scale upward, their impact becomes more profound," Anstee explained. "So, the botnets have gotten larger; user dependence is also higher; and attackers are continuing to get smarter. All three of these things factor into the equation."

The largest attacks observed by Arbor Networks at this point are running at speeds of approximately 100 gigabits per second, according to the data.

Attackers are also having increased success with multivector attacks against specifically targeted applications and devices. These attacks cannot be consistently blocked in the cloud, and they can also be used to defeat firewalls and intrusion prevention systems.

"Because these are stateful devices and they keep information on everything that goes in and out of the network, they are very inviting to DDoS attackers," Anstee said. "From a channel perspective, you can go into an account and recommend a purpose-built device that will protect your customer and also provide the investment protection necessary to keep existing infrastructure like firewalls and IPS systems from getting choked off and falling over. If you don't deal with those components, you are only expanding the threat surface."

PUBLISHED AUG. 6, 2012