42 percent of respondents said they have experienced multi-vector attacks that combined volumetric, application-layer, and state exhaustion techniques.
42 percent of respondents said they have experienced multi-vector attacks that combined volumetric, application-layer, and state exhaustion techniques.

The largest distributed denial-of-service (DDoS) attack reported a decade ago was 8 Gbps – this year the largest reported attack was 400 Gbps, according to the 10th Annual Worldwide Infrastructure Security Report by Arbor Networks.

From November 2013 to October 2014, the company – which specializes in DDoS attacks – collected survey data from 287 service providers, hosting, mobile enterprise and other network operators from around the globe.

“Looking back to our first report 10 years ago, 90 [percent] of respondents saw volumetric DDoS attacks on their networks,” Gary Sockrider, Arbor Networks' solutions architect for the Americas, told SCMagazine.com in a Tuesday email correspondence. “This year, 90 percent saw application-layer DDoS attacks which weren't even being discussed back then.”

According to the findings in the latest report, 42 percent of respondents said they have experienced multi-vector attacks that – within a single sustained attack – combined volumetric, application-layer, and state exhaustion techniques.

Overall, DDoS attacks are on the rise – this year 38 percent of respondents said that they have experienced more than 21 attacks per month, whereas roughly 25 percent indicated the same in 2013.

“In 2014 the primary technique for generating these massive attacks was reflection/amplification exploiting servers running protocols such as NTP, SSDP, and DNS,” Sockrider said. “Because there are so many unsecured and publicly available servers on the Internet, it's frighteningly simple to perpetrate these attacks.”

Sockrider said that Arbor Networks is also seeing a negative trend in the number of respondents who are filtering spoofed traffic on their networks, which he considered a best current practice. He added, calling it unfortunate, that organizations are still using firewalls and intrusion prevention systems (IPS).

“Since these devices typically maintain state tables for the traffic passing through them, they become the victim of state-exhaustion DDoS attacks,” Sockrider said. “One positive trend we saw this year was the increased use of Intelligent DDoS Mitigation Systems to protect the firewalls and other infrastructure from these kinds of attacks.”

In the report, 40 percent of respondents said they felt reasonably or well prepared for a security incident, and 10 percent said they felt completely unprepared to respond to an incident. Sockrider said that organizations are finding it difficult to retain talented security personnel, and that many groups are not regularly running drills to hone their response skills.

Ultimately, organizations have much to lose from being hit with DDoS attacks.

“The business impacts of DDoS are many and this year the top reported issues are operational expense, reputation damage and revenue loss,” Sockrider said. “Other impacts include employee turnover, stock price fluctuation and loss of executives.”

The report notes that data centers have become a big target – more than a third of data center operators experienced DDoS attacks that exhausted internet bandwidth, and 44 percent said they experienced revenue losses as a result of DDoS attacks.