DDoS attacks grow stronger in Q2 2015, report shows

Distributed denial-of-service (DDoS) attacks grew stronger in the second quarter of 2015.

According to the latest findings by Arbor Networks, 20.8 percent of DDoS attacks were greater than 1 Gbps in Q2 of this year, which represents a steady increase over the 17.7 percent in the first quarter of 2015 and the 16 percent in all of 2014. Additionally, 8.7 percent of attacks in Q2 2015 were larger than 1 Mpps, which is up from 5.7 percent in this year's first quarter and 5.4 percent in 2014.

In June alone, the security firm observed 390 events reaching between 50 and 100 Gbps, most of which were SYN flood attacks with spoofed source addresses and random source ports, Gary Sockrider, principal security technologist with Arbor Networks, told in a Thursday email correspondence. Those attacks targeted the U.S. and Canada 75 percent of the time.

Sockrider named two reasons why large DDoS attacks continue to grow.

“The first is sheer network capacity,” Sockrider said. “As global network capacity grows, so does the ability to carry out these attacks. After all, attacks can't be delivered without sufficient infrastructure in place. Second, attackers have been carrying out reflection amplification attacks with increased success over the last year. At first the protocol of choice to exploit was NTP, but in the last few quarters the vector has shifted to exploiting SSDP.”

Despite the shift, Arbor Networks observed only 84,000 SSDP attacks in the second quarter of this year, which represents a fairly significant decrease over the 126,000 observed in the first quarter of 2015. While Sockrider said the drop is likely due to defenders having a greater awareness of SSDP attacks, the findings still show that the average attack size for SSDP – as well as DNS, NTP, and Chargen reflection amplification – all increased in Q2 2015.

Sockrider explained that, altogether, SYN floods and reflection amplification techniques are most observed in volumetric attacks, while web services such as HTTP, DNS and HTTPS “dominate” application layer attacks.

When it comes to mitigating the threat posed by DDoS attacks, Sockrider said that “defenses should always be layered with a combination of purpose built, on-premise equipment to provide early warning and deep packet inspection combined with upstream network based protection to handle volumetric attacks.”

Also in the report: Arbor Networks observed 51 attacks larger than 100 Gbps so far in 2015, compared to 159 in all of 2014.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.