Akamai recently released the Prolexic Q1 2014 Global DDoS Attack Report. What follows are some of the key points, including a 114-percent increase in the average peak bandwidth of attacks.
Attackers chose reflection over infection techniques to achieve larger DDoS attacks, and the results were significant. The media and entertainment industry bore the brunt of that 114-percent increase in peak DDoS bandwidth.
That one industry received 54 percent of the malicious packets blunted by the Prolexic team. From the report:
Prolexic has observed the most abused protocols to be Character Generator (CHARGEN), Network Time Protocol (NTP) and Domain Name System (DNS). These protocols, which are all based on the User Datagram Protocol (UDP), may be favored as they allow attackers to hide their identity. In addition, amplification-based attacks can deliver a massive flood of data at the target while requiring only a relatively small output from the source.
New reflection and amplification attack tools can deliver a powerful punch. Q1 saw a 39 percent increase in average bandwidth and the largest-ever DDoS attack to cross the Prolexic DDoS mitigation network. This attack involved multiple reflection techniques combined with a traditional botnet-based application attack to generate peak traffic of more than 200 Gbps (gigabits per second) and 53.5 Mpps (million packets per second).
"In Q1, DDoS attackers relied less upon traditional botnet infection in favor of reflection and amplification techniques, a trend Prolexic has been seeing for some time," said Stuart Scholly, senior vice president and general manager of Security at Akamai Technologies. "Instead of using a network of zombie computers, the newer DDoS toolkits abuse Internet protocols that are available on open or vulnerable servers and devices. We believe this approach can lead to the Internet becoming a ready-to-use botnet for malicious actors."
Compared to Q1 2013
- 47 percent increase in total DDoS attacks
- 9 percent decrease in average attack bandwidth
- 68 percent increase in infrastructure (Layer 3 & 4) attacks
- 21 percent decrease in application (Layer 7) attacks
- 50 percent decrease in average attack duration: 35 vs. 17 hours
- 133 percent increase in average peak bandwidth
Compared to Q4 2013
- 18 percent increase in total DDoS attacks
- 39 percent increase in average attack bandwidth
- 35 percent increase in infrastructure (Layer 3 & 4) attacks
- 36 percent decrease in application (Layer 7) attacks
- 24 percent decrease in average attack duration: 23 vs. 17 hours
- 114 percent increase in average peak bandwidth
The report notes how innovation in the DDoS marketplace gave rise to tools that maximized damage with fewer resources.
NTP reflection attacks surged, going from less than 1 percent of all attacks in the prior quarter to nearly the same popularity as SYN flood attacks, a long-time favorite among the bad guys.
Meanwhile, CHARGEN and NTP attack vectors were not detected in Q1 2013 but accounted for 23 percent of all infrastructure attacks in Q1 2014.
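Reflected traffic reaches the target as UDP replies whose source port is that of the abused service (19 for CHARGEN, 53 for DNS, 123 for NTP), sent from many different servers at once. The following Python is an added example, not taken from the Prolexic report or from Akamai, that flags this pattern in flow records; the record layout, the thresholds and the sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Well-known UDP source ports of the three protocols the report names.
REFLECTION_PORTS = {19: "CHARGEN", 53: "DNS", 123: "NTP"}

# Hypothetical thresholds per aggregation window; tune against your own baseline.
MIN_REFLECTORS = 3
MIN_BYTES = 1_000_000

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("192.0.2.10", 123, "203.0.113.5", 40211, "udp", 480_000),
    ("192.0.2.11", 123, "203.0.113.5", 40211, "udp", 455_000),
    ("192.0.2.12", 123, "203.0.113.5", 40211, "udp", 470_000),
    ("192.0.2.20", 19, "203.0.113.5", 51000, "udp", 90_000),        # single small CHARGEN source
    ("198.51.100.53", 53, "203.0.113.9", 33555, "udp", 512),        # ordinary DNS answer
    ("198.51.100.7", 443, "203.0.113.5", 52000, "tcp", 2_000_000),  # not UDP, ignored
]


def detect_reflection(flows, min_reflectors=MIN_REFLECTORS, min_bytes=MIN_BYTES):
    """Return alerts for hosts receiving bulk UDP replies from many reflectors."""
    sources = defaultdict(set)   # (victim, vector) -> distinct reflector IPs
    volume = defaultdict(int)    # (victim, vector) -> total bytes received
    for src_ip, src_port, dst_ip, _dst_port, proto, nbytes in flows:
        service = REFLECTION_PORTS.get(src_port)
        if proto != "udp" or service is None:
            continue
        key = (dst_ip, service)
        sources[key].add(src_ip)
        volume[key] += nbytes
    alerts = []
    for key in sorted(sources):
        # Require both many senders and high volume so normal replies do not alert.
        if len(sources[key]) >= min_reflectors and volume[key] >= min_bytes:
            dst_ip, service = key
            alerts.append({"victim": dst_ip, "vector": service,
                           "reflectors": len(sources[key]), "bytes": volume[key]})
    return alerts


if __name__ == "__main__":
    for alert in detect_reflection(SAMPLE_FLOWS):
        print(alert)
```

Because the senders are genuine servers answering spoofed requests, blocking individual source addresses does little; the per-vector count is what tells an operator which protocol to rate-limit or filter upstream.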