Arbor Networks,a leading provider of DDoS and advanced threat protection solutions for enterprise and service provider networks, has released its Q1 2015 global DDoS attack data that shows a continuation of extremely high volume attacks, including the largest attack ever recorded by Arbor’s ATLAS threat intelligence infrastructure, a 334Gbps attack targeting a network operator Asia. In Q1 2015, there were 25 attacks larger than 100Gbps globally.
In the past year, Arbor has documented a dramatic increase in DDoS activity. The majority of recent very large attacks leverage a reflection amplification technique using the Network Time Protocol (NTP), Simple Service Discovery Protocol (SSDP) and DNS servers, with large numbers of significant attacks being detected all around the world.
Reflection amplification is a technique that allows an attacker to both magnify the amount of traffic they can generate, and obfuscate the original sources of that attack traffic. This technique relies on two unfortunate realities: firstly, many service providers still do not implement filters at the edge of their network to block traffic with a ‘forged’ (spoofed) source IP address; secondly, there are plenty of poorly configured and poorly protected devices on the Internet providing UDP services that offer an amplification factor between a query sent to them and the response which is generated.
Arbor’s data is gathered through ATLAS, a collaborative partnership with more than 330 service provider customers who share anonymous traffic data with Arbor in order to deliver a comprehensive, aggregated view of global traffic and threats. ATLAS collects statistics that represent 120Tbps of Internet traffic and provides the data for the Digital Attack Map, a visualization of global attack traffic created in collaboration with Google Ideas.
Other global Q1 2015 DDoS attack stats of note:
- An example of how attackers are constantly changing their techniques, SSDP reflection attacks are up dramatically year-over-year: 126,000 monitored in Q1 2015 versus 3 reported in Q1 2014
- Attacks are shorter but pack a punch: Majority of attacks are short-lived, approximately 90% last less than 1 hour
“Attacks that are significantly above the 200Gbps level can be extremely dangerous for network operators and can cause collateral damage across service provider, cloud hosting and enterprise networks,” said Darren Anstee, Director, Solutions Architects, for Arbor Networks. “DDoS attacks continue to evolve. Not only have volumetric attacks grown significantly in size and frequency over the past 18 months, application-layer attackers are also still pervasive. In order to deal with the full scope of the modern DDoS threat we strongly recommend a multi-layered defense, one that integrates on-premise protection against application-layer attacks with cloud-based protection against higher magnitude Volumetric attacks. Only then is an organization fully protected from DDoS attacks today.