BURLINGTON, Mass.--(BUSINESS WIRE)--Arbor Networks Inc., the security division of NETSCOUT (NASDAQ: NTCT), today released global distributed denial-of-service (DDoS) attack data for the first six months of 2016, which shows a continuing escalation in both the size and frequency of attacks.
Arbor’s data is gathered through the Active Threat Level Analysis System (ATLAS™), a collaborative partnership with more than 330 service provider customers who share anonymous traffic data with Arbor in order to deliver a comprehensive, aggregated view of global traffic and threats. ATLAS provides the data for the Digital Attack Map, a visualization of global attack traffic created in collaboration with Google Ideas. ATLAS data has also been utilized recently in Cisco’s Visual Networking Index Report and the Verizon Data Breach Incident Report.
GLOBAL DDOS ACTIVITY
DDoS remains a commonly used attack
type due to the ready availability of free tools and inexpensive online
services that allow anyone with a grievance and an internet connection
to launch an attack. This has led to an increase in the frequency, size
and complexity of attacks in recent years.
ATLAS has recorded:
- An average of 124,000 events per week over the last 18 months.
- A 73% increase in peak attack size over 2015, to 579Gbps.
- 274 attacks over 100Gbps monitored in 1H 2016, versus 223 in all of 2015.
- 46 attacks over 200Gbps monitored in 1H 2016, versus 16 in all of 2015.
- USA, France and Great Britain are the top targets for attacks over 10Gbps.
As Arbor’s Security Engineering & Response Team (ASERT) recently documented, large DDoS attacks do not require the use of reflection amplification techniques. LizardStresser, an IoT botnet was used to launch attacks as large as 400Gbps targeting gaming sites worldwide, Brazilian financial institutions, internet service providers (ISPs) and government institutions. According to ASERT, the attack packets do not appear to be from spoofed source addresses – and no UDP-based amplification protocols such as NTP or SNMP were used.
WHEN AVERAGE IS A PROBLEM
A 1 Gbps DDoS attack is large
enough to take most organizations completely offline.
- Average attack size in 1H 2016 was 986Mbps, a 30% increase over 2015.
- Average attack size is projected to be 1.15Gbps by end of 2016.
“The data demonstrates the need for hybrid, or multi-layer DDoS defense,” said Darren Anstee, Arbor Networks chief security technologist. “High bandwidth attacks can only be mitigated in the cloud, away from the intended target. However, despite massive growth in attack size at the top end, 80% of all attacks are still less than 1Gbps and 90% of attacks last less than one hour. On-premise protection provides the rapid reaction needed and is key against “low and slow” application-layer attacks, as well as state exhaustion attacks targeting infrastructure such as firewalls and IPS.”
A TIME FOR REFLECTION
Reflection amplification is a
technique that allows attackers to both magnify the amount of traffic
they can generate, and obfuscate the original sources of that attack
traffic. As a result, the majority of recent large attacks leverage this
technique using DNS servers, Network Time Protocol (NTP), Chargen and
Simple Service Discovery Protocol (SSDP).
As a result, in 1H 2016:
- DNS is the most prevalent protocol used in 2016, taking over from NTP and SSDP in 2015.
- Average size of DNS reflection amplification attacks is growing strongly.
- Peak monitored reflection amplification attack size in 1H 2016 was 480Gbps (DNS).
About Arbor Networks
Arbor Networks, the security division
of NETSCOUT, helps secure the world’s largest enterprise and service
provider networks from DDoS attacks and advanced threats. Arbor is the
world’s leading provider of DDoS protection in the enterprise, carrier
and mobile market segments, according to Infonetics Research. Arbor
Networks Spectrum™ advanced threat solution delivers complete network
visibility through a combination of packet capture and NetFlow
technology, enabling the rapid detection and mitigation of attack
campaigns, malware and malicious insiders. Arbor strives to be a “force
multiplier,” making network and security teams the experts. Our goal is
to provide a richer picture into networks and more security context so
customers can solve problems faster and reduce the risks to their
business.
To learn more about Arbor products and services, please visit our website at arbornetworks.com or follow on Twitter @ArborNetworks. Arbor’s research, analysis and insight, together with data from the ATLAS global threat intelligence system, can be found at the ATLAS Threat Portal.
Trademark Notice: Arbor Networks, the Arbor Networks logo and ATLAS are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.