Arbor Networks’ ATLAS® Data Shows Reflection DDoS Attacks Continue to be Significant in Q3 2014
October 2014 by Arbor Networks
Arbor Networks Inc. released global DDoS attack data for Q3 2014 showing a remarkable increase in Simple Service Discovery Protocol (SSDP) reflection attacks. Arbor monitored very few attacks using SSDP as a reflection mechanism in Q2, but nearly 30,000 attacks with this source port in Q3 alone, with one such attack reaching 124Gbps. The data confirms what Arbor has called The Hockey Stick Era, with a continuing trend towards large volumetric attacks, a consistent theme throughout 2014.
Arbor’s data is gathered through ATLAS, a collaborative partnership with nearly 300 service provider customers who share anonymous traffic data with Arbor in order to deliver a comprehensive, aggregated view of global traffic and threats. ATLAS collects statistics that represent 90Tbps of Internet traffic and provides the data for the Digital Attack Map, a visualization of global attack traffic created in collaboration with Google Ideas.
“Everyone is aware of the huge storm of NTP reflection DDoS attacks in Q1 and early Q2, but although NTP reflection is still significant there isn’t as much going on now as there was – unfortunately, it is looking more and more like SSDP will be the next protocol to be exploited in this way. Organizations should take heed and ensure that their DDoS defense is multi-layered, and designed to deal with both attacks that can saturate their connectivity, and more stealthy, sophisticated application layer attacks,” said Arbor Networks Director of Solutions Architects Darren Anstee.
DDoS in Q3 2014 — ATLAS key findings:
Significant growth in use of SSDP for reflection attacks in Q3; 4% of all attacks and 42% of all attacks greater than 10Gbps appeared to use SSDP reflection in Q3.
NTP reflection attacks still significant, but continuing to fall away proportionally (post the Q1 storm); however, over 50% of all attacks greater than 100Gbps were still NTP reflection attacks.
Very large volumetric attacks far more frequent than in the past, with 133 attacks over 100Gbps this year so far.
Average monitored attack in Q3 was 858.98Mbps; peak attack of 264.6Gbps. Q3 saw 16.5% of all attacks above 1Gbps, up from 15.3% in Q2. Proportion of events lasting less than 1 hour is gradually increasing, now at 91.2%
Ranking sources for events larger than 10Gbps: U.S. (7.6%), China (5.9%), Brazil (1.1%)
Ranking destinations for events larger than 10Gbps: U.S. (17.6%), France (10.8%), Denmark (8.4%)