Attacks/Breaches

3/15/2018
08:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Are DDoS Attacks Increasing or Decreasing? Depends on Whom You Ask

Details on DDoS trends can vary, depending on the reporting source.

Distributed denial-of-service (DDoS) attacks remain unpredictable and dangerous for enterprises, but actual details on how the threat is evolving can differ substantially by the reporting source.

Two reports released this week, one by Verisign and the other from Nexusguard, are good examples. Both vendors reported a general increase in multivector attacks and an overall decrease in the number of DDoS attacks in the fourth quarter of 2017 compared to the prior quarter but differed on the details based on data gathered from their customer engagements.

Nexusguard reported a 12% decrease in DDoS attacks between the fourth quarter of 2016 and the same quarter in 2017, and a more than 16% drop in attacks between the third and fourth quarters last year. Verisign pegged the decrease in DDoS attacks during the same period at a somewhat higher 25% and said the number of attacks has continued to decrease from quarter to quarter.

Nexusguard says multivector, blended threats represented some 56% of recorded attacks last quarter while single-vector attacks accounted for just over 43%. Two-vector attacks — such as those combining UDP and DNS — accounted for nearly 33% of all multivector accounts, while three-vector attacks accounted for about 15%, according to Nexusguard.

Verisign, meanwhile, says a massive 82% of the DDoS attacks it mitigated in the fourth quarter of last year employed multiple attack types. While Nexusguard had two-vector attacks as the most common multivector attack type, Verisign says 46% of multivector attacks it encountered involved five or more attack types.

The largest DDoS attack that Verisign dealt with last quarter topped out at 53 Gbps, while Nexusguard said the largest one it encountered weighed in at over 231 Gbps. Both vendors had roughly the same estimates for average peak attack sizes, with a substantial proportion falling under 10 Gbps. Verisign, however, noted a 32% year-over-year decrease in the average of attack peak sizes.

For Nexusguard, one key takeaway from its observations last quarter was the sharp increase in amplification attacks involving DNSSEC-enabled servers. Nexusguard says the number of DNS reflection attacks in the fourth quarter of 2017 soared nearly 110% over the preceding quarter, while DDoS attacks using DNS amplification increased nearly 358% compared with the fourth quarter of 2016.

The decrease in DDoS attacks during the fourth quarter of 2017 that both Verisign and Nexusguard reported is somewhat at odds with report from other vendors. Martin McKeay, global security advocate and lead author of Akamai's recently released State of the Internet Security Report, for instance, says DDoS attack volumes have only increased over the past few years.

"Akamai saw an almost identical number of attacks in Q4 2017 vs. Q3 2017, though the number of attacks had grown by 14% since the same time in 2016," he says. "From what we've seen, the number of attacks has been relatively steady quarter over quarter recently, and has grown significantly year over year for as long as we've been tracking the count of attacks."

The same is true of attack sizes, he says. "While we'd seen a general downward trend throughout 2016 in the median size of attacks from slightly over 1 Gbps, that trend changed in the second half of the year, to climb back to a median attack size of 750 Mbps," he says.

Similarly, Akamai has not seen a significant increase in attacks involving DNS- and DNSSEC-enabled domains. McKeay says DNS and DNSSEC have been a component of approximately 25% of the attacks Akamai has seen for several years.

Ashley Stephenson, CEO of Corero, has similar views on DDoS trends and says he hasn't seen anything to suggest a recent decline in number of attacks. Like McKeay, Stephenson says Corero hasn't observed the sharp increase in DNSSEC amplification attacks that Nexusguard reported, though he agrees that multivector attacks have become more common.

The differences in reports, according to Stephenson, have a lot to do with how and where the data is captured and even with how different organizations define DDoS attacks. For an organization in the online gaming industry, for instance, traffic of something in the 500 Mbps to 1 Gbps range could be enough to constitute a DDoS attack. "An attack of that size is not going to be significant to a large financial institution or a bank that has a large data center," and probably wouldn't be counted as a DDoS attack.

Average attack size can also often be misleading, says McKeay. In many cases, one or two large attacks can easily throw reporting out of balance, which is why it is better to track median attack size instead, he says. "Large attacks, or a lack of, can easily skew an average attack-size metric, making the number unreliable."

Where the attack is measured can make a big difference as well. Attacks that are measured close to the source will be substantially larger than attacks that are measured close to the destination or target — sometimes by a 10-to-1 factor, Stephenson says.

A content delivery network, for instance, might measure the source of an attack, but the reality is that a lot of the traffic at the source will never get to the destination, he says. Similarly, a service provider might report on DDoS traffic from somewhere in the middle, away from the source and the destination, and the numbers they observe will be different from the numbers at the destination. So, while you might have terabits of data at the origin, what comes out at the other end of the funnel can be much smaller, Stephenson says.

"Ultimately, if you are an enterprise you have to be most concerned about what impacts you," Stephenson says.

Related Content:

 

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry's most knowledgeable IT security experts. Check out the Interop ITX 2018 agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12242
PUBLISHED: 2018-09-19
The Symantec Messaging Gateway product prior to 10.6.6 may be susceptible to an authentication bypass exploit, which is a type of issue that can allow attackers to potentially circumvent security mechanisms currently in place and gain access to the system or network.
CVE-2018-12243
PUBLISHED: 2018-09-19
The Symantec Messaging Gateway product prior to 10.6.6 may be susceptible to a XML external entity (XXE) exploit, which is a type of issue where XML input containing a reference to an external entity is processed by a weakly configured XML parser. The attack uses file URI schemes or relative paths i...
CVE-2018-14792
PUBLISHED: 2018-09-19
WECON PLC Editor version 1.3.3U may allow an attacker to execute code under the current process when processing project files.
CVE-2018-16607
PUBLISHED: 2018-09-19
Cross-site scripting (XSS) vulnerability in the Orgs Page in Open-AudIT Professional edition in 2.2.7 allows remote attackers to inject arbitrary web script via the Orgs name field.
CVE-2018-16785
PUBLISHED: 2018-09-19
XML injection vulnerability exists in the file of DedeCMS V5.7 SP2 version, which can be utilized by attackers to create script file to obtain webshell