DDoS attack size up 50-fold over past decade
29 January 2015
The size of the largest DDoS attack was 50 times larger last year than 10 years ago, according to a new survey of Internet service and hosting providers, and attacks are also increasing in numbers and in sophistication.
The largest reported attack last year was 400Gb/s, compared to just 8Gb/s in 2004 – and 100Gb/s in 2010.
“The growth is not straight line,” said Gary Sockrider, solutions architect at Burlington, Mass.-based Arbor Networks, Inc. and the author of the report. “It’s more of a hockey stick.”
By comparison, the total bandwidth of the entire Internet grew 42-fold over the same period, according to data from Cisco, from an average of 570Gb/s in 2004 to 24,000Gb/s in 2014.
The growth of the Internet as a whole actually helps the attackers, Sockrider said, since the botnets can get larger.
“They have to come from somewhere,” he said.
But the number of defending organisations is also growing, and the bandwidth available to DDoS targets isn’t expanding at the same pace.
“There are not too many places on the planet where 400Gb/s of Internet traffic is aggregated in one location,” said Sockrider.
About two-thirds of the data centre operators who took part in this year’s survey said that they had experienced DDoS attacks – and 33% said the attacks exhausted their Internet bandwidth.
“But the bigger story is the massive increase in very large attacks,” he said. “In 2013, we saw less than 40 attacks that were more than 100Gb/s. In 2014, we saw 159 individual attacks over 100Gb/s, and five attacks over 200Gb/s.”
The attacks are also growing in sophistication, he said.
Ten years ago, volumetric attacks dominated. Today, there are also state exhaustion attacks and application layer attacks, as well as attacks that combine all three vectors.
“The result is to keep you down longer and make it harder to defend against attacks,” said Sockrider.
The purpose of the attacks has also changed, though the top three motivations have stayed the same over the past few years: politics and ideology, vandalism, and online gaming.
“It speaks to how easy these attacks have become to perpetrate,” he said. “We actually see instances where online gamers will DDoS the gaming infrastructure just to gain a competitive advantage in playing and winning an online game.”
But the use of DDoS attacks as a diversion to cover up other types of malicious activity has been growing, as have extortion and marketing.
For example, he said, DDoS attacks are increasingly seen in combination with advanced persistent threat campaigns.
“The campaign may have been going on for a long time, but at the point where they’re ready to exfiltrate the data – the DDoS attack comes,” he said. “It’s used as a diversion or distraction, so you don’t notice that they’re extracting the data.”
Extortion has moved up on the list, accounting for 20% of attack motivations this year, up from 15% last year.
Even more attacks – 28% – are motivated by the criminals using them for marketing, to demonstrate their capabilities to would-be customers.
“Organisations that offer DDoS for hire are giving free trials,” Sockrider said. “They’ll take someone down for five minutes just to prove that they can.”
DDoS attacks are also used to manipulate financial markets, to hurt competing businesses, or in disputes between rival criminal gangs.