DDoS attacks are continuing to grow in scale and frequency, and are increasingly being used to disguise other forms of cybercrime.
According to Arbor Networks' tenth Worldwide Infrastructure Security Report (WISR), the peak attack size seen on the internet in 2014 was around 400Gbps, up significantly from the 309Gbps reported in 2013.
These are massive volumes of traffic and, luckily, attacks of this magnitude are fairly rare – but what is interesting is how common large attacks have become.
Looking at data from Arbor's ATLAS system, 2013 saw 39 attacks over 100Gbps, mainly toward the end of the year. In 2014 that number grew to 159, a huge jump. These large attacks have predominantly been generated using reflection amplification techniques that leverage DNS, NTP or SSDP: the attacker sends small requests with a spoofed source address (the victim's) to open servers on the internet, and those servers answer the victim with responses many times larger than the requests, so a modest botnet can produce hundreds of gigabits per second without owning that bandwidth.
DNS reflection amplification has been a key way for attackers to generate large DDoS attacks for many years, but 2014 saw attackers adopt NTP and SSDP in a big way. These are just two of the protocols that offer reflection amplification, so we may well see others used this year to generate more large attacks.
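The reflection pattern described above has a recognisable signature in flow data: many distinct source IPs all answering from the same service port (53, 123 or 1900) to one destination, with large average packet sizes, while the victim itself never sent the matching requests because they were spoofed. The following Python is an added example, not code from the article or from Arbor's ATLAS or WISR tooling; the flow records, IP ranges and thresholds are constructed for illustration and would need tuning against a real network's baseline.

```python
"""Flag likely UDP reflection/amplification floods in NetFlow-style records.

Added example for this article; the records below are constructed, not captured.
"""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    octets: int


# Reflection services named in the article, keyed by the UDP port a reflector
# answers from. Other amplifiable services (e.g. chargen, SNMP) can be added.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}


def detect_reflection(flows, min_reflectors=20, min_avg_bytes=300,
                      max_request_ratio=0.05):
    """Return one finding per (victim, service) that looks like a reflection flood.

    Heuristics (assumed thresholds, tune per network):
      * many distinct reflector source IPs answering from the same service
        port to a single destination,
      * large average packet size (amplified responses, not small queries),
      * little or no outbound request traffic from the victim to that port,
        because the requests were spoofed and the victim never sent them.
    """
    inbound = defaultdict(list)        # (dst_ip, service_port) -> flows into victim
    outbound_octets = defaultdict(int)  # (src_ip, service_port) -> bytes host sent
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.src_port in REFLECTOR_PORTS:
            inbound[(f.dst_ip, f.src_port)].append(f)
        if f.dst_port in REFLECTOR_PORTS:
            outbound_octets[(f.src_ip, f.dst_port)] += f.octets

    findings = []
    for (victim, port), fl in inbound.items():
        reflectors = {f.src_ip for f in fl}
        packets = sum(f.packets for f in fl)
        octets = sum(f.octets for f in fl)
        avg_bytes = octets / packets if packets else 0.0
        requests = outbound_octets.get((victim, port), 0)
        request_ratio = requests / octets if octets else 0.0
        if (len(reflectors) >= min_reflectors and avg_bytes >= min_avg_bytes
                and request_ratio <= max_request_ratio):
            findings.append({
                "victim": victim,
                "service": REFLECTOR_PORTS[port],
                "reflectors": len(reflectors),
                "packets": packets,
                "bytes": octets,
                "avg_bytes": avg_bytes,
                "request_ratio": request_ratio,
            })
    return sorted(findings, key=lambda x: -x["bytes"])


def sample_flows():
    """Constructed records using RFC 5737 documentation address ranges."""
    flows = []
    # Constructed: NTP reflection against 203.0.113.10 from 40 reflectors,
    # 468-byte responses, no corresponding outbound NTP requests.
    for i in range(1, 41):
        flows.append(Flow(f"198.51.100.{i}", 123, "203.0.113.10",
                          40000 + i, "UDP", 250, 250 * 468))
    # Constructed: legitimate DNS between a client and one upstream resolver;
    # the client's own queries are visible, so it is not flagged.
    flows.append(Flow("203.0.113.20", 51234, "192.0.2.53", 53, "UDP", 120, 120 * 70))
    flows.append(Flow("192.0.2.53", 53, "203.0.113.20", 51234, "UDP", 120, 120 * 180))
    # Constructed: ordinary TCP traffic, ignored by the UDP-only checks.
    flows.append(Flow("203.0.113.30", 443, "198.51.100.200", 52222, "TCP", 40, 30000))
    return flows


if __name__ == "__main__":
    for finding in detect_reflection(sample_flows()):
        print(finding)
```

The outbound request ratio is what separates a reflection flood from a busy but legitimate resolver client: a real client's queries appear in the flow data, whereas a victim of spoofed reflection sees only answers. On a production collector the same logic should run per time window so that the reflector count and byte totals reflect a rate rather than an all-time sum.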
What is especially concerning about the proliferation of these large volumetric attacks is the possibility of collateral damage within service provider or data-centre networks.
Large attacks can cause slowdowns and service outages for multiple customers sharing the same infrastructure: in this year's WISR, over a third of enterprise respondents and over a third of data-centre operators reported attacks that saturated their Internet connectivity.
That awareness and, unfortunately, first-hand experience are driving growing demand for service provider and cloud-based DDoS protection services, again visible in the WISR data. Such upstream services are needed to deal with attacks whose volume exceeds an organisation's own connectivity, ideally as one layer of a layered defence rather than the only one.
Secondly, DDoS attacks are increasingly being used as part of broader attack campaigns. Many people associate DDoS with ideological hacktivism and online gaming as attacks in these areas have seen a lot of press coverage.
What is interesting, though, is that DDoS is increasingly being used as a ‘tool’ by attackers to distract security teams, either from data theft or financial fraud.
In this year’s WISR, 19% of service provider respondents saw distraction from data-theft as a common or very common motivation behind attacks – and numerous other studies have also called this out recently.
Organisations need to be aware that a DDoS attack can be an indicator that something else is afoot and should raise their security posture accordingly, especially if there is no other obvious motive for attack.
Finally, this year we will almost certainly continue to see large organisations that have invested in multiple layers of security being breached. 2014 saw an unprecedented number of organisations lose huge amounts of data, and 2015 looks to be continuing that trend.
The US health insurer Anthem’s recent breach is an example of this. The traditional perimeter-focused, event-driven security processes are simply not cutting it against the tools and persistence of today’s bad actors.
Organisations need to find tools that allow them to speed up the process of investigating an alert, so that security teams can improve their coverage. This year will also start to see more organisations augmenting their traditional event-driven IR processes with a hunting function that proactively looks for threats targeting critical assets. This has been talked about for a while now but is starting to gain more momentum, especially in larger organisations.
We don’t know for certain what will happen this year, but organisations can learn from what others have seen. By making sure they keep up to date on the threats that are out there and understanding how available solutions and resources can be best used to address those threats, they can minimise risks. Nothing is guaranteed, but knowledge is power in the fight against cyber threats.