While the Network Time Protocol (NTP) DrDoS threats that became prevalent in early 2014 have been contained, new distributed reflected denial-of-service threats will lead to attacks in excess of 800 Gbps during the next 12 to 18 months.
That prediction comes from a new threat report by Black Lotus, which covers DDoS attack data between January 1 and March 31, 2014. It shows that service providers have been heavily impacted by security threats, including SQL injection attacks, NTP DrDoS attacks, and most recently Heartbleed. All of these threats have had profound effects on the ability of service providers to safely operate and protect their customers.
During the first quarter of 2014, novice attackers used DrDoS methods to bypass the DDoS defenses of well-prepared companies by targeting upstream carriers directly.
In January 2014, Black Lotus recorded several incidents in which tier 1 carriers in multiple U.S. regions were saturated due to DrDoS attacks, resulting in packet loss as high as 35 percent to customers that were not even targeted by the attacks. By February, the same carriers were better prepared for attacks that exceeded 400 Gbps, and they were able to stabilize their networks with minimal interruption to downstream customers.
Greater awareness of NTP DrDoS is critical, but service providers will have to add protections as attackers grow more sophisticated and attacks become more severe.
The report findings also show that:
- The largest DDoS attack observed during the report period was on February 10. It was 421 Gbps and 122 million packets per second (Mpps).
- Of the 463,621 observed attacks, Black Lotus regarded 90,313 (19.5 percent) of them as severe, characterized by extreme traffic levels compared to the target’s typical traffic baseline.
- The average attack during the period reported was 2.7 Gbps and 1.8 Mpps.
- During the reporting period, 50.3 percent of severe attacks targeted individual applications, most commonly HTTP servers and DNS. Attacks on either application can result in site outages and are difficult to mitigate without professional assistance.
Ameen Pishdadi, CTO at GigeNET, comments: “We have seen a significant increase in the size of attacks. Typically, we see attacks in the 1-5 Gb/s range; lately these attacks on average were around 20-30 Gb/s. Some of the larger attacks were well over 100 Gb/s. However, these attacks and sizes have slowed down significantly, as the operators of networks have finally decided to plug their NTP server holes, thus significantly reducing the amount of exploitable machines out there and in turn, the size of attacks has normalized again.”
“Historically, service providers have been able to operate without providing substantial security services to customers. That’s no longer viable, as threats proliferate and attackers find new ways to amplify the volume of their efforts,” said Jeffrey Lyon, founder of Black Lotus. “To protect themselves and their customers, service providers must now also become security providers by offering integrated hosting and security services such as DDoS mitigation, intrusion defense, incident response and remediation.”