Wise to attackers’ exploitation of the Network Time Protocol (NTP) vulnerability to create distributed reflection denial of service (DrDoS) attacks, information security executives thwarted these types of amplified assaults by patching weaknesses or making upgrades in their systems associated with the protocol, causing an 86 percent drop in the peak bit volume of NTP DrDoS attacks to 59 gigabits per second (Gbps) in Q2 2014.
In contrast, traditional multi-vector attacks against servers and websites have resurfaced as the most frequent, severe threat to enterprises and service providers, with a 140 percent increase in TCP SYN and HTTP GET types of attacks in the same period. Enterprises and operators are cautioned to protect against SYN flood attacks, which, although smaller in size, are highly effective and difficult to stop without purpose-built commercial DDoS mitigation hardware or services.
That warning was issued today via the Q2 2014 Threat Report by Black Lotus, which covers DDoS attack data between April 1 and June 30, 2014, shows that the company’s customers experienced a drop in the volume of total attacks by 40 percent, and attacks characterized as severe (having high traffic levels) decreased by 15 percent.
Beginning in March 2014, the patched or upgraded servers and diminishing returns of NTP DrDoS attacks that malicious parties encountered led to a drastic decrease in the maximum attack size quarter-over-quarter. Unlike the NTP DrDoS vector from Q1 2014, SYN floods target the service port, which makes it impossible to request assistance from upstream IP carriers or to block the attack on one’s own router.
Black Lotus expects attackers will continue to use DrDoS attacks whenever possible, resorting to non-amplification attacks when there are not enough vulnerable systems available to exploit.
The report findings also show that:
- The largest DDoS attack observed during the report period was on May 20. It was 59 Gbps and 29 millions of packets per second (Mpps), a sharp decline in volume due to NTP and other variants of amplification attacks becoming more difficult to execute after enterprises patched their systems.
- Of the 276,447 observed attacks, Black Lotus regarded 46,936 (17 percent) of them as severe, characterized by extreme traffic levels compared to the target’s typical traffic baseline.
- The average attack during the period reported was 2.9 Gbps and 1.4 Mpps, consistent with the previous quarter, indicating that networks must maintain a DDoS mitigation defense capable of at least 5 Gbps to safely defend against the majority of attacks.
- During the reporting period, 70.3 percent of severe attacks targeted servers and applications, most commonly HTTP servers and domain name services (DNS). Attacks on either application can result in site outages and are difficult to mitigate without professional assistance.