Larger, more complex, financially motivated DDoS attacks on the rise

DDoS attacks are becoming larger and more complex, and are perpetrated by cyber extortionists instead of hacktivists and vandals, the results of Arbor Networks’ 11th Annual Worldwide Infrastructure Security Report have revealed.

The report was compiled based on the responses of 354 security professionals and network operators from Tier 1 and Tier 2/3 service providers, hosting and mobile service providers, managed service and cloud service providers, and enterprises from around the world, and the data covers November 2014 through November 2015.

Top 5 DDoS Trends

The largest attack reported by a respondent was 500 Gbps, with others reporting attacks of 450 Gbps, 425 Gbps and 337 Gbps. In the 11 years of this survey, the largest attack size has grown more than 60X.

56 percent of respondents reported multi-vector attacks that targeted infrastructure, applications and services simultaneously, up from 42 percent last year. 93 percent reported application-layer DDoS attacks. The most common service targeted by application-layer attacks is now DNS (rather than HTTP).

Figure: Targets of application-level attacks

This year the top motivation was not hacktivism or vandalism but ‘criminals demonstrating attack capabilities,’ something typically associated with cyber extortion attempts. Among these are the antics of the Bitcoin extortionist group DD4BC, which has recently been hit by European law enforcement.

Figure: DDoS attack motivations

Two years ago, 19 percent of respondents saw attacks targeting their cloud-based services. This grew to 29 percent last year, and now to 33 percent this year – a clear upward trend. In fact, 51 percent of data center operators saw DDoS attacks saturate their Internet connectivity. There was also a sharp increase in data centers seeing outbound attacks from servers within their networks, up to 34 percent from 24 percent last year.

Firewalls continue to fail during DDoS attacks: More than half of enterprise respondents reported a firewall failure as a result of a DDoS attack. As stateful and inline devices, firewalls add to the attack surface and are prone to becoming the first victims of DDoS attacks as their capacity to track connections is exhausted. Because they are inline, they can also add network latency.

What are service providers and enterprises doing to protect themselves and their customers?

To respond to these threats, 57 percent of enterprises are looking to deploy solutions to speed up incident response processes. Among service providers, one-third reduced the time taken to discover an Advanced Persistent Threat (APT) in their network to under one week, and 52 percent stated their discovery-to-containment time has dropped to under one month.

The companies are also improving their incident response – 75 percent have developed formal incident response plans and dedicated at least some resources to responding to such incidents.

Still, they are more and more reliant on outside support: 50 percent of enterprises and 40 percent of service providers have contracted an external organization for incident response. Within service providers, 74 percent reported seeing more demand from customers for managed services.