The latest DDoS attacks are mostly multi-vector and morph over time

DDoS attacks continue to be an effective means to distract and confuse security teams while inflicting serious damage to brands, according to Neustar.

Also, when comparing Q1 2019 vs. Q1 2018, the company has registered a 200 percent increase of attacks on directly provisioned customers.

Report findings

The largest attack size observed by them in Q1 2019 was 587 Gbps in volume, and the longest duration for a single attack was nearly a day and a half.

DDoS attacks Q1 2019

Other interesting tidbits from the company’s latest cyber threats and trends report include:

  • Compared to the number from Q1 2018, there has been a 257% increase in attacks 5 Gbps and below and a 967% increase in attacks 100 Gbps and higher.
  • The majority of attacks in this period were 25 Gbps and below
  • The average attack intensity has decreased from 3.9 mpps (million packets per second) in Q1 2018 to 3.7 mpps in Q1 2019.

Multi-vector attacks dominate

77% of all the attacks Neustar mitigated in Q1 2019 used two or more vectors (roughly the same percentage as in Q1 2018), and none of the top attacks the company mitigated used only a single vector.

DDoS attacks Q1 2019

These different attack vectors include:

  • Volumetric attacks at Layer 3 or 4 (network and transport), which work by “flooding” targets with too much traffic
  • Protocol attacks, which are meant to overwhelm routers, firewalls, or load balancers within the target’s network (by exhausting their processing power). They are often limited in size to avoid detection and wreak damage for a long time.
  • Application layer attacks (Layer 7), in which attackers target servers, applications or APIs (e.g., Slowloris).

In this period Neustar also witnessed a new type of volumetric attack generally described as “carpet bombing.”

“Rather than aiming at a single IP address, this attack was instead directed at complete Classless Inter-Domain Routing (CIDR) blocks, or subnets,” the company noted. “By using DDoS methods aimed completely at subnets, rather than specific IP addresses, an attack is often more difficult to detect and mitigate. These attacks often feature multiple vectors and will switch between them as they migrate from subnet to subnet.”

Carpet bombing attacks are also often used by attackers as a smokescreen to hide an attack against a single target.