New records are set for DDoS attacks every year it seems, and 2018 is no different.
Average attack size has grown and attackers are finding better ways of amplifying their impact, according to the NETSCOUT Threat Intelligence Report 1H 2018.
The report highlights DDoS attack trends and statistics, and much of its data is from the company’s Active Threat Level Analysis System (ATLAS).
ATLAS participants include about 90% of tier 1 service providers and its data represents about one-third of all internet traffic, according to the report.
With such a rich set of data to mine, what gems did researchers uncover? Find out below.
When a massive DDoS attack hit code-hosting site Github on Feb. 28, traffic peaked at 1.3 terabytes per-second, setting a new record for attack size.
The record was broken five days later.
On Mar. 5, a US-based “wired telecommunication carrier” received a massive wave of traffic hitting 1.7 terabytes per second and shattering the previous record by nearly a third.
Two years ago, the record was less than half this size, set by an attack that knocked out the BBC’s website and hit 602 gigabytes per second.
Memcached / Memcrashed
Both the 2018 attacks leveraged misconfigured Memcached systems for amplification.
Memcached is an open-source caching utility used to accelerate load times on networks and websites.
Though not intended as a public utility, at the time of the attacks, about 17,000 servers were shown to have Memcached publicly exposed and vulnerable.
In an attack, the victim’s UDP address is spoofed on requests sent to vulnerable Memcached servers. This triggers an exponentially greater response sent to the intended victim.
A 15-byte request can trigger a response of 750KB, according to research by Cloudflare, who first reported the spike attacks.
That’s an amplification factor of 50,000X.
At the time of the attacks, the report’s authors note about 17,000 servers were found with vulnerable Memcached deployments. Thankfully, by June, more than 95% of were resolved and only 550 remained.
Telecommunications providers and cloud hosting services were the most targeted for DDoS attacks in the first half of 2018, according to the report.
Note that the record-breaking DDoS attack described above hit a US-based company in the first vertical shown below.
Wired Telecommunications Carriers
Data Processing, Hosting, Etc.
Wireless Telecommunications Carriers
Though not in the top five, the ecommerce vertical is seeing more attacks this year with “electronic shopping & mail-order houses” coming in at number-seven spot on the report’s top 10.
Also, an organization in the “non-traditional telecommunications” vertical, which came in at number eight on the list, suffered an attack peaking at 600 Gbps. This is several-hundreds of Gbps larger than the top attacks in all other verticals except one.
When two-record setting attacks are recorded nearly back-to-back, you can expect a jump in the average attack size for the period.
DDoS attacks were 37% larger on average in the first six months of 2018 compared to the same period last year, according the report.
The number of attacks peaking greater than 300 Gbps jumped by more than 500%, up from just 7 in the first half of 2017 to 47 in 2018.
Unfortunately, the report does not list the average size, just the increase.
But Verisign’s DDoS Trends Report, published earlier this year, lists average peak DDoS attack size at 11.2 Gbps. Note: the two reports are based on very different data.
While the record-breaking attacks mentioned earlier helped fuel the growth in average attack size, they were not the only contributing factors.
Attacks peaking over 300 Gbps, 400 Gbps, and 500 Gbps were far more common in the first half of 2018 than the year prior, as shown in the chart below.
Of the 47 attacks peaking at over 300 Gbps, nearly 75% (35 total) were against systems in the Asia Pacific region, according to the report.
While attacks continue to grow stronger, the report also has good news.
The number of DDoS attacks declined 13% in the first half of 2018 compared the same period last year.
While not a huge percentage, the report suggests more than 400,000 DDoS attacks are recorded every month worldwide. A 13% drop across six months equates to tens-of-thousands fewer attacks this year.
DDoS Attacks 101: Types, targets, and motivations
Top 8 Network Attacks by Type in 2017
3 Common DNS Attacks and How to Fight Them