DDoS Attacks Getting Bigger, Report Finds

Distributed denial-of-service attacks have become a staple in the arsenal of cyber attackers, and new research shows the average size of a DDoS attack is on the rise.

According to security firm Arbor Networks, nearly half (46.5%) of attacks are now larger than 1 Gbps, an increase of 13.5% from 2012. In the first half of this year, there has been more than double the total number of attacks of more than 20 Gbps than there were in all of last year. In addition, the proportion of attacks in the 2- to 10-Gbps range has more than doubled as well, from 14.78% to 29.8%.

Arbor's findings are based on traffic data the company collected anonymously from more than 270 service providers.

"The fact that an average attack is now over the 2-Gbps threshold means that it can saturate the Internet connectivity of a high proportion of businesses," Darren Anstee, solutions architect at Arbor Networks, said in an interview.

This increase in size can be attributed to a number of factors, he added.

"Internet connectivity and the capabilities of computers have increased, meaning that individual compromised hosts can generate more attack traffic. And there are many botnets with significant capability out there," Anstee said. "On the other hand, many businesses have upgraded their Internet connectivity, which has led to attackers having to generate more attack traffic to achieve their goals."

Chris Camejo, security consulting director with IT consultancy Integralis, said services that are likely to be targeted by DDoS attacks--such as public Web pages or customer-facing services--should not be located on the same network as other business-critical systems unless robust DDoS protection measures are in place.

However, there's a fundamental problem with a certain DDoS protection technique, he said. Camejo and Allison Nixon, who does pen testing and incident response at Integralis, plan to present a talk outlining fundamental flaws in cloud-based DDoS protection this week at the Black Hat security conference. According to Camejo, the core underlying issue is that DDoS protection services--or any other service that relies on DNS redirection in order to hide a server on the Internet--can be bypassed if the IP address of the hidden server can be found.

"This has been a known issue and what we are bringing to the table is a number of methods for identifying the hidden servers, as well as a script that can be used as a last resort to locate hidden servers by brute-force searches of entire IP ranges, up to and including the whole Internet," he told Network Computing.

One of the techniques for unmasking the hidden IP addresses is looking up related domain names and checking services that maintain historical DNS records. In some cases, DDoS protection services will actually drop into a bypass mode, directing traffic back to the hidden IP address if the DDoS attack exceeds a certain threshold. In addition, servers themselves can leak the hidden IP address information in HTTP authorization headers, overly helpful error messages or exposed configuration files, Camejo said. Essentially, anyone using a DNS-redirect based protection service is likely to be vulnerable, he added.
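The server-side leaks Camejo lists (authorization headers, error messages) can be checked from the defender's side by auditing your own site's responses for the origin address. The sketch below is an added example, not code from the article or the Black Hat talk; the addresses (documentation ranges), the provider range, the sample responses and the function names are all assumptions.

```python
import ipaddress
import re

# Constructed values from documentation address ranges; not from the article.
ORIGIN_IPS = {ipaddress.ip_address("203.0.113.10")}        # the "hidden" server
PROVIDER_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # protection service edge

# Dotted quad not embedded in a longer dotted number (e.g. a version string).
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")

def find_ips(text):
    """Yield each valid IPv4 address that appears in text."""
    for match in IPV4_RE.finditer(text):
        try:
            yield ipaddress.ip_address(match.group())
        except ValueError:  # e.g. 999.1.1.1
            continue

def audit_response(raw):
    """Return sorted (location, ip, finding) tuples for one raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    parts = [("status-line", status)]
    for line in header_lines:
        name, _, value = line.partition(":")
        parts.append(("header:" + name.strip().lower(), value))
    parts.append(("body", body))
    findings = set()
    for where, text in parts:
        for ip in find_ips(text):
            if ip in ORIGIN_IPS:
                findings.add((where, str(ip), "origin-leak"))
            elif not any(ip in net for net in PROVIDER_NETS):
                findings.add((where, str(ip), "review"))  # unexpected address
    return sorted(findings)

# Constructed sample responses, as fetched through the protection service.
RESP_AUTH = ('HTTP/1.1 401 Unauthorized\r\nVia: 1.1 198.51.100.7\r\n'
             'WWW-Authenticate: Basic realm="203.0.113.10"\r\n\r\nLogin required')
RESP_ERROR = ('HTTP/1.1 500 Internal Server Error\r\nVia: 1.1 198.51.100.7\r\n\r\n'
              '<address>Apache Server at 203.0.113.10 Port 80</address>')
RESP_CLEAN = 'HTTP/1.1 200 OK\r\nVia: 1.1 198.51.100.7\r\n\r\n<h1>Welcome</h1>'

if __name__ == "__main__":
    for name, raw in [("auth", RESP_AUTH), ("error", RESP_ERROR), ("clean", RESP_CLEAN)]:
        print(name, audit_response(raw))
```

Any `origin-leak` finding means the response itself discloses the address the DNS redirection is meant to hide; addresses inside the provider's own range are expected and ignored.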

"In-line and BGP routing-based DDoS protection services are not vulnerable to these techniques as they do not rely on keeping a public IP address secret and these are our preferred methods of mitigating these techniques," he said. "Unfortunately, there are requirements around both of these--a minimum IP range size for BGP routing and bandwidth capacity for in-line filtering--that many smaller companies may not be able to afford."

As for general tips to mitigate DDoS, Arbor's Anstee suggests that organizations using online services restrict access to only the protocols and ports that are required, using hardware ACLs at the edge of the network.

"Avoid putting devices that maintain per session state at your network border, as these can be targeted by attacks--and when they fail, everything behind them in your network will become unreachable from the Internet," he said.
