DDoS Attacks Getting Bigger, Report Finds
July 31, 2013
Distributed denial-of-service attacks have become a staple in the arsenal of cyber attackers, and new research shows the average size of a DDoS attack is on the rise.
According to security firm Arbor Networks, nearly half (46.5%) of attacks are now larger than 1 Gbps, an increase of 13.5% from 2012. In the first half of this year, there has been more than double the total number of attacks of more than 20 Gbps than there were in all of last year. In addition, the proportion of attacks in the 2- to 10-Gbps range has more than doubled as well, from 14.78% to 29.8%.
- OpenStack: Blueprint for Deployment Success
- Datacenter Modernization: How Customers are Standardizing in Preparation for the Future
White PapersMore >>
Arbor's findings are based on traffic data the company collected anonymously from more than 270 service providers.
"The fact that an average attack is now over the 2-Gbps threshold means that it can saturate the Internet connectivity of a high proportion of businesses," Darren Anstee, solutions architect at Arbor Networks, said in an interview.
This increase in size can be attributed to a number of factors, he added.
"Internet connectivity and the capabilities of computers have increased, meaning that individual compromised hosts can generate more attack traffic. And there are many botnets with significant capability out there," Anstee said. On the other hand, many businesses have upgraded their Internet connectivity, which has led to attackers having to generate more attack traffic to achieve their goals."
Chris Camejo, security consulting director with IT consultancy Integralis, said services that are likely to be targeted by DDoS attacks-such as public Web pages or customer-facing services--should not be located on the same network as other business-critical systems unless robust DDoS protection measures are in place.
However, there's a fundamental problem with a certain DDoS protection technique, he said. Camejo and Allison Nixon, who does pen testing and incident response at Integralis, plan to present a talk outlining fundamental flaws in cloud-based DDoS protection this week at the Black Hat security conference. According to Camejo, the core underlying issue is that DDoS protection services --or any other service that relies on DNS redirection in order to hide a server on the Internet -- can be bypassed if the IP address of the hidden server can be found.
"This has been a known issue and what we are bringing to the table is a number of methods for identifying the hidden servers, as well as a script that can be used as a last resort to locate hidden servers by brute-force searches of entire IP ranges,up to and including the whole Internet," he told Network Computing.
One of the techniques for unmasking the hidden IP addresses is looking up related domain names and checking services that maintain historical DNS records. In some cases, DDoS protection services will actually drop into a bypass mode, directing traffic back to the hidden IP address if the DDoS attack exceeds a certain threshold. In addition, servers themselves can leak the hidden IP address information in HTTP authorization headers, overly helpful error messages or exposed configuration files, Camejo said. Essentially, anyone using a DNS-redirect based protection service is likely to be vulnerable, he added.
[See what else security researchers are up to this week in "9 Technologies Security Researchers Will Break At Black Hat"]
"In-line and BGP routing-based DDoS protection services are not vulnerable to these techniques as they do not rely on keeping a public IP address secret and these are our preferred methods of mitigating these techniques," he said. "Unfortunately, there are requirements around both of these--a minimum IP range size for BGP routing and bandwidth capacity for in-line filtering--that many smaller companies may not be able to afford."
As for general tips to mitigate DDoS, Arbor's Anstee suggests that organizations using online services restrict access to only the protocols and ports that are required, using hardware ACLs at the edge of the network.
"Avoid putting devices that maintain per session state at your network border, as these can be targeted by attacks--and when they fail, everything behind them in your network will become unreachable from the Internet," he said.