DDoS Attack Volume Skyrockets in Q1

2013 saw a rapid increase in network distributed denial of service (DDoS) attack volumes, which was facilitated by the adoption of attack methods like network time protocol (NTP) ampli?cation and large SYN ?oods. According to first-quarter statistics, that trend is set to continue, with additional application-layer botnet DDoS attacks ramping up too—to the tune of a 240% increase in traffic.

Large-scale is the name of the game for network-based DDoS. According to research from Incapsula, almost one in every three network-based DDoS attacks is above 20Gbps.
“As early as February 2013 we were able to track down a single-source 4Gbps attacking server, which – if ampli?ed – could alone have generated over 200Gbps in attack traf?c,” the company said in its report. “With such available resources it is easy to explain the uptick in attack volume we saw over the course of the year.”
The report noted that network-based attacks (Layer 3 & 4) were mainly caused by large SYN floods, which account for 51.5% of all large-scale attacks. That said, tactics could be changing: NTP re?ection was the most common large-scale attack method in February 2014.
A majority (81%) of network attacks are multi-vector threats, which increase the attacker’s chance of success by targeting several different networking or infrastructure resources. Almost 39% of attacks are using three or more different attack methods simultaneously. A combination of normal SYN ?ood and large SYN ?oods is the most popular multi-vector attack, accounting for 75% of them, the report found.
“Combinations of different offensive techniques are also often used to create ‘smokescreen’ effects, where one attack is used to create noise, diverting attention from another attack vector,” Incapsula said. “Moreover, multi-vector methods enable attackers to exploit holes in a target’s security perimeter, causing conflicts in automated security rules and spreading confusion among human operators.”
Meanwhile, unlike network DDoS attacks, application (Layer 7) attack sources can’t hide behind spoofed IPs. Instead, they resort to using Trojan infected computers, hijacked hosting environments and Internet-connected devices. Large groups of such compromised resources constitute a botnet; a remotely controlled “zombie army” that can be used for DDoS attacks and other malicious activities.
On average, Incapsula recorded over 12 million unique DDoS bot sessions on a weekly basis in the first quarter of the year, which represents an alarming 240% increase in bot traffic over the same period in 2013. About a fifth (21%) of botnets attack more than 50 targets a month.
More than 25% of all botnets are located in India, China and Iran.
“DDoS bots are designed for infiltration,” the report said. “To that end, spoofed user-agents are often used to bypass low-level filtering solutions, based on the assumption that these solutions will not filter out bots that identify themselves as search engine or browsers.”
The top five most commonly spoofed user-agents are Baidu and Googlebot impersonators, and variants of Microsoft IE browsers. When combined, these appear to be responsible for almost 85% of all malicious DDoS bot sessions.
And finally, in terms of emerging threats, the report also said that “hit-and-run” DDoS attacks, which were ?rst documented in April 2013, are part of another parallel trend of attacks that were speci?cally designed to exploit vulnerabilities in DDoS protection services and human IT operators.
“These attacks, which rely on frequent short bursts of traf?c, are speci?cally designed to exploit the weakness of services that were designed for manual triggering (e.g., GRE tunneling to DNS re-routing),” Incapsula said. “Hit-and-run attacks are now changing the face of anti-DDoS industry, pushing it towards always-on integrated solutions.”