The DDoS threat continues to increase – 20 Gbps no longer uncommon

18 October 2012

In Q3 2012 the average size of a DDoS attack increased by around 11% to 4.4 Gbps, the average duration rose slightly from 17 to 19 hours, and the total number of attacks declined by 14%.

These are the main findings of the latest Prolexic analysis of DDoS attacks. Despite the slight rise in the duration of attacks and the fall in their number, the company believes this is a temporary blip that doesn’t alter the general trend of more frequent and more powerful, but shorter-lasting, attacks. For example, although the total number of attacks was down slightly from Q2 2012, it still shows an increase of 88% over Q3 2011. Similarly, although the duration increased from 17 hours to 19 hours, it is down from 33 hours in Q3 2011.

The year-on-year comparison is most startling, however, in the attack bandwidth: the latest figures show an annual increase of 230%. In fact, during Q3 2012 Prolexic dealt with seven separate attacks in excess of 20 Gbps. “Last year, a DDoS attack in excess of 20 Gigabits per second was notable, but today it seems commonplace,” commented Stuart Scholly, president of Prolexic. “To put this in perspective, very few enterprises in the world have a network infrastructure with the capacity to withstand bandwidth floods of this size.”

One interesting feature of the last quarter was a distinct spike during week 9/9, which alone accounted for 41% of September’s total attacks and 15% of the quarter’s attacks. Prolexic makes no comment on whether the anniversary of 9/11 may be the cause, despite US-sourced attacks increasing from less than 9% in Q2 to more than 27% in Q3. It does, however, suggest that the surprise inclusion of the UK at number 8 in the top ten DDoS source countries (with 3.69% of the total) may have something to do with the London Olympics. China remains the leading source country, with its overall percentage increasing slightly from 33.75% in Q2 to 35.46% in Q3 (but down from 55.2% in Q3 2011).

Layer 3 and Layer 4 infrastructure DDoS attacks were by far the most popular class of attack in the last quarter, accounting for around 80% of the total. Application Layer 7 attacks made up the remainder. The five most frequent attack methods were SYN floods (23.53%), UDP floods (19.63%), ICMP floods (17.79%), GET floods (13.50%), and UDP fragment floods (9.00%). However, Prolexic also observed some uncommon attack types during this period, including SYN PUSH, FIN PUSH, and RIP floods. “In the attacks Prolexic mitigated, RIP floods were utilized in a reflection attack,” said Scholly. “RIP is a legacy routing protocol not typically used as a DDoS attack vector. The inclusion of unexpected protocols in attack campaigns highlights the continued evolution and threat of DDoS toolkits.”

The total number of tracked attack types now stands at 18. “What this illustrates,” added Scholly, “is the continued desire of attackers to search for new ways to deliver payloads against targets and bypass standard mitigation techniques.”
