Date: 2017-06-19

As DDoS attacks grow in prevalence and size, Dan Raywood explores whether protection is keeping pace with a threat that has already trapped some of the biggest targets across the globe

The distributed denial of service (DDoS) attack is a modern means of silencing an opponent. Whether that opponent is a government, a business, a journalist or even a rival, the capability is there to stop the other entity from existing, even if just for a short while.

From the beginnings of DDoS with the 1996 attack on the Public Access Networks Corporation (Panix) ISP, through the 2007 DDoS attacks that hit Estonia, to the Anonymous campaigns against those who would not provide financial support to Julian Assange and WikiLeaks, DDoS has been a weapon of choice for the modern activist who chooses to silence those who do not support the same cause.

For some time, the DDoS attack was about megabytes of traffic. The turning point was the attack on Spamhaus in 2013, which reportedly measured 300 Gbps. Described as the “attack that almost broke the internet” by CloudFlare, it changed the face of DDoS to what we know now in terms of size and capability. Now, according to Akamai’s Fourth Quarter, 2016 State of the Internet Report, attacks greater than 100 Gbps increased 140% year-on-year from Q4 2015.

It also reported that the largest DDoS attack in Q4 2016, which peaked at 517 Gbps, came from Spike, a traditional botnet that has been around for more than two years. Add to this the attack on DNS provider Dyn in September that was measured at 1.2 Tbps, and the attack a day earlier on the website of security journalist Brian Krebs which was measured at 620 Gbps.

Putting aside the Spamhaus attack, which was an anomaly for its time, the sudden rise in size of DDoS attacks has come as a surprise. Krebs claimed that the attack that took his website offline was “according to Akamai, nearly double the size of the largest attack they’d seen previously, and was among the biggest assaults the internet has ever witnessed.”

In the case of the attack on Dyn, this was a Name Server DDoS attack, where attackers focused on name servers to prevent web addresses from resolving. According to Igal Zeifman, security evangelist at Imperva for the Incapsula product line, this is accomplished by using DNS floods against servers, or by attacking the network infrastructure of DNS service providers. He claims that the “significant increase in attack sizes over the past 18 months” has seen them swell to half a terabit per second.

Are We Keeping Up?

If attacks have suddenly increased, is the protection keeping pace? Neustar’s Barrett Lyon, who previously founded ‘always-on’ DDoS protection vendor Prolexic, says the problem is not with technology, as that generally remains the same, but more about how high you can push the defenses.

Speaking to Infosecurity, Sean Newman, director of product management for Corero Network Security, explains that DDoS has been driven by amplification attacks ever since attackers realized that they could abuse the protocols that make the internet work and turn a small amount of traffic into a large amount of traffic.

“Apart from Mirai, pretty much all of the big attacks have been driven by amplification and reflection techniques, which were using and abusing protocols like DNS, or NTP”, he says.

Newman said that DDoS attacks abusing network time protocol (NTP) can deliver an attack of up to 1000 times the traffic being sent to the target, if the attacker can find an open server with that sort of capability. “We still see DNS get used and it is a 50+ multiplier, but nothing like with NTP.”
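Seen from the defender's side, the reflection traffic Newman describes arrives as UDP responses from many servers' source port 53 (DNS) or 123 (NTP), all aimed at one address. The sketch below is an added example, not part of the original article; the flow-record layout, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Protocols the article names as abused for reflection, keyed by their standard UDP port.
REFLECTION_PORTS = {53: "DNS", 123: "NTP"}


def sample_flows():
    """Constructed flow records: (src_ip, src_port, dst_ip, proto, bytes)."""
    flows = [
        ("192.0.2.53", 53, "203.0.113.20", "udp", 512),        # ordinary DNS answer
        ("192.0.2.123", 123, "203.0.113.30", "udp", 76),       # ordinary NTP reply
        ("192.0.2.80", 443, "203.0.113.10", "tcp", 5_000_000), # large but not reflection
    ]
    # 40 distinct NTP servers all answering to one victim address.
    for i in range(1, 41):
        flows.append((f"198.51.100.{i}", 123, "203.0.113.10", "udp", 48_000))
    return flows


def find_reflection_targets(flows, min_sources=20, min_bytes=1_000_000):
    """Return {(dst_ip, service): (distinct_sources, total_bytes)} for
    destinations receiving reflected-looking UDP from many servers.
    The thresholds are illustrative assumptions, not tuned values."""
    sources = defaultdict(set)
    volume = defaultdict(int)
    for src_ip, src_port, dst_ip, proto, nbytes in flows:
        service = REFLECTION_PORTS.get(src_port)
        if proto != "udp" or service is None:
            continue  # only responses from DNS/NTP service ports are of interest
        key = (dst_ip, service)
        sources[key].add(src_ip)
        volume[key] += nbytes
    return {
        key: (len(sources[key]), volume[key])
        for key in sources
        if len(sources[key]) >= min_sources and volume[key] >= min_bytes
    }


if __name__ == "__main__":
    for (dst, service), (count, total) in find_reflection_targets(sample_flows()).items():
        print(f"{dst}: {total} bytes of {service} responses from {count} servers")
```

Counting distinct sources as well as bytes is what separates a reflection flood from a single busy resolver or time server, which would pass a volume-only check.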

Asked whether he feels there has been a sudden increase in the size of attacks and if the capability has always been there, he says he is not convinced that there has been an increase in capacity, but just that DDoS “came back into fashion.”

“Over time bandwidth has gone up so you need more power for the attack in the first place,” he argues. “Go back 20 years and computers were much less powerful, so it would be hard to generate enough power.”