These are the main findings of the latest Prolexic analysis of DDoS attacks. Despite the slight rise in the duration of the attacks and fall in the number of attacks, the company believes this is a temporary blip that doesn’t alter the general trend of more frequent and more powerful, but shorter lasting attacks. For example, although the total number of attacks was down slightly from Q2 2012, it still shows an increase of 88% over Q3 2011. Similarly, although the duration increased from 17 hours to 19 hours, it is down from 33 hours in Q3 2011.
The year on year comparison is most startling, however, in the attack bandwidth: the latest figures show an annual increase of 230%. In fact, during Q3 2012 Prolexic dealt with seven separate attacks in excess of 20 Gbps. “Last year, a DDoS attack in excess of 20 Gigabits per second was notable, but today it seems commonplace,” commented Stuart Scholly, president of Prolexic. “To put this in perspective, very few enterprises in the world have a network infrastructure with the capacity to withstand bandwidth floods of this size.”
One interesting feature of the last quarter was a distinct spike during week 9/9, which alone accounted for 41% of September’s total attacks and 15% of the quarter’s attacks. Prolexic makes no comment on whether the anniversary of 9/11 may be the cause, despite US sourced attacks increasing from less than 9% in Q2 to more than 27% in Q3. It does, however, suggest that the surprise inclusion of the UK at number 8 in the top ten DDoS source countries (with 3.69% of the total) may have something to do with the London Olympics. China remains the leading source country with its overall percentage increasing slightly from 33.75% in Q2 to 35.46% in Q3 (but down from 55.2% in Q3 2011).
Layer 3 and Layer 4 infrastructure DDoS attacks were by far the most popular class of attack in the last quarter, accounting for around 80% of the total. Application Layer 7 attacks made up the remainder. The five most frequent attack methods were SYN floods (23.53%), UDP floods (19.63%), ICMP floods (17.79%), GET floods (13.50%), and UDP fragment floods (9.00%). However, Prolexic also observed some uncommon attack types during this period, including SYN PUSH, FIN PUSH, and RIP floods. “In the attacks Prolexic mitigated, RIP floods were utilized in a reflection attack,” said Scholly. “RIP is a legacy routing protocol not typically used as a DDoS attack vector. The inclusion of unexpected protocols in attack campaigns highlights the continued evolution and threat of DDoS toolkits.”
The total number of tracked attack types now stands at 18. “What this illustrates,” added Scholly, “is the continued desire of attackers to search for new ways to deliver payloads against targets and bypass standard mitigation techniques.”