The weaponization of Internet of Things (IoT) botnets helped fuel a 60% increase in the size of distributed denial of service (DDoS) attacks last year, Arbor Networks reports.
The largest of DDoS attack in 2016 peaked at 800 Gbps (gigabit per second), compared to only 500 Gbps in 2015, Arbor Networks’ 12th annual Worldwide Infrastructure Security Report (WISR) reveals. Over the past 5 years, the size of DDoS attacks went up 1,233%, but experienced a 7,900% increase when compared to the attacks registered in 2005.
According to the report, 558 of the DDoS attacks observed last year were over 100 Gbps (as opposed to 223 in 2015), while 87 of them exceeded 200 Gbps (only 16 did in 2015). With an average attack size up 23% year-on-year, the security firm estimates that we’ll see it reaching 1.2 Gbps by the end of 2017.
The emergence and weaponization of IoT botnets such as Mirai and Bashlite has resulted in a massive growth in DDoS attack size, revealing the raw power of IoT devices. An attack launched by the LizardStresser IoT botnet against Brazilian banks, telecoms and government last summer reached 400 Gbps without using any form of amplification or reflection, the security firm says.
“In 2016, IoT botnets emerged as a source of incredibly high volume DDoS attacks. So far these massive attacks have not leveraged reflection/amplification techniques. They are simply taking advantage of the sheer number of unsecured IoT devices that are deployed today,” the company notes in an infographic (PDF).
However, the increased attack activity on all reflection amplification protocols too has driven DDoS attack size upwards: used properly, reflection amplification allows attackers to multiply attack traffic by hundreds of times. In 2016, DNS was the most commonly used reflection protocol, with NTP close behind, with SSDP, Chargen and SNMP also showing a significant increase in usage. The use of Chargen has experienced the fastest growth year over year, Arbor Networks says.
In addition to growing in size, DDoS attacks have also increased their frequency, and the “chances of being hit by a DDoS attack have never been higher,” the security firm says. Of the 356 service providers responding to the firm’s survey, 53% said they experienced more than 51 attacks per month last year, up from only 44% saying the same about 2015.
The WISR also reveals that 45% of enterprise, government and education respondents experienced more than 10 attacks per month. Last year, 21% of data-centers saw more than 50 attacks per month, although only 8% of them said the same a year before.
Following a trend first noticed in 2015, the complexity of DDoS attacks grew as well last year, fueled by booter/stresser services and the use of multiple simultaneous attack vectors. Application-layer attacks were extensively used, with 95% of service provider respondents registering at least one. These attacks targeted mainly services such as DNS, HTTP and secure web services (HTTPS).
According to Arbor Networks’ report, 67% of service providers and 40% of Enterprise, Government and Education (EGE) registered multi-vector attacks on their networks last year. In 2015, 56% of service providers reported seeing multi-vector attacks, with only 42% reporting the same the year before.
The emergence of massive DDoS attacks fuelled by Mirai illustrated the importance of a good DDoS protection strategy, given that one of these incidents brought down many popular services. Thus, 61% of service providers experienced attacks that fully saturated data center bandwidth, while 78% reported increased demand for DDoS managed services as the increase in attack size drew the attention of the C-suite and Board of Directors.
The report reveals that, for 25% of respondents, the cost of a major DDoS attack was north of $100,000, while 5% noted costs in excess of $1 million. When it comes to EGE respondents, 41% reported attacks exceeding their total Internet capacity, and nearly 60% estimated downtime costs above $500/minute, with some indicating much greater expense.
“As we have seen in this year’s report, attackers have used IoT devices to build and weaponize massive botnets of unprecedented size and capability. Volumetric DDoS attacks have not only reached new highs in terms of overall size, but have also increased in frequency. But, IoT botnets aren’t the only game in town. Reflection/amplification DDoS attacks have also continued to see widespread use as a tried-and-tested method for generating huge volumes of attack traffic. In addition, easy-to-use DDoS services have helped make more sophisticated multi-vector DDoS attacks increasingly common,” the report reads.
