Akamai Publishes Prolexic Q1 2014 Global DDoS Attack Report
Attackers are shifting away from traditional botnet-based distributed denial of service (DDoS)attacks in favor of other techniques to launch larger attacks, Akamai Technologies said in its latest report.
In the first quarter of 2014, attackers continued the trend of relying less on botnets and more on various reflection and amplification techniques to launch DDoS attacks, Akamai researchers found in its Prolexic Q1 2014 Global DDoS Attack Report, released Thursday. Attackers are taking advantage of new toolkits available on underground marketplaces that make it easier to launch DDoS campaigns without a lot of technical knowledge or having to infect a large number of computers to create a zombie network.
Additionally, there are more DDoS attacks happening, according to Akamai. The report showed a 47 percent increase compared to the same period last year, as well as an 18 increase from the previous quarter. The attacks are also getting larger, as the average attack bandwidth increased 39 percent compared to the previous quarter and average peak bandwidth also more than doubled. However, despite getting larger, the average duration of a DDoS attack dipped somewhat to 17 hours. A year ago, attacks on average lasted 35 hours, and the previous quarter was 23 hours.
The largest-ever DDoS attack mitigated by Prolexic, now a division of Akamai after its 2013 acquisition, occurred during the first quarter of 2014, with peak traffic of more than 200 Gbps and 53.5 Mbps. The attack used multiple reflection techniques combined with a traditional botnet based application attack, Akamai said.
The newer toolkits abuse Internet protocols available on open or vulnerable servers and devices, Akamai said. “We believe this approach can lead to the Internet becoming a ready-to-use botnet for malicious actors,” said Stuart Scholly, a senior vice-president and general manager of security at Akamai.
The most abused protocols during the first quarter were Character Generator (CHARGEN), Network Time Protocol (NTP), and Domain Name System (DNS). They are all based on the User Datagram Protocol (UDP) and may be popular because the protocols allow attackers to cover their tracks and hide their identities, Akamai said in its report. It’s worth noting that the NTP flood method accounted for less than 1 percent of all DDoS attacks observed by Prolexic in the fourth quarter of 2013, but jumped to become as popular as SYN flood attacks, the most common type of DDoS attack, during the first quarter of 2014. In fact, CHARGEN and NTP attacks were not even on the radar a year ago, but accounted for 23 percent of all infrastructure attacks in the first quarter of 2014, Akamai found.
NTP stands for Network Time Protocol, which runs over port 123 and is used to synchronize clocks between machines on a network.
Amplification-based attacks need only a relatively small output from the source to deliver a massive flood of data at the target, Akamai said. Attackers don’t need to worry about renting, or building up, a massive botnet if they use this technique.
New tools popping up on the DDoS-as-a-service marketplace also have a lot to do with why the number of attacks using reflection techniques increased over the last few months. These attack tools are making high-volume infrastructure-based attacks possible. These kits are likely the primary reason for the growth in NTP reflection attacks, Akamai said. More than half of the DDoS attack traffic during the first quarter targeted the media and entertainment industry, Akamai found.
According to a March 2014 threat report from Black Lotus, NTP attacks now represent the most serious threat to the availability of public networks, with 40 percent of the serious attacks measured by the DDoS protection firm being NTP-based attack types.
Content delivery and web security firm Cloudflare experienced an NTP Amplification-based attack that topped 400Gbs against its infrastructure in late February when attackers targeted one of its customers.