A new report from Verisign on distributed denial-of-service attacks showed that the number of distributed denial-of-service [DDoS] attacks exceeding 10 Gbps grew substantially between the second and third quarters of the year.
According to the Verisign report, the number of attacks 10 Gbps and above jumped by 38 percent from the second quarter, and represented more than 20 percent of all attacks in Q3.
Attackers were persistent in launching attacks against targeted customers, averaging more than three separate attempts per target, according to the report. The most frequent target of attacks was the media and entertainment industry, which represented more than 50 percent of all mitigation activity. The largest observed attack was 90 Gbps and was experienced by an e-commerce company.
“This attack was a pulsing User Datagram Protocol (UDP) flood employed in short bursts of 30 minutes or fewer,” Verisign noted in a blog post announcing the report. “It consisted primarily of Network Time Protocol (NTP) reflective amplification attack traffic. This activity was aimed at disrupting the critical online commerce capability of the customer and was successfully mitigated by Verisign.”
When compared to Q1, the average attack size increased in Q3 by 65 percent. Network Time Protocol (NTP) continues to make up the majority of UDP-based reflective amplification attacks, with a shift to SSDP [Simple Service Discovery Protocol] during the quarter. Last month, researchers at Akamai Technologies issued a warning about attackers leveraging SSDP to launch attacks that amplify and reflect traffic to their targets.
“Though the amplification it generates is smaller than that possible with DNS or NTP reflection attacks, SSDP attacks still have the capability to overwhelm organizations that are using traditional security appliances to protect their assets,” according to the report. “Consistent with other reflective amplification attacks, malicious actors will spoof the source IP when making an SSDP request to target a victim. For most organizations, SSDP implementations should not need to be open to the Internet. In this case, ingress queries from the Internet targeting this protocol can be blocked at the network edge to protect from this particular vector. Verisign recommends an audit of internal assets, including outbound network flows to ensure that your organization is not being unknowingly leveraged in SSDP-based DDoS attacks.”