The number of distributed denial-of-service attacks jumped significantly in 2013, and dealing with them was not cheap, according to a new report from Neustar.
In a survey of 450 companies in North America across various verticals, 60 percent reported experiencing a DDoS attack in 2013, up from just 35 percent in 2012. Generally, these attacks were shorter: 77 percent reported the attacks lasted less than a day, compared to 63 percent in 2012. Less than two percent reported the attacks lasting a week, compared to 13 percent in 2012.
That doesn’t mean the price tag wasn’t hefty in 2013. Fourteen percent of companies said a DDoS outage would mean losses of between $50,000 and $100,000 per hour, while 29 percent said it would be $100,000 or more per hour.
“DDoS attacks create an ‘all hands on deck’ mentality, and the potential for damage is high as criminals take advantage of the distraction to grab and clone private data to tap into funds, intellectual property and more,” said Rodney Joffe, senior vice president and senior technologist at Neustar, in a statement. “Businesses should look out for shorter, more intense attacks without the traditionally expected extortion or policy demands. It is critical that they protect themselves by dedicating staff to watch entry systems during attacks, making sure everything is patched and having dedicated DDoS protection.”
Almost 90 percent of the companies that were attacked were hit repeatedly, and 55 percent of DDoS targets were also victims of theft – either of funds, customer data or intellectual property. While attack duration is down, the number of attacks between one and five Gbps shot up nearly three times compared to 2012, Neustar found. DDoS attacks of more than 10 Gbps dropped by half, however, from five percent in 2012 to 2.4 percent last year.
That bit of good news may not last, however. According to Black Lotus, new distributed reflected denial-of-service (DrDoS) threats could lead to attacks in excess of 800 Gbps during the next 12 to 18 months.
“At the beginning of January 2014, attackers began leveraging NTP DrDoS attacks to launch massive, debilitating attacks against targets of all sizes with attacks peaking at 421 Gbps in February 2014, the largest attack ever recorded,” according to Black Lotus’ Q1 2014 threat report. “The OPEN NTP Project has successfully reduced the amount of hosts complicit in these attacks through awareness campaigns, which has resulted in service and application layer attacks against websites once again becoming the dominant DDoS threat.”
“This data indicates that attackers prefer to use DrDoS attacks to take advantage of vulnerable services which use the UDP protocol, such as DNS and NTP, but are unable to launch these attacks consistently,” the report continues. “While DrDoS attacks are the largest, most devastating attacks currently in existence, an attacker must rely on thousands of vulnerable servers to amplify and relay the attacks. When groups like The OPEN NTP Project create awareness campaigns it serves to reduce the amount of vulnerable servers and prevents attackers from consistently launching DrDoS attacks. As a result the attackers must resort to the tried and true method of attacking web servers directly using methods such as TCP SYN and HTTP GET attacks for which many companies do not have organic filtering capabilities and can be launched by attackers without relying on vulnerable UDP services.”
Researchers at Black Lotus predict that reflection attacks against UDP services such as DNS, NTP, SNMP and other protocols will continue to pose a threat to service providers, enterprises and their upstream carriers. While NTP DrDoS has tapered off, attackers are currently seeking other UDP services that can be used as a DrDoS vector.
“Black Lotus expects that new amplification conditions will be discovered resulting in a potential for DDoS attacks exceeding 800 Gbps in the next 12 – 18 months,” according to the report. “Until attackers are able to achieve this level of volume they will continue to target servers and web applications using SYN and HTTP GET floods which remain devastating for those which do not employ effective on-site DDoS mitigation or employ the services of DDoS mitigation and web application security providers.”
“Historically, service providers have been able to operate without providing substantial security services to customers,” said Jeffrey Lyon, founder of Black Lotus, in a statement. “That’s no longer viable, as threats proliferate and attackers find new ways to amplify the volume of their efforts.”