Security Experts:

DDoS Attacks Shorter, But Pack More Punch: Reports

Arbor Networks, a provider of network security and management solutions, has released its data on distributed denial of service (DDoS) attack trends for the first half of 2013.

According to Arbor, the average attack size has jumped 43 percent so far this year, with 46.5 percent of attacks now topping 1Gbps. The average DDoS Attack Size was 2.7Gbps in June, Arbor said.

Interestingly, recent trends show that DDoS attacks are not lasting as long. DDoS attack durations are trending shorter, with 86 percent now lasting less than one hour, according to Arbor’s data. Additionally, the Packets Per Second (PPS) attacks size seem to be trending downward, reversing the strong growth trend seen in late 2011 and through 2012, Arbor said.

The proportion of attacks in the 2 - 10Gbps range has more than doubled, from 14.78 percent to 29.8 percent. The proportion of attacks over 10Gbps increased 41.6 perecent YTD.

While monitoring the destination ports targeted by DDoS attacks, Arbor noticed another massive trend shift.

“While HTTP (port 80) continues to be the most popular, TCP fragmentation attacks (port 0) are up from about 10% last year to nearly 25% this year,” Arbor’s Gary Sockrider noted in a blog post. “That’s about two and a half times more so far this year. TCP fragmentation attacks are nothing new but it does demonstrate the attackers are constantly changing attack vectors in an effort to evade expectations.” 

Arbor’s data comes from its ATLAS Internet monitoring system which is based on a partnership with more than 270 service providers who share anonymous traffic data with the security firm. The data, which Arbor says totals 35Tbps, is enhanced by Arbor's global honeypot network of more than 45 sensors.

Akamai also acknowledged a trend in shorter but more powerful DDoS attacks.

“The attack patterns that we have been witnessing are more frequent and shorter burst DDoS attacks,” Dave Lewis, security evangelist at Akamai told SecurityWeek. “A large portion of these attacks are attributed to the Izz ad-Dim al-Qassam Cyber Fighters (aka QCF). The QCF tends to attack a target for 10 minutes at a time and if there is no appreciable effect they will move to another target. Conceivably they can attack 20 different targets in a day with results that can last for hours in some cases. "

Just last week, QCF announced the fourth phase of its ongoing campaign of attacks against U.S. financial institutions, known as Operation Ababil. Radware has released an attack report (PDF) about the planned fourth stage of OpAbabil, which provides information on expected attack methods/tools, attackers' communication channels, and more. 

Akamai Technologies, which recently released its First Quarter, 2013 State of the Internet Report, said it saw a total of 208 DDoS attacks across its customer base, up slightly from the 200 reported in the previous quarter. Breaking down the attacks, Akamai said 35 percent targeted Enterprise customers; 32 percent were focused on Commerce customers; 22 percent on Media customers; 7 percent on High Tech customers; and 4 percent targeted Public Sector customers.

"The increasing volume of highly visible attacks, including a mix of politically motivated attacks, state-sponsored electronic warfare, social activism, organized crime, and good old fashioned pointless mischief and mayhem is being driven by the easy availability of bots/botnets for hire and easily distributed crowd-sourced attack tools," Jeff Wilson, principal network security analyst with Infonetics Research, said in a statement.

"What we see on a daily basis is an escalation in the size, frequency and complexity of attacks,” said Darren Anstee, Solutions Architect for Arbor Networks. “The resiliency of this attack vector is incredible, and with all of the tools available today that enable anyone to launch or participate in attacks, we don't see a slow down at all."

Related ReadingU.S. Banks Back Under DDoS Fire

Related Reading: That DDoS Attack is Closer Than You Think

Related Reading: New DirtJumper Variant Packs Supercharged DDoS Engine

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.