Verisign Distributed Denial of Service (DDoS) Trends Report: attack trends observed from October through December (Q4) 2016. The report covers attack statistics, behavioural trends and the outlook ahead. Observations and insights about attack frequency and size are drawn from mitigations performed on behalf of Verisign DDoS Protection Services customers and from iDefense Security Intelligence Services research.
Verisign observed the following key trends in Q4 2016:
- Number of attacks: 5% decrease from Q3 2016
- Average attack peak size: 167% increase from 2015 to 2016
- Peak attack size: 127 Gigabits per second (volume), 50 million packets per second (speed)
- Most common attack mitigated: 52% of attacks were User Datagram Protocol (UDP) floods; 86% of attacks employed multiple attack types
- Average peak attack size: 11.2 Gbps (11% decrease compared to Q3 2016); 22% of attacks exceeded 10 Gbps and 52% exceeded 5 Gbps
DDoS attacks remain complex and unpredictable, requiring human intervention and expertise alongside technical safeguards for mitigation. Attackers in Q4 2016 launched sustained and repeated attacks against their targets: 50% of customers attacked in this quarter were targeted multiple times. The overall average attack peak size in 2016 was larger than in previous years. Verisign observed an average attack peak size of 16.1 Gbps in 2016, a 167% increase from 2015. 86% of the DDoS attacks mitigated by Verisign in Q4 2016 employed multiple attack types, indicating that DDoS attacks remain complex and require continued monitoring to keep mitigation strategies effective.
UDP flood attacks continued to dominate in Q4 2016, making up 52% of total attacks in the quarter. The most common UDP floods mitigated were Domain Name System (DNS) reflection attacks, followed by Network Time Protocol (NTP) reflection attacks.
The largest and highest-intensity DDoS attack observed by Verisign in Q4 2016 was a multi-vector attack that peaked at over 125 Gbps and around 50 Mpps. The attack was notable because the attackers were persistent, sending attack traffic on a daily basis for almost an entire month. The attack consisted of DNS reflection traffic and Internet Control Message Protocol (ICMP) traffic, and the attackers switched periodically to TCP SYN and TCP Reset floods peaking at approximately 70 Gbps and 50 Mpps. The attack also included floods of IP fragments to increase its volume.
DDoS attacks against the public sector have increased sharply. In Q4 2016, public sector customers experienced the second-highest number of DDoS attacks among the Verisign DDoS Protection Services customer base (32% of total attacks). This is the highest percentage of DDoS attacks that Verisign has observed against its public sector customers since the inception of the Verisign DDoS Trends Report in Q1 2014. Customers in the IT Services/Cloud/SaaS industry continued to experience the largest number of DDoS attacks in Q4 2016.
Mitigations on Behalf of Verisign Customers by Industry for Q4 2016:
- IT Services/Cloud/SaaS
  - 49% of mitigations
  - 16.3 Gbps average attack size
- Public Sector
  - 32% of mitigations
  - 6.9 Gbps average attack size
- Financial
  - 7% of mitigations
  - 10.4 Gbps average attack size
- Media and Entertainment content
  - 6% of mitigations
  - 25.5 Gbps average attack size
- Telecommunications and other sectors
  - 4% of mitigations
  - 15.8 Gbps average attack size
- E-commerce and online advertising
  - 2% of mitigations
  - 1.3 Gbps average attack size
Market Landscape: The Botnet Ecosystem
Launching a DDoS attack has become far more accessible to attackers owing to the rise of cloud computing, cheap hosting, readily available bandwidth and open-source attack tools. From low-skilled teenagers aiming to cheat while playing online games to cybercriminals looking to supplement their income by renting out their botnets for opportunistic attacks, the DDoS-for-hire market is booming.
Botnets used in DDoS attacks vary greatly in size and potency, from as small as a dozen compromised computers to as large as over one million devices. Botnets are made up of computers, smartphones, servers, routers, printers and even IoT devices such as networked refrigerators. With more devices continuously connected to the internet, the pool of devices that could be recruited into botnets has grown. Attackers can now rapidly identify and leverage thousands of compromised devices and harness their bandwidth to launch DDoS attacks that can overwhelm even the best-prepared networks.
Mitigating DDoS attacks by Botnets
Since most DDoS-for-hire services share similar characteristics, identifying popular DDoS techniques can help companies mitigate and defend against a variety of DDoS attacks. However, there is still a human element involved. Since most DDoS attacks are concerted efforts by live attackers to bring down a network, many attacks start out as one type of attack but then morph into something new or different. Consequently, organizations need access to a high level of expertise and experience in combating these complex hybrid DDoS attacks. A solution that includes monitoring of traffic behaviour, the ability to defend against not only network-layer but also application-layer attacks, and the flexibility to divert large attack traffic to a cloud-based DDoS provider can help to alleviate dangerous threats and costly attacks.
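The multi-vector attack described earlier (DNS reflection and ICMP traffic alternating with TCP SYN and Reset floods plus IP fragments) and the monitoring of traffic behaviour recommended in this section both come down to the same defender-side task: labelling observed flows by vector, tracking per-second volume and packet rate for each vector, and noticing when several vectors are active at once. The following Python script, added here as an illustration and not Verisign's code or tooling, does this over a few constructed flow-summary records. The record format, the classification rules (e.g. UDP with source port 53 as DNS reflection, SYN-only TCP as a SYN flood), the sample numbers and the 1 Gbps / 1 Mpps "attack vector" thresholds are all assumptions made for the example; peak volume (Gbps) and peak rate (Mpps) are tracked separately, as reports quote them, so they may fall in different seconds.

```python
"""Classify constructed flow records into DDoS vectors and find per-vector peaks.

Added example; the record layout, rules, thresholds and sample data are assumptions.
"""
from collections import defaultdict

# Assumed thresholds above which a vector counts as part of the attack.
ATTACK_GBPS = 1.0
ATTACK_MPPS = 1.0


def flow(ts, proto, sport, dport, flags, frag, byte_count, packets):
    """Build one per-second flow-summary record (assumed layout)."""
    return {"ts": ts, "proto": proto, "sport": sport, "dport": dport,
            "flags": flags, "frag": frag, "bytes": byte_count, "packets": packets}


# Constructed sample: seconds 0-1 are DNS reflection + ICMP (+ fragments),
# second 2 switches to SYN/RST floods, second 3 is ordinary HTTPS traffic.
SAMPLE_FLOWS = [
    flow(0, "udp", 53, 41234, "", False, 2_500_000_000, 1_700_000),   # DNS reflection
    flow(0, "icmp", 0, 0, "", False, 500_000_000, 500_000),           # ICMP flood
    flow(1, "udp", 53, 41234, "", False, 3_000_000_000, 2_000_000),   # DNS reflection
    flow(1, "icmp", 0, 0, "", False, 750_000_000, 750_000),           # ICMP flood
    flow(1, "udp", 0, 0, "", True, 1_250_000_000, 1_000_000),         # IP fragments
    flow(2, "tcp", 44321, 80, "S", False, 1_920_000_000, 30_000_000), # SYN flood
    flow(2, "tcp", 44321, 80, "R", False, 640_000_000, 10_000_000),   # RST flood
    flow(3, "tcp", 443, 55000, "A", False, 100_000_000, 80_000),      # ordinary traffic
]


def classify(rec):
    """Map a record to an assumed vector label (rules are illustrative only)."""
    if rec["frag"]:
        return "ip-fragment"
    if rec["proto"] == "icmp":
        return "icmp-flood"
    if rec["proto"] == "udp":
        if rec["sport"] == 53:
            return "dns-reflection"
        if rec["sport"] == 123:
            return "ntp-reflection"
        return "udp-flood"
    if rec["proto"] == "tcp":
        if rec["flags"] == "S":          # SYN without ACK
            return "tcp-syn-flood"
        if "R" in rec["flags"]:
            return "tcp-rst-flood"
    return "other"


def per_second_totals(flows):
    """Sum bytes and packets per second, both per vector and overall."""
    by_vector = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    overall = defaultdict(lambda: [0, 0])
    for rec in flows:
        label = classify(rec)
        for bucket in (by_vector[label][rec["ts"]], overall[rec["ts"]]):
            bucket[0] += rec["bytes"]
            bucket[1] += rec["packets"]
    return by_vector, overall


def to_rates(byte_count, packet_count):
    """Convert one second's byte and packet totals to (Gbps, Mpps)."""
    return byte_count * 8 / 1e9, packet_count / 1e6


def peak_rates(flows):
    """Return ({vector: (peak_gbps, peak_mpps)}, (total_peak_gbps, total_peak_mpps))."""
    by_vector, overall = per_second_totals(flows)
    peaks = {}
    for label, series in by_vector.items():
        rates = [to_rates(b, p) for b, p in series.values()]
        peaks[label] = (max(g for g, _ in rates), max(m for _, m in rates))
    totals = [to_rates(b, p) for b, p in overall.values()]
    return peaks, (max(g for g, _ in totals), max(m for _, m in totals))


def summarize(flows):
    """Name the vectors that exceed the assumed thresholds and flag multi-vector attacks."""
    peaks, (total_gbps, total_mpps) = peak_rates(flows)
    vectors = sorted(v for v, (g, m) in peaks.items()
                     if g >= ATTACK_GBPS or m >= ATTACK_MPPS)
    return {"vectors": vectors, "multi_vector": len(vectors) >= 2,
            "peak_gbps": total_gbps, "peak_mpps": total_mpps, "per_vector": peaks}


if __name__ == "__main__":
    report = summarize(SAMPLE_FLOWS)
    print("vectors:", ", ".join(report["vectors"]))
    print("multi-vector:", report["multi_vector"])
    print(f"peak {report['peak_gbps']:.2f} Gbps, {report['peak_mpps']:.2f} Mpps")
    for label, (g, m) in sorted(report["per_vector"].items()):
        print(f"  {label:15s} {g:6.2f} Gbps {m:6.2f} Mpps")
```

On the constructed sample the overall peak volume falls in second 1 (reflection plus fragments) while the overall peak packet rate falls in second 2 (the SYN/RST phase), which is why the two peaks are tracked independently; the ordinary HTTPS record stays below both thresholds and is not reported as a vector.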