DDoS Attacks: Growing, but How Much?


While distributed denial of service (DDoS) attacks have been around since the late 1990s, they have picked up in volume and intensity over the past year.

The largest DDoS on record hit the Internet at the end of March. A pair of studies released this week from Arbor Networks and Akamai Technologies further reinforces the notion that DDoS is a growing threat, depending on how you interpret the data.

DDoS Getting Bigger

According to Arbor, at the end of the first quarter of 2013 the average size of DDoS attacks was 1.77 Gbps, which is a 19.5 percent increase over the same period in 2012. Larger attacks are also growing, with DDoS incidents delivering packet floods in the 2 to 10 Gbps range now representing 21.5 percent of all attacks, up from 15 percent a year ago.

While DDoS attack size is rising, Arbor reports that 62.4 percent of attacks are still less than 1 Gbps. Considering that many large enterprises and data centers have Internet connections of 10 Gbps or more, you might think that a DDoS of 1 Gbps is not a problem. As it turns out, that's not the case.

"The fact that the majority of attacks are less than 1 Gbps in size does not mean that if you have sufficient bandwidth and firewall/IP blocking rules, then you are all set," Carlos Morales, VP of global sales engineering and operations, told eSecurity Planet.

While policy-based blocking mechanisms at the edge of the network are part of the solution, Morales said, they don’t handle many application layer, protocol or connection attacks that can take down services with a smaller amount of traffic. To handle these types of attacks, Morales suggested, you require an intelligent DDoS mitigation system deployed on-premise to block these threats. Examples of attacks that use up very little bandwidth, evade firewalls and take down servers include the Apache Killer, Slowloris and R-U-Dead-Yet (RUDY) attacks.

200 Percent Increase?

One of the most surprising DDoS statistics to emerge this week came from the quarterly State of the Internet Report (SOTI) from Akamai Technologies. According to the report, DDoS attacks in the fourth quarter of 2012 were up by 200 percent over 2011.

Unlike Arbor, Akamai does not report on DDoS size, only on the number of attacks.

"I don’t have specific information on whether the 2012 attacks were 'larger' in terms of traffic than the 2011 attacks," said David Belson, author of the Akamai report.

Additionally, the 200 percent increase in DDoS is not necessarily an indicator of what is going on in the broader marketplace outside of Akamai's customer base. Belson said the data set is self-selecting.

"It's attacks where customers engaged us for assistance," he explained. "In some cases, we may have silently absorbed/deflected an attack or a customer may have just chosen to ride us out as an option."

Democratization of DDoS

While The recent spate of attacks and reports on DDoS have raised the profile of the attack vector, warnings about DDoS and its impact are not new. In 2011 VeriSign reported that 63 percent of enterprises had been hit by a DDoS. At the time, VeriSign also reported that the average cost to defend against a DDoS was $2.5 million.

Regardless of how much DDoS is growing in terms of attacks and bandwidth, the bottom line is that it is becoming increasingly more common for a number of simple reasons.

"The availability of DDoS attack tools enable anyone with an Internet connection to launch attacks," Morales said. "The democratization of DDoS has made it accessible to the masses."

In addition to the availability of tools, the increasing proliferation of botnets is a key factor, enabling modern DDoS attacks.

"We’ve gone from hijacked PCs to tools that enable opt-in participation in botnets to most recently, seeing smaller botnets comprised of high speed Web servers for Joomla and Wordpress sites," Morales said. "These botnets are smaller than typical PC-botnets, but they enable high volume, high speed attacks."

Over the course of this month, at least 90,000 IP addresses have been involved in a brute force attack against WordPress websites. A suspected aim of the attack is the enrollment of compromised WordPress sites into a botnet.

How to Fight DDoS

"You can’t stop one from starting; that is out of your control," Morales said about the chances of an enterprise being hit by a DDoS.

There are, however, steps that an enterprise can take to help mitigate risk. Bandwidth is helpful, but it's not sufficient to deflect all types of modern attacks.

"Purpose-built, on-premise DDoS protection enables the enterprise to remain in control of mitigations for the majority of DDoS attacks today," Morales said. "However, if you are facing a large volumetric attack, that is best mitigated in the cloud."

Third party services, including those from Akamai, VeriSign and CloudFlare, all aim to offer cloud-based DDoS protections. Morales' company, Arbor, recommends a layered approach that combines on-premise DDoS protection with cloud-based protection from a service provider.

Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com, the news service of the IT Business Edge Network. Follow him on Twitter @TechJournalist.