The number of distributed denial-of-service (DDoS) attacks set a record in the first half of 2014, according to a report by Arbor Networks. The number of attacks over 20 GB/sec doubled compared with the same period in 2013.
Although the first quarter saw the most concentrated burst of large volumetric attacks in history, things calmed down somewhat in the second quarter. The largest reported attack in the second quarter was 154.69 GB/sec, down 52 percent from Q1. That was a Network Time Protocol (NTP) reflection attack targeting a destination in Spain, Arbor Networks said.
NTP Attacks Fall, But Still Higher than 2013
Although the company said that NTP reflection attacks are still significant, attacks of that type were down in both size and scope in Q2 compared with the first quarter. Average NTP traffic volumes are falling globally, but remain above November 2013 levels (the start of NTP attack proliferation). In total, NTP represented 6 percent of DDoS attacks in Q2, down from 14 percent in Q1.
NTP attacks provide hackers with the ability to generate high-volume DDoS traffic to target Web sites or public-facing devices in order to disrupt services. Attacks of this type can be exploited remotely, with NTP exploits being publicly available. In an NTP attack, bot computers are enlisted to send a request for the correct time from an NTP server, but the return address is spoofed with the targeted Web server's address. Hence the targeted server is flooded with data on the correct time.
The number of attacks of this kind began to slow in March and into the second quarter, but still remain significantly above 2013 levels.
More and Larger
The second quarter also saw fewer very large attacks, with average attack size down by 47 percent compared with Q1. Nonetheless, more than 100 attacks larger than 100 GB/sec have been reported so far this year, an unprecedented number.
"Volumetric DDoS attacks continued to be a problem well into the second quarter," said Arbor Networks Director of Solutions Architects Darren Anstee. "The frequency of very large attacks continues to be an issue, and organizations should take an integrated, multi-layered approach to protection. Even organizations with significant amounts of Internet connectivity can now see that capacity exhausted relatively easily by the attacks that are going on out there."
Non Initial Fragment attacks still remain the most common, according to the report, although there was a significant increase in the percentage of attacks targeting domain name servers in the second quarter.
Despite the ominous increase in activity, the majority of attacks remain short-lived, with 90.6 percent lasting less than an hour. But Arbor says the growth trend for large attacks continues to point upward.
Arbor obtained the data through its Atlas threat monitoring infrastructure, a collaborative partnership of nearly 300 Internet service providers who share anonymous traffic data with Arbor in order to deliver an aggregated view of global traffic and threats. Atlas collects statistics that represent 90 TB/sec of Internet traffic and provides the data for the Digital Attack Map, a visualization of global attack traffic created in collaboration with Google Ideas.
The initiative provides worldwide statistics anonymously. According to the company, the system currently monitors a peak of around 90 Tbps of IPv4 traffic.