Arbor Networks’ ATLAS Data Shows Reflection DDoS Attacks Continue to be Significant in Q3 2014
- 133 attacks over 100Gbps so far in 2014; 22 recorded in Q3
- Remarkable increase in SSDP reflection attacks in Q3, nearly 30,000 monitored
- SSDP reflection attacks responsible for 42% of attacks over 10Gbps in September
- NTP reflection still responsible for more than half of events over 100Gbps in Q3
- Q3 attack sizes are trending up from Q2; 16.5% of attacks greater than 1Gbps in Q3, up from 15.3% in Q2
BURLINGTON, MA., October 7, 2014 – Arbor Networks Inc. today released global DDoS attack data for Q3 2014 showing a remarkable increase in Simple Service Discovery Protocol (SSDP) reflection attacks. Arbor monitored very few attacks using SSDP as a reflection mechanism in Q2, but nearly 30,000 attacks with this source port in Q3 alone, with one such attack reaching 124Gbps. The data confirms what Arbor has called The Hockey Stick Era, with a continuing trend towards large volumetric attacks, a consistent theme throughout 2014.
Arbor’s data is gathered through ATLAS®, a collaborative partnership with nearly 300 service provider customers who share anonymous traffic data with Arbor in order to deliver a comprehensive, aggregated view of global traffic and threats. ATLAS collects statistics that represent 90Tbps of Internet traffic and provides the data for the Digital Attack Map, a visualization of global attack traffic created in collaboration with Google Ideas.
“Everyone is aware of the huge storm of NTP reflection DDoS attacks in Q1 and early Q2, but although NTP reflection is still significant there isn’t as much going on now as there was – unfortunately, it is looking more and more like SSDP will be the next protocol to be exploited in this way. Organizations should take heed and ensure that their DDoS defense is multi-layered, and designed to deal with both attacks that can saturate their connectivity, and more stealthy, sophisticated application layer attacks,” said Arbor Networks Director of Solutions Architects Darren Anstee.
DDoS in Q3 2014 -- ATLAS key findings:
- Significant growth in use of SSDP for reflection attacks in Q3: 9% of all attacks in September and 42% of all attacks greater than 10Gbps appeared to use SSDP reflection.
- NTP reflection attacks still significant, but continuing to fall away proportionally (post the Q1 storm); however, over 50% of all attacks greater than 100Gbps were still NTP reflection attacks.
- Very large volumetric attacks far more frequent than in the past, with 133 attacks over 100Gbps this year so far.
- Average monitored attack in Q3 was 858.98Mbps; peak attack of 264.6Gbps.
- Q3 saw 16.5% of all attacks above 1Gbps, up from 15.3% in Q2.
- Proportion of events lasting less than 1 hour is gradually increasing, now at 91.2%
- Ranking sources for events larger than 10Gbps: U.S. (7.6%), China (5.9%), Brazil (1.1%)
- Ranking destinations for events larger than 10Gbps: U.S. (17.6%), France (10.8%), Denmark (8.4%)
For more analysis into data from Q3 2014, please visit Slideshare to view more detailed findings.
About Arbor Networks
Arbor Networks, Inc. helps secure the world’s largest enterprise and service provider networks from DDoS attacks and advanced threats. Arbor is the world’s leading provider of DDoS protection in the enterprise, carrier and mobile market segments, according to Infonetics Research. Arbor’s advanced threat solutions deliver complete network visibility through a combination of packet capture and NetFlow technology, enabling the rapid detection and mitigation of malware and malicious insiders. Arbor also delivers market leading analytics for dynamic incident response, historical analysis, visualization and forensics. Arbor strives to be a “force multiplier,” making network and security teams the experts. Our goal is to provide a richer picture into networks and more security context - so customers can solve problems faster and reduce the risk to their business.
To learn more about Arbor products and services, please visit our website at arbornetworks.com. Arbor’s research, analysis and insight, together with data from the ATLAS global threat intelligence system, can be found at the ATLAS Threat Portal.
Trademark Notice: Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, Pravail, Cloud Signaling, Arbor Cloud, ATLAS, We see things others can’t.TM and Arbor Networks. Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners