Arbor Networks Reports Unprecedented Spike in DDoS Attack Size Driven by NTP Misuse
- Largest attack in Q1 2014 was 325 GB/sec
- Q1 saw 72 attacks larger than 100 GB/sec
- Q1 2014 saw 1.5x the number of attacks over 20 GB/sec as in the whole of 2013
BURLINGTON, MA., April 29, 2014 – Arbor Networks Inc., a leading provider of DDoS and advanced threat protection solutions for enterprise and service provider networks, today released global DDoS attack data derived from its ATLAS threat monitoring infrastructure. The data shows an unprecedented spike in volumetric attacks, driven by the proliferation of NTP reflection/amplification attacks.
NTP is a UDP-based protocol used to synchronize clocks over a computer network. Any UDP-based service including DNS, SNMP, NTP, chargen, and RADIUS is a potential vector for DDoS attacks because the protocol is connectionless and source IP addresses can be spoofed by attackers who have control of compromised or ‘botted’ hosts residing on networks which have not implemented basic anti-spoofing measures. NTP is popular due to its high amplification ratio of approximately 1000x. Furthermore, attacks tools are becoming readily available, making these attacks easy to execute.
ATLAS is a collaborative partnership with nearly 300 service provider customers who share anonymous traffic data with Arbor in order to deliver a comprehensive, aggregated view of global traffic and threats. ATLAS collects 80TB/sec of traffic and provides the data for the Digital Attack Map, a visualization of global attack traffic created by Google Ideas. An online presentation with a full summary of Arbor’s findings for Q1 2014 is available here.
NTP Attacks Highlights
Average NTP traffic globally in November 2013 was 1.29 GB/sec, by February 2014 it was 351.64 GB/sec
- NTP was used in 14% of DDoS events overall but 56% of events over 10 GB/sec and 84.7% of events over 100 GB/sec
- US, France and Australia were the most common targets overall
- US and France were the most common targets of large attacks
“Arbor has been monitoring and mitigating DDoS attacks since 2000. The spike in the size and frequency of large attacks so far in 2014 has been unprecedented,” said Arbor Networks Director of Solutions Architects Darren Anstee. “These attacks have become so large, they pose a very serious threat to Internet infrastructure, from the ISP to the enterprise.”
NTP Resources: Arbor Networks has covered the rise in NTP attacks extensively, providing a wide range of data, research, analysis and best practices.
- Webinar: Too Much Time on My Hands: Network Scale Mitigation of NTP DDoS Attacks
- Arbor Security Engineering & Response Team (ASERT): Threat Intel Brief
- Blog Posts: NTP Attacks: Welcome to The Hockey Stick Era, NTP attacks continue – a quick look at traffic over the past few months and The Danger of the Latest NTP Attacks.
About Arbor Networks
Arbor Networks, Inc. helps secure the world’s largest enterprise and service provider networks from DDoS attacks and advanced threats. Arbor is the world’s leading provider of DDoS protection in the enterprise, carrier and mobile market segments, according to Infonetics Research. Arbor’s advanced threat solutions deliver complete network visibility through a combination of packet capture and NetFlow technology, enabling the rapid detection and mitigation of malware and malicious insiders. Arbor also delivers market leading analytics for dynamic incident response, historical analysis, visualization and forensics. Arbor strives to be a “force multiplier,” making network and security teams the experts. Our goal is to provide a richer picture into networks and more security context - so customers can solve problems faster and reduce the risk to their business.
To learn more about Arbor products and services, please visit our website at arbornetworks.com. Arbor’s research, analysis and insight, together with data from the ATLAS global threat intelligence system, can be found at the ATLAS Threat Portal.
Trademark Notice: Arbor Networks, Peakflow, ArbOS, How Networks Grow, ATLAS, Pravail, Arbor Optima, Cloud Signaling, the Arbor Networks logo and Arbor Networks: Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brand names may be trademarks of their respective owners.