Q3 2014: Reflection-based DDoS attacks are ‘it’

Very large attacks have been the name of the game this year. Attackers want to achieve their goals and using large volumetric ‘brute force’ attacks seems to be the current mechanism of choice. Earlier this year we saw the storm of NTP reflection attacks, and reflection-based DDoS attacks have continued as a major theme into Q3.

As we’ve reported previously, this has become the ‘Hockey Stick Era’ of DDoS – with attacks regularly reaching and exceeding 100 Gbps. NTP reflection attacks have continued this quarter, at a reduced frequency compared to Q1 and Q2, but we have also seen that attackers are now starting to utilize SSDP for reflection – especially in September when SSDP reflection attacks represented 42% of all events tracked over 10Gb/sec. Interestingly, in Q2 there were essentially no attacks sourced from the SSDP port (port 1900), but in Q3, ATLAS monitored nearly 30,000 of these attacks.

Other key statistics for the quarter include:

  • Remarkable growth in use of SSDP for reflection attacks: 9% of all attacks in September and 42% of all attacks greater than 10Gbps in September were SSDP reflection attacks
  • 133 attacks over 100Gbps so far in 2014; 22 recorded in Q3
  • Over half of all volumetric attacks greater than 100 Gbps in Q3 were still NTP reflection attacks
  • Q3 attack sizes are trending up from previous quarters; 16.5% of attacks greater than 1Gbps in Q3, up from 15.3% in Q2.
  • Proportion of events lasting less than 1 hour is gradually increasing, now at 91.2%

The big takeaway this quarter is clear – stay the course: employ a multi-layered approach to DDoS defense to ensure your organization is safeguarded from both complex, stealthy DDoS attacks, and the very large attacks that can quickly saturate Internet connectivity.

For more detailed insight into Q3 2014 DDoS attack statistics from ATLAS, please review the Slideshare presentation below


  • Posted in DDoS
  • Comments Off on Q3 2014: Reflection-based DDoS attacks are ‘it’