DDoS mitigation systems 'under attack'

The tactics used in distributed denial-of-service (DDoS) attacks have changed as culprits target mitigation equipment.

According to Prolexic CTO Paul Sop, attackers know that businesses have some level of DDoS protection, so DDoS mitigation equipment is now being targeted. He also claimed that most technologies "do not have the capacity to process the 'high packet per second' attacks that are being used".

He said: “The simple truth is that automated mitigation tools and providers that offer only basic mitigation capabilities are likely to struggle against these kinds of attacks because they do not have an infrastructure in place with sufficient packet-per-second processing capacity.”

In its Q3 2011 attack report, Prolexic detected a steady rise in certain attack types, particularly high-packet-per-second SYN and ICMP floods. “High PPS SYN floods, in particular, target DDoS mitigation appliances by exhausting their processing capabilities with millions of small packets per second,” said Sop.

“For example, popular 10Gbps appliances often exhibit peak handling rates of less than five million packets per second. The prevalence of high PPS SYN floods indicates a change in strategy where attacks are less sophisticated, but more deadly.”

Of all of the attacks mitigated by Prolexic, approximately 24 per cent were SYN floods, 22 per cent ICMP floods and 19 per cent UDP floods. Network layer (Layer 3) attacks were the most common, making up 83 per cent of total attacks, with application layer (Layer 7) attacks accounting for the remaining 17 per cent.

The average attack duration was 1.4 days and the average speed of traffic mitigated was 1.5Gbps. The highest volume of attacks occurred during the period of 19-25 August, and the top three countries from which attacks originated were China, India, and Turkey, with China-based IP addresses accounting for 55 per cent of attacks.

Sign up to our newsletters