DDoS attack size doubles, but 40% are still reported by customers

News by Danielle Correa

While the headline record-breaking attack size goes up every year, the long tail of average attack size has also doubled in the past year to reach 50 Gbps, according to Neustar's fourth annual Worldwide DDoS Attacks and Cyber Insights Research Report. However, the increased average is partly put down to multiple 500 Gbps+ attacks from IoT botnets, one of which exceeded 680 Gbps peak size.

The report records that nearly half (45 percent) of DDoS attacks were more than 10 Gbps and 15 percent of attacks were at least 50 Gbps, showing that volumetric attacks are getting larger.

And the average cost of DDoS attacks has also gone up, now costing an organisation almost £2 million (£1.9 million) in revenue.

Neustar's report is based on responses from 1,010 CISOs, CSOs, CTOs, security directors and managers.

Out of 1,010 organisations, 849 were attacked – with no particular industry spared. Eighty-six percent (727) of those attacked were hit more than once.

Forty percent of respondents reported receiving attack alerts from customers, up from 29 percent in 2016, demonstrating just how unprepared we are when dealing with this threat.

An average revenue loss of at least US$250,000 (£190,000) per hour was reported by 43 percent of organisations, with 51 percent taking at least three hours to detect an attack and 40 percent taking at least that amount of time to respond.

Instances of ransomware increased 53 percent since 2016. Half of the attacks involved some sort of loss or theft with a 38 percent increase year over year in customer data, financial and intellectual property thefts.

Nearly all (99 percent) organisations have some sort of DDoS protection in place, but 90 percent are investing more than they did a year ago. More than a third (36 percent) think they should be investing even more.

Showing that the year is off to a fast start, the research is already seeing significant increases in average attack size and variety of attack vectors even though Q1 is generally considered “pre-season” with most attacks traditionally happening in the shopping season in the run up to Christmas.

The new hot attack trends for 2017 include Generic Routing Encapsulation (GRE) based flood attacks and Connectionless Lightweight Directory Access Protocol (CLDAP).

The report explains how CLDAP reflection attacks come from botnets that target exposed, public-facing LDAP servers by exploiting UDP's inherently stateless nature. These attacks originate from port 389 (LDAP's UDP port); however, they are not always concentrated on attacking a specific source port. Although LDAP is more prevalent on internal networks, attackers have been increasingly using this form of attack across the internet, and it has now increased to what Neustar describes as a point of significance. The largest CLDAP attack mitigated this year by Neustar Security Operations had a peak size of 20.9 Gbps/2.1 Mpps, targeted 9 different ports, used UDP protocols and lasted 14 minutes.
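A defender can spot the pattern described above in flow data: many distinct sources sending UDP from port 389 to one destination, often across several destination ports. The following is an added example, not code from Neustar's report; the flow-record layout, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

CLDAP_PORT = 389  # LDAP's UDP port, as named in the report summary above

# Constructed sample flow records for one 60-second window (not real traffic):
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.%d" % i, 389, "203.0.113.10", 1024 + (i % 9), "udp", 6000, 9_000_000)
    for i in range(1, 41)
] + [
    ("192.0.2.7", 53, "203.0.113.10", 40000, "udp", 20, 3000),   # ordinary DNS reply
    ("192.0.2.8", 389, "203.0.113.20", 50000, "udp", 4, 1200),   # lone LDAP response
    ("192.0.2.9", 443, "203.0.113.10", 51000, "tcp", 900, 1_200_000),
]

def find_cldap_reflection(flows, window_s=60, min_sources=20, min_mbps=10.0):
    """Summarise inbound UDP traffic sourced from port 389, per destination.

    Thresholds are assumptions for this example; tune them to your baseline.
    """
    per_dst = defaultdict(lambda: {"sources": set(), "ports": set(), "pkts": 0, "bytes": 0})
    for src, sport, dst, dport, proto, pkts, nbytes in flows:
        if proto != "udp" or sport != CLDAP_PORT:
            continue  # only reflected CLDAP responses are of interest here
        s = per_dst[dst]
        s["sources"].add(src)
        s["ports"].add(dport)
        s["pkts"] += pkts
        s["bytes"] += nbytes
    alerts = []
    for dst, s in per_dst.items():
        mbps = s["bytes"] * 8 / window_s / 1e6
        # Many reflectors plus real volume separates a flood from stray LDAP replies.
        if len(s["sources"]) >= min_sources and mbps >= min_mbps:
            alerts.append({
                "victim": dst,
                "reflectors": len(s["sources"]),
                "dst_ports": len(s["ports"]),
                "mbps": round(mbps, 1),
                "pps": s["pkts"] // window_s,
            })
    return alerts

if __name__ == "__main__":
    for alert in find_cldap_reflection(SAMPLE_FLOWS):
        print(alert)
```

Counting distinct destination ports matters because, as the report notes, these floods are not always aimed at a single port.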

Growth in these attacks is attributed to the near eradication of SSDP attacks; attackers looking for quick-ramping volumetric menaces have therefore gravitated to CLDAP. Attackers may also launch LDAP-based attacks using brute force to saturate and neutralise authentication systems and security infrastructure components.

GRE-based attacks target private connections and are often used to disrupt a DDoS target's connection to its protection provider, the report explains. GRE tunnels are typically used to connect infrastructures and facilitate contaminated traffic flows into DDoS mitigation clouds. Attackers tend to understand this, and thus these types of attacks are increasingly being seen and mitigated. Neustar points out that stopping a GRE flood without completely shutting down legitimate traffic typically requires surgical rate limiting (specific packet size ranges, sources and destinations, etc.) or specific white/black lists.
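The "surgical" approach Neustar describes can be sketched as a filter that leaves known tunnel peers alone and rate-limits other GRE packets only within chosen size ranges. This is an added example, not Neustar's implementation; the class name, parameters, addresses and traffic are assumptions constructed for illustration.

```python
GRE_PROTO = 47  # IP protocol number assigned to GRE

class GreFloodFilter:
    """Allow-list known tunnel peers; token-bucket other GRE per destination and size band."""

    def __init__(self, tunnel_peers, bands, rate_pps, burst):
        self.tunnel_peers = set(tunnel_peers)  # (src, dst) pairs of real tunnels
        self.bands = bands                     # [(min_len, max_len)] ranges to police
        self.rate_pps = rate_pps
        self.cap = burst * 1000                # tokens kept as integer milli-packets
        self.buckets = {}                      # (dst, band) -> (tokens, last_ms)

    def allow(self, ts_ms, src, dst, proto, length):
        if proto != GRE_PROTO or (src, dst) in self.tunnel_peers:
            return True                        # non-GRE or a known tunnel: untouched
        band = next((b for b in self.bands if b[0] <= length <= b[1]), None)
        if band is None:
            return True                        # size outside the policed ranges
        tokens, last = self.buckets.get((dst, band), (self.cap, ts_ms))
        # rate_pps packets per second equals rate_pps milli-packets per millisecond
        tokens = min(self.cap, tokens + (ts_ms - last) * self.rate_pps)
        ok = tokens >= 1000
        self.buckets[(dst, band)] = (tokens - 1000 if ok else tokens, ts_ms)
        return ok

def run_sample():
    """Constructed traffic: one real tunnel plus a flood of 1,400-byte GRE packets."""
    flt = GreFloodFilter(
        tunnel_peers={("192.0.2.1", "203.0.113.10")},
        bands=[(1300, 1500)], rate_pps=10, burst=10)
    passed = {"tunnel": 0, "flood": 0, "small": 0}
    for ms in range(1000):                     # one second of traffic, 1 ms apart
        if flt.allow(ms, "192.0.2.1", "203.0.113.10", GRE_PROTO, 1400):
            passed["tunnel"] += 1              # legitimate tunnel to the protected site
        if flt.allow(ms, "198.51.100.%d" % (ms % 250), "203.0.113.10", GRE_PROTO, 1400):
            passed["flood"] += 1               # unknown sources inside the policed band
        if ms % 100 == 0 and flt.allow(ms, "198.51.100.9", "203.0.113.10", GRE_PROTO, 64):
            passed["small"] += 1               # GRE outside the policed size range
    return passed

if __name__ == "__main__":
    print(run_sample())
```

In the sample run the real tunnel keeps all of its packets while the flood is cut to the burst plus the sustained rate, which is the outcome a blanket GRE block cannot give.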

Attackers continue to launch more sophisticated attacks to penetrate organisations' defences as multi-vector attacks have become the nearly universal experience for Neustar mitigation operations, with DDoS often a distraction for the main attack.

“Distributed Denial of Service (DDoS) attacks are the zeitgeist of today's internet,” said Barrett Lyon, head of research and development at Neustar Security Solutions in a news release. “The question organisations must ask now is how they are prepared to manage these highly disruptive events. Are they prepared for the bad day where their customers call and ask why the website is down?”

“We have to have confidence that our website infrastructure can stand up to DDoS attacks and attacks on our DNS infrastructure, which is unfortunately a constant threat,” said Chris Matthews, head of operations at Experian Data Quality in a release.

Neustar has expanded its network capacity to 3 Tbps, and is increasing it to 10 Tbps, enabling it to absorb more attacks and stop more complex versions of attack combinations.

Neustar's advice to companies in its report is: assess, plan, test, and communicate within the organisation because the attacks are going to keep coming. Invest wisely to right-size your DDoS defences. Not all DDoS defences are made equally. Some of the experience gained by attackers last year was an operational understanding of DDoS defence business models. With long, large attacks come big expenses for targeted organisations and in several extreme cases, removal from protective cover. Attackers are figuring out the economics of DDoS defence and using it to their advantage. This is an important consideration when evaluating security investments.
