Darren Anstee, chief technology officer, Arbor Networks

In 2016, there were a number of highly publicised DDoS attacks that used weaponised botnets of IoT devices to attack websites and services. These attacks were sizeable and impacted big brand names and their customers, making them newsworthy, but there have been many more since then that have received less media focus. The attacks now seem to be smaller in size, but they are using more sophisticated application layer attack vectors, which make them less damaging to the broader internet, but no less of a problem to their target.

Looking more generally, DDoS attacks have grown massively in size, frequency and complexity over the last twenty years. Arbor's latest Worldwide Infrastructure Security Report (WISR) revealed there was a 60 percent increase in peak attack size from 2015 to 2016, with the biggest reported attack reaching 800Gbps. The big news though was the sheer number of large attacks (over 100Gbps) going on out there – more than 500 in 2016, more than double the number in 2015, and we expect to see this trend continuing again this year.

The size and frequency of attacks are one thing, but DDoS attacks are also no longer simple floods of traffic: they are highly complex, multi-vector attacks that target bandwidth, connection state and applications at the same time.

Types of DDoS

To evade defences and achieve their goals, cyber-criminals constantly evolve the methodologies they use. For DDoS there is an almost infinite range of attack specifics, but the attacks fall into three main categories:

  • Volumetric attacks: These attempt to consume the bandwidth either within the target network/service, or between the target network/service and the rest of the internet. These attacks are simply about causing congestion.
  • TCP State-exhaustion attacks: These look to consume the connection state tables that are present in many infrastructure components, such as load balancers, firewalls, IPS and the application servers themselves. They can take down even high-capacity devices capable of maintaining state on millions of connections.
  • Application-layer attacks: These target some aspect of an application or service. They are the most sophisticated and stealthy attacks because they use traffic that looks very much like that of a “real” user. This makes these attacks very difficult to proactively detect with traditional flow-based monitoring solutions.

The most complex attacks mix all of the above together, at the same time, toward the same target. These multi-vector attacks used to be launched only by those that really knew what they were doing, and had the ability to marshal the appropriate tools and resources – now anyone can do it because of weaponisation.


The number of DDoS “services” has proliferated over the past few years, and last year saw the rise of the weaponised IoT botnet. These services allow pretty much anyone to launch either a large volumetric attack or a more complex application-layer or multi-vector attack at the click of a button, for just a few dollars. And, unfortunately, if you make something cheap and easy to do, and there are plenty of motivations to do it, then you tend to see increased activity – and that is what is happening with DDoS.

But who is behind these services?

Cyber-criminals. Botnets today can be thought of as multi-purpose farms of compute power that can be used for a diverse mixture of for-profit activities, from spam to identity theft, click fraud to DDoS. The botnet operator leverages compromised devices to build out a capability, and then monetises that capability.

Using this “service” model any motivated individual or group – motivations ranging from a personal grudge through ideological hacktivism to extortion – now has access to a DDoS attack capability, with no barrier to entry.

Dealing with DDoS threats today

Despite 20 years of headlines, many businesses today are still under-invested and ill-prepared to combat modern DDoS attacks. Some believe they will not be targeted, even as they experience DDoS-induced outages that are wrongly attributed to equipment failures or operational error. Others are reliant on infrastructure devices, such as firewalls and intrusion prevention systems, or a single layer of protection from their ISP or content-delivery network. In each case, these businesses are only partially protected. DDoS protection should be seen as an insurance product; everyone is at risk.

The key to stopping DDoS attacks is preparation. Understanding the impact an attack would have is key, as this allows us to quantify one aspect of our risk. Understanding the threat and how it is evolving is also important. Planning is also essential, both in terms of process and in terms of putting the right layered DDoS defenses in place. DDoS is a well-understood threat, and it can be successfully defended against – but only if we are prepared.

Contributed by Darren Anstee, chief technology officer, Arbor Networks

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.