Average DDoS attack consumes 925 per cent more bandwidth than in 2012: Prolexic

Distributed denial of service (DDoS) attacks are rapidly becoming more ferocious than ever, with average DDoS bandwidth reaching 49.24Gbps and 47.4 million packets per second (pps) in the second quarter of this year, new figures suggest.

The latest Quarterly Global DDoS Attack Report, from DDoS-fighting security firm Prolexic, found that DDoS attacks had become more frequent and intense by nearly every measure.

For example, the second quarter saw a 20 per cent increase in the total number of DDoS attacks compared with the previous quarter, with a 28 per cent increase in the number of application (layer 7) attacks and a 10 per cent increase in average attack duration, from 34.5 hours to 38 hours.

Those figures were up substantially over the same quarter in 2012, with a 79 per cent increase in layer 7 attacks, 123 per cent increase in attack duration, and 1655 per cent increase in average pps rate.

“We believe this growth is being fuelled by the increasing prevalence of compromised Joomla and WordPress web servers in increasingly large botnets,” said Prolexic president Stuart Scholly in a statement, noting that the overall volumes and detection rates were up because botnet operators don’t have to try so hard these days.

“Traditionally, botnets have been built from compromised clients,” he explained. “This requires malware distribution via PCs and virus infections, and takes considerable time and effort. Consequently, attackers wanted to protect their client-based botnets and were more fearful of detection, so we saw shorter attack durations.”

Now that it’s so easy to bring up large numbers of infected systems, there’s no need to be careful, Scholly said. “Attack durations are likely increasing because perpetrators are less concerned about detection and protecting their botnets,” he added. “The widespread availability of compromised Web servers makes it much easier for malicious actors to replenish, grow and re-deploy botnets.”

SYN floods accounted for nearly a third of all attacks managed by the Prolexic Security Engineering & Response Team (PLXsert), which monitors DDoS attacks around the world and produces the quarterly reports based on its operational data.

DDoS attacks directed at Layer 3 and Layer 4 infrastructure represented 74.7 per cent of all attacks, with Layer 7 attacks making up the difference. Fully 21.58 per cent of Layer 7 attacks came as HTTP GET floods, thanks in part to the use of commercial DDoS kits like Optima Darkness and Black Energy.

April, with 39.7 per cent of attacks recorded during the quarter, was the busiest of the three months, followed by May (31.6 per cent) and June (28.7 per cent) – a weighting that Prolexic attributes to a rash of attacks against financial services targets, and the use of the itsoknoproblembro toolkit.

China (39.08 per cent of attacks), Mexico (27.32 per cent), Russia (7.58 per cent), Korea (7.29 per cent) and France (6.50 per cent) topped the leader board in terms of DDoS source countries; Prolexic noted the “dramatic” entrance of Mexico as a lead indicator of similar potential increases in other Latin American countries with similar use rates and growing populations.

“Countries that have extensive network infrastructures are typically more susceptible to being selected as targets by malicious groups who seek the unauthorized use and abuse of those network resources,” the report’s authors wrote.

“PLXsert researchers have also observed that malicious actors seek hosting providers that are slow to respond to malware-cleanup requests, as well as those perceived as out-of-reach of international law enforcement authorities.”
