Arbor Networks’ ATLAS Data Shows the Average DDoS Attack Size Increasing


Arbor Networks LogoArbor Networks Inc. , a leading provider of DDoS and advanced threat protection solutions for enterprise and service provider networks, has released Q2, 2015 global DDoS attack data that shows strong growth in the average size of DDoS attacks, from both a bits-per-second and packets-per-second perspective.

The largest attack monitored in Q2 was a 196GB/sec UDP flood, a large, but no longer uncommon attack size. Of most concern to enterprise networks is the growth in the average attack size. In Q2, 21% of all attacks topped 1GB/sec, while the most growth was seen in the 2-10GB/sec range.  However, there was also a significant spike in the number of attacks in the 50 – 100GB/sec range in June, mainly SYN Floods targeting destinations in the US and Canada.

“Extremely large attacks grab the headlines, but it is the increasing size of the average DDoS attack that is causing headaches for enterprise around the world,” said Arbor Networks Chief Security Technologist Darren Anstee. “Companies need to clearly define their business risk when it comes to DDoS. With average attacks capable of congesting the Internet connectivity of many businesses it is essential that the risks and costs of an attack are understood, and appropriate plans, services and solutions put in place. ”

Active Threat Level Analysis System (ATLAS®)

Arbor’s data is gathered through ATLAS, a collaborative partnership with more than 330 service provider customers who share anonymous traffic data with Arbor in order to deliver a comprehensive, aggregated view of global traffic and threats. ATLAS collects 120TB/sec of Internet traffic and is the source of data for the Digital Attack Map, a visualization of global DDoS attacks created in collaboration with Google Ideas.

Reflection Amplification Attacks

Reflection amplification is a technique that allows an attacker to both magnify the amount of traffic they can generate, and obfuscate the original sources of that attack traffic. This technique relies on two unfortunate realities: firstly, many service providers still do not implement filters at the edge of their network to block traffic with a ‘forged’ (spoofed) source IP address; secondly, there are plenty of poorly configured and poorly protected devices on the Internet providing UDP services that offer an amplification factor between a query sent to them and the response which is generated. The majority of very large volumetric attacks leverage a reflection amplification technique using the Network Time Protocol (NTP), Simple Service Discovery Protocol (SSDP) and DNS servers, with large numbers of significant attacks being detected all around the world.

  • In Australia the average attack size in Q2 2015 was 1.83Gbps/501.78Kpps up from 1.25Gbps/345.94Kpps in Q1 2015
  • In Australia 28% of attacks larger than 2 Gbps
  • Australia has higher proportion of attacks of more than 1Gbps compared to the rest of APAC – In Q2 2015 for Australia was 45% and APAC 17%
  • SSDP tops the list of Reflection attacks in Q2 2015 in Australia with 48%
  • In Australia the average attack size  in Q2 was two times larger than the APAC average
  • In April 2015, Australia has the largest attack across APAC for Q2
  • Most attacks in Australia were short-lived, approximately 97% were less than one hour in Q2
  • Average attack duration in Q2 in Australia was 23 min 46 sec
  • Proportion of attacks lasting longer than 12 hours was  less than 0.1% in Q2 in Australia
  • The largest reflection attack globally was 42 Gbps (NTP reflection attack) target at port 80 The average attack sizes for DNS, NTP, SSDP and Chargen reflection amplification attacks all increased in Q2 2015 
  • Globally 50% of reflection attacks in Q2 targeted UDP port 80 (HTTP/U) – Port 80 is also the leading target for attacks in Australia, but only 27% of attacks targeted it.

About Arbor Networks
Arbor Networks, Inc. helps secure the world’s largest enterprise and service provider networks from DDoS attacks and advanced threats. Arbor is the world’s leading provider of DDoS protection in the enterprise, carrier and mobile market segments, according to Infonetics Research. Arbor’s advanced threat solutions deliver complete network visibility through a combination of packet capture and NetFlow technology, enabling the rapid detection and mitigation of malware and malicious insiders. Arbor also delivers market-leading analytics for dynamic incident response, historical analysis, visualisation and forensics. Arbor strives to be a “force multiplier,” making network and security teams the experts. Our goal is to provide a richer picture into networks and more security context – so customers can solve problems faster and reduce the risk to their business.

To learn more about Arbor products and services, please visit our website at Arbor’s research, analysis and insight, together with data from the ATLAS global threat intelligence system, can be found at the ATLAS Threat Portal.


Comments are closed.

Visit Us On TwitterVisit Us On FacebookVisit Us On LinkedinVisit Us On Youtube