1930 Harrison St., Suite 403
Hollywood, Florida, US
Michael E. Donner
+1 (954) 620-6017
Average Attack Bandwidth up 718 percent
Average Packet-Per-Second Rate Reaches 32.4 Million According to Prolexic's Q1 2013 DDoS Report
Giant attacks overwhelming appliances, ISPs, carriers, content delivery networks
"Average packet-per-second rate and average bit rate spiked in the first quarter and both are growing at a fast clip," said Stuart Scholly, president at Prolexic. "When you have average - not peak - rates in excess of 45 Gbps and 30 million packets-per-second, even the largest enterprises, carriers, and quite frankly most mitigation providers, are going to face significant challenges."
Early last year, a different type of DDoS attacker emerged: one with considerable botnet resources, but also an intimate understanding of how the Internet routing topology works. As a result, Prolexic detected a clear shift to high packet-per-second DDoS attacks specifically designed to overwhelm infrastructure elements such as routers. Failure of these devices often causes collateral damage, typically taking thousands of customer websites offline.
"It's a classic change up," said Scholly. "Nearly everyone has been focused on bandwidth and gigabits per second, but it's the packet rate that's causing the most damage and presenting the biggest challenge. These packet rates are above the thresholds of all but the most expensive routers and line cards and we are seeing networks buckle as a result."
Highlights from Prolexic's Q1 2013 Global DDoS Attack Report
Compared to Q4 2012
- Average attack bandwidth up 718 percent from 5.9 Gbps to 48.25 Gbps
- Average attack duration increases 7.14 percent from 32.2 hours to 34.5 hours
- Total number of infrastructure attacks rises 3.65 percent; total number of application attacks falls 3.85 percent
- 1.75 percent increase in total number of DDoS attacks
Compared to Q1 2012
- Average attack bandwidth up 691 percent from 6.1 Gbps to 48.25 Gbps
- 21 percent increase in average attack duration from 28.5 hours to 34.5 hours
- Total number of infrastructure attacks up 26.75 percent; total number of application attacks up 8 percent
- 21.75 percent rise in total number of attacks
Analysis and emerging trends
During Q1 2013, more than 10 percent of DDoS attacks against Prolexic's global client base averaged more than 60 Gbps. The largest attack mitigated in the quarter peaked at 130 Gbps, occurring in March against an enterprise customer. In response to these huge attacks, more carriers and ISPs are being forced to null route (black hole) traffic to protect their networks.
Attack volume also grew in Q1 2013 and reached the highest number of attacks Prolexic has logged for one quarter. However, the percentage increase over the previous quarter was nominal. Attack volume has been especially high during the last six months, reflecting a general trend of heightened global DDoS activity and risk of attack.
As in recent quarters, Layer 3 and Layer 4 infrastructure attacks were the favored attack type, accounting for 76.54 percent of total attacks during the quarter, with Layer 7 application layer attacks making up the remaining 23.46 percent. This approximately 3:1 split remains unchanged. This quarter, SYN (25.83 percent), GET (19.33 percent), UDP (16.32 percent) and ICMP (15.53 percent) floods were the attack types most often encountered during mitigation.
Average attack duration continued to rise, from 32.2 hours the previous quarter to 34.5 hours in Q1, an increase of 7.14 percent. March was the most active month for attacks, accounting for 44 percent of the quarter's attacks. The week of March 19 was the most active of the quarter. The last two weeks of the quarter were the most active and showed the largest percentage increase compared to Q1 2012 (306 and 154 percent respectively).
As is commonplace, the top 10 list of source countries responsible for launching the most DDoS attacks was fluid with the exception of China. Once again, China secured the top place in attack source country rankings, joined by the United States, Germany, and for the first time, Iran.
"Because Prolexic operates an 800 Gbps cloud-based, upstream network and typically intercepts traffic long before it hits carriers and saturates their networks, it is one of the few companies in the world that can handle this level of attack traffic," said Scholly. "Prolexic gained a significant number of new clients in Q1 as more and more providers that offer DDoS as an add-on service failed to cope with these enormous attacks."
Data for the Q1 2013 report has been gathered and analyzed by the Prolexic Security Engineering & Response Team (PLXsert). The group monitors malicious cyber threats globally and analyzes DDoS attacks using proprietary techniques and equipment. Through digital forensics and post-attack analysis, PLXsert is able to build a global view of DDoS attacks, which is shared with Prolexic customers. By identifying the sources and associated attributes of individual attacks, the PLXsert team helps organizations adopt best practices and make more informed, proactive decisions about DDoS threats.
A complimentary copy of the Prolexic Q1 2013 Global DDoS Attack Report is available as a free PDF download from www.prolexic.com/attackreports. Prolexic's Q2 2013 report will be released in the third quarter of 2013.