Details on DDoS trends can vary, depending on the reporting source.
Distributed denial-of-service (DDoS) attacks remain unpredictable and dangerous for enterprises, but actual details on how the threat is evolving can differ substantially by the reporting source.
Two reports released this week, one by Verisign and the other from Nexusguard, are good examples. Both vendors reported a general increase in multivector attacks and an overall decrease in the number of DDoS attacks in the fourth quarter of 2017 compared to the prior quarter but differed on the details based on data gathered from their customer engagements.
Nexusguard reported a 12% decrease in DDoS attacks between the fourth quarter of 2016 and the same quarter in 2017, and a more than 16% drop in attacks between the third and fourth quarters last year. Verisign pegged the decrease in DDoS attacks during the same period at a somewhat higher 25% and said the number of attacks has continued to decrease from quarter to quarter.
Nexusguard says multivector, blended threats represented some 56% of recorded attacks last quarter, while single-vector attacks accounted for just over 43%. Two-vector attacks, such as those combining UDP and DNS, accounted for nearly 33% of all multivector attacks, while three-vector attacks accounted for about 15%, according to Nexusguard.
Verisign, meanwhile, says a massive 82% of the DDoS attacks it mitigated in the fourth quarter of last year employed multiple attack types. While Nexusguard had two-vector attacks as the most common multivector attack type, Verisign says 46% of multivector attacks it encountered involved five or more attack types.
The largest DDoS attack that Verisign dealt with last quarter topped out at 53 Gbps, while Nexusguard said the largest one it encountered weighed in at over 231 Gbps. Both vendors had roughly the same estimates for average peak attack sizes, with a substantial proportion falling under 10 Gbps. Verisign, however, noted a 32% year-over-year decrease in average attack peak size.
For Nexusguard, one key takeaway from its observations last quarter was the sharp increase in amplification attacks involving DNSSEC-enabled servers. Nexusguard says the number of DNS reflection attacks in the fourth quarter of 2017 soared nearly 110% over the preceding quarter, while DDoS attacks using DNS amplification increased nearly 358% compared with the fourth quarter of 2016.
The decrease in DDoS attacks during the fourth quarter of 2017 that both Verisign and Nexusguard reported is somewhat at odds with reports from other vendors. Martin McKeay, global security advocate and lead author of Akamai’s recently released State of the Internet Security Report, for instance, says DDoS attack volumes have only increased over the past few years.
“Akamai saw an almost identical number of attacks in Q4 2017 vs. Q3 2017, though the number of attacks had grown by 14% since the same time in 2016,” he says. “From what we’ve seen, the number of attacks has been relatively steady quarter over quarter recently, and has grown significantly year over year for as long as we’ve been tracking the count of attacks.”
The same is true of attack sizes, he says. “While we’d seen a general downward trend throughout 2016 in the median size of attacks from slightly over 1 Gbps, that trend changed in the second half of the year, to climb back to a median attack size of 750 Mbps,” he says.
Similarly, Akamai has not seen a significant increase in attacks involving DNS- and DNSSEC-enabled domains. McKeay says DNS and DNSSEC have been a component of approximately 25% of the attacks Akamai has seen for several years.
Ashley Stephenson, CEO of Corero, has similar views on DDoS trends and says he hasn’t seen anything to suggest a recent decline in the number of attacks. Like McKeay, Stephenson says Corero hasn’t observed the sharp increase in DNSSEC amplification attacks that Nexusguard reported, though he agrees that multivector attacks have become more common.
The differences in reports, according to Stephenson, have a lot to do with how and where the data is captured and even with how different organizations define DDoS attacks. For an organization in the online gaming industry, for instance, traffic of something in the 500 Mbps to 1 Gbps range could be enough to constitute a DDoS attack. “An attack of that size is not going to be significant to a large financial institution or a bank that has a large data center,” and probably wouldn’t be counted as a DDoS attack.
Average attack size can also often be misleading, says McKeay. In many cases, one or two large attacks can easily throw reporting out of balance, which is why it is better to track median attack size instead, he says. “Large attacks, or a lack of, can easily skew an average attack-size metric, making the number unreliable.”
Where the attack is measured can make a big difference as well. Attacks that are measured close to the source will be substantially larger than attacks that are measured close to the destination or target — sometimes by a 10-to-1 factor, Stephenson says.
A content delivery network, for instance, might measure the source of an attack, but the reality is that a lot of the traffic at the source will never get to the destination, he says. Similarly, a service provider might report on DDoS traffic from somewhere in the middle, away from the source and the destination, and the numbers they observe will be different from the numbers at the destination. So, while you might have terabits of data at the origin, what comes out at the other end of the funnel can be much smaller, Stephenson says.
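The three reporting choices discussed above (what size threshold counts as an attack, mean versus median peak size, and whether traffic is measured near the source or near the target) can be shown on one constructed data set. This is an added illustration, not code or data from any of the vendors named in the article; the peak sizes and the 10-to-1 attenuation factor are assumptions chosen to mirror the figures the article quotes.

```python
from statistics import mean, median

# Constructed sample: peak sizes (Gbps) of attacks seen near the source in two
# consecutive quarters. Both quarters share the same twelve ordinary attacks;
# the only difference is one large event (20 Gbps vs. a 231 Gbps outlier).
BASE_PEAKS_GBPS = [0.4, 0.6, 0.8, 1.2, 1.8, 2.5, 3.0, 4.8, 7.5, 9.0, 12.0, 53.0]
Q3_PEAKS_GBPS = BASE_PEAKS_GBPS + [20.0]   # constructed, no outlier
Q4_PEAKS_GBPS = BASE_PEAKS_GBPS + [231.0]  # constructed, one outlier


def count_attacks(peaks, threshold_gbps):
    """Number of events that count as a DDoS attack under a size threshold.

    A gaming company might use 0.5 Gbps; a bank with a large data center
    would ignore anything that small, so its count for the same events is lower.
    """
    return sum(1 for p in peaks if p >= threshold_gbps)


def summarize(peaks):
    """Mean, median and share of attacks under 10 Gbps for one quarter.

    The mean moves with a single outlier; the median does not, which is why
    the median is the more robust quarter-over-quarter comparison.
    """
    return {
        "mean": round(mean(peaks), 2),
        "median": round(median(peaks), 2),
        "share_under_10": round(sum(1 for p in peaks if p < 10) / len(peaks), 2),
    }


def at_destination(peaks, attenuation=10.0):
    """Same attacks as seen near the target, assuming a fixed attenuation.

    The 10-to-1 factor is an assumption taken from the article's description
    of source-side versus destination-side measurements.
    """
    return [p / attenuation for p in peaks]


if __name__ == "__main__":
    for name, peaks in (("Q3", Q3_PEAKS_GBPS), ("Q4", Q4_PEAKS_GBPS)):
        print(name, "source:", summarize(peaks),
              "| count @0.5 Gbps:", count_attacks(peaks, 0.5),
              "| count @1 Gbps:", count_attacks(peaks, 1.0))
        print(name, "destination:", summarize(at_destination(peaks)))
```

Running it shows the mean jumping from roughly 9 Gbps to 25 Gbps between the two quarters while the median stays at 3 Gbps, the attack count dropping from 12 to 10 just by raising the threshold, and the 231 Gbps source-side outlier shrinking to about 23 Gbps at the destination.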
“Ultimately, if you are an enterprise you have to be most concerned about what impacts you,” Stephenson says.