In some cases, standard infection methods were sidelined in favor of reflection attacks, a subcategory of denial of service called distributed reflection denial of service (DrDoS). Malicious parties are able to generate more damaging campaigns by using reflection. As a result, those behind many of the first quarter’s most powerful DDoS attacks – including the #1 hit – used reflection rather than standard botnet infection tactics.
DrDoS involves sending spoofed requests to vulnerable servers around the world, which in turn send an amplified response back to the spoofed source, easily knocking it offline or even saturating upstream carrier networks. This increasingly popular reflection tactic takes advantage of weaknesses in Internet protocols to inflict profoundly devastating damage.
Three protocols that have been widely used for these types of attacks are Domain Name System (DNS), Character Generator (CHARGEN), and Network Time Protocol (NTP). All three are carried over the User Datagram Protocol (UDP), whose connectionless design makes it easy to trick servers into responding to the victim rather than to the attacker who originated the malicious requests.
Amplification attacks are gaining traction because they boost the strength of an attack: data can be delivered to a target at high volume, with an amplification factor as high as 400x, while the device or devices used in the effort need not generate the same amount of traffic. This means that an attacker with 100 Mbps of bandwidth could generate an attack as large as 40 Gbps.
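As an added illustration of the reflection pattern described above (example code written for this page, not part of the Black Lotus report), the following Python flags inbound UDP flows whose source port belongs to one of the three reflector services named here, keeps only flows carrying large amplified responses, and reports the per-victim bit and packet rate against a provisioned mitigation capacity. The flow record format, thresholds and sample addresses are constructed assumptions.

```python
# Added example (not Black Lotus code): flag probable UDP reflection (DrDoS)
# traffic in flow records and estimate its rate. Flow format, thresholds
# and sample data are assumptions for illustration.
from collections import defaultdict

# Source ports of the services the report names as common reflectors.
REFLECTOR_PORTS = {53: "DNS", 19: "CHARGEN", 123: "NTP"}

# Constructed sample flows exported over a 10-second window:
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes). Documentation ranges only.
SAMPLE_FLOWS = [
    ("203.0.113.10", 123, "198.51.100.5", 40123, "udp", 2_000_000, 960_000_000),
    ("203.0.113.11", 123, "198.51.100.5", 40123, "udp", 2_000_000, 960_000_000),
    ("203.0.113.12", 123, "198.51.100.5", 40123, "udp", 2_000_000, 960_000_000),
    ("203.0.113.20", 53, "198.51.100.5", 40123, "udp", 500_000, 1_500_000_000),
    ("192.0.2.7", 443, "198.51.100.5", 51000, "tcp", 300, 120_000),  # ordinary HTTPS
    ("203.0.113.30", 123, "198.51.100.9", 123, "udp", 4, 360),       # legitimate NTP sync
]

def detect_reflection(flows, window_s, min_bytes_per_pkt=200, min_reflectors=2):
    """Group inbound UDP flows whose *source* port is a reflector service,
    keep those with large packets (amplified responses rather than the small
    replies of a normal exchange), and report per-victim totals."""
    per_victim = defaultdict(lambda: {"srcs": set(), "bytes": 0, "pkts": 0, "svc": set()})
    for src, sport, dst, dport, proto, pkts, nbytes in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS or pkts == 0:
            continue
        if nbytes / pkts < min_bytes_per_pkt:
            continue  # small replies: normal client/server traffic
        v = per_victim[dst]
        v["srcs"].add(src)
        v["bytes"] += nbytes
        v["pkts"] += pkts
        v["svc"].add(REFLECTOR_PORTS[sport])
    report = {}
    for dst, v in per_victim.items():
        if len(v["srcs"]) < min_reflectors:
            continue  # one large-packet source alone is not a reflection pattern
        report[dst] = {
            "reflectors": len(v["srcs"]),
            "services": sorted(v["svc"]),
            "gbps": round(v["bytes"] * 8 / window_s / 1e9, 4),
            "mpps": round(v["pkts"] / window_s / 1e6, 4),
        }
    return report

def exceeds_capacity(report, provisioned_gbps):
    """Victims whose reflection traffic exceeds the defended capacity
    (the report recommends provisioning at least 5 Gbps)."""
    return [dst for dst, r in report.items() if r["gbps"] > provisioned_gbps]
```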
Amplification and reflection techniques themselves had an average bandwidth increase of 39% vs. Q4 2013. The first quarter also logged the highest volume DDoS incident ever.
Core projections and statistics from our first quarter threat report
As stated above, the findings of our Q1 2014 Threat Report – along with the projections for the near future based on the report’s findings – present a similarly challenging DDoS landscape for the Internet community. Exploits of the NTP protocol that became widespread in the first two months of the year have been thwarted by a broad and coordinated security response. However, we project that within the next 12 to 18 months, reflection attacks will become increasingly massive, with DrDoS threats potentially exceeding 800 Gbps in volume.
Within the first three months of 2014, the Black Lotus network mitigated the highest volume attack that has ever been perpetrated. That attack crescendoed on February 10, measuring 421 Gbps and 122 Mpps (millions of packets per second) at its height. The bit volume from the previous day, February 9, was similarly grandiose but did not quite match the massive scale of February 10.
Although these huge attacks will remain a significant concern simply because of their scope, they are many times larger than the typical DDoS assault. Our analysis found that the average bit volume and packet volume for the first quarter were 2.7 Gbps and 1.8 Mpps, respectively.
By comparison, the largest DrDoS attack observed in Q1 2014 was 156 times larger than that average, a figure derived from a sizable sample pool: 462,621 attacks, equivalent to 5140 attacks per day, 214 per hour, or 4 per minute.
Attacks of less than 3 Gbps might appear unintimidating to large enterprises; however, organizations that have smaller networks and/or may not have the capital to overprovision are often threatened by assaults of that scope.
The size of the average attack is similar to what our network experienced during the last quarter of 2013. Based on the 6-month period as a whole, the data suggests that a company’s DDoS mitigation protections should be established at a bare minimum of 5 Gbps.
Many service providers defend their networks up to 10 Gbps. As we know from this quarter, that level will protect against attacks of the average size but not against the many high-octane barrages that networks are experiencing more commonly worldwide.
The attacks on February 9 and 10 – with the latter achieving the strongest bit level as mentioned above – targeted a weakness in NTP daemons, as addressed by Black Lotus in our January 8 Threat Advisory. So that Black Lotus customers would be safeguarded against this form of attack, NTP defenses were implemented for all clients, regardless of subscription level.
As Vann Abernethy mentions in a piece for Wired, security organizations have estimated that there have been as many as 400,000 NTP servers that are susceptible to exploitation in the commission of DrDoS attacks. As many as 1000 of those servers could amplify data as much as 700 times, an amplification factor many times greater than the domain name system (DNS) DrDoS which targeted anti-spam organization Spamhaus.
The changing landscape
NTP reflection attacks have received significant attention during the first quarter because the bit volume was so massive. However, the majority of severe attacks – primarily HTTP GET and SYN floods – targeted servers and applications. In other words, traditional, tried-and-true methods are still incredibly popular, despite the new threat of NTP amplification. For further analysis, see our Q1 2014 Threat Report.
By Kent Roberts