DDoSsers use reflection amplification to crank up the volume to 100Gbps+

Ne'er-do-wells: 'Hey.' Dumb servers: 'WHAT?' Targets: 'AAARGH'

DDoS attacks have grown in volume yet again with 25 attacks larger than 100Gbps globally in Q1 2015, according to the latest stats from DDoS mitigation firm Arbor Networks.

The majority of recent super-sized attacks leverage a reflection amplification technique using Network Time Protocol (NTP), Simple Service Discovery Protocol (SSDP) and DNS servers. SSDP reflection amplification attacks are becoming particularly fashionable – rising to 126,000 in Q1 2015 from 83,000 in Q4 last year and just three in Q1 2014. The largest attack peaked at 138Gbps.

Reflection amplification is a technique that allows an attacker to both magnify the amount of traffic they can generate and hide its source. The tactic relies on the many poorly configured and poorly protected devices on the Internet providing UDP services. Sending a dodgy request with the spoofed address of the intended target generates a response, much bigger in size than the original request, that's pushed towards the target web site, drowning out legitimate requests.

Such shenanigans are possible because many service providers still do not implement filters at the edge of their network to block traffic with a ‘forged’ (spoofed) source IP address.
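What that reflected traffic looks like from the target's side, as an added example that is not part of the original article: a Python sketch that scans flow records for heavy UDP traffic arriving from many hosts on the source ports of the three services named above. The record layout, the sample flows and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# UDP services the article names as reflectors, keyed by well-known source port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}

# Constructed sample flow records (not real traffic). Assumed field layout:
# (src_ip, src_port, dst_ip, protocol, bytes), all seen in one 10-second window.
WINDOW_SECONDS = 10
SAMPLE_FLOWS = [
    ("198.51.100.%d" % i, 1900, "203.0.113.10", "udp", 450_000) for i in range(1, 41)
] + [
    ("192.0.2.7", 123, "203.0.113.10", "udp", 90_000),      # a little NTP, below threshold
    ("192.0.2.53", 53, "203.0.113.20", "udp", 4_000),       # ordinary DNS answer
    ("192.0.2.80", 443, "203.0.113.20", "tcp", 2_000_000),  # not UDP, ignored
]

def find_reflection_floods(flows, window_seconds, min_bps=10_000_000, min_sources=20):
    """Flag destinations receiving heavy UDP traffic from many distinct hosts
    whose source port is a known reflector service. The thresholds are
    illustrative assumptions and need tuning to the monitored link."""
    byte_totals = defaultdict(int)
    sources = defaultdict(set)
    for src_ip, src_port, dst_ip, proto, nbytes in flows:
        service = REFLECTOR_PORTS.get(src_port)
        if proto != "udp" or service is None:
            continue
        key = (dst_ip, service)
        byte_totals[key] += nbytes
        sources[key].add(src_ip)

    alerts = []
    for (dst_ip, service), total in byte_totals.items():
        bps = total * 8 / window_seconds
        reflectors = len(sources[(dst_ip, service)])
        # Both conditions: high volume AND many senders (one busy resolver is not a flood).
        if bps >= min_bps and reflectors >= min_sources:
            alerts.append({"target": dst_ip, "service": service,
                           "bps": bps, "reflectors": reflectors})
    return sorted(alerts, key=lambda a: a["bps"], reverse=True)

if __name__ == "__main__":
    for alert in find_reflection_floods(SAMPLE_FLOWS, WINDOW_SECONDS):
        print(alert)
```

Large reflected responses are often IP-fragmented, and non-initial fragments carry no UDP header, so a port-based match like this one undercounts them.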

The largest peak attack-of-any-type size record has already been broken in 2015 with a 334Gbps attack in India, leapfrogging the previous high of 325Gbps. The US was targeted more than any other single country, bearing the brunt of around one in six (16 per cent) of attacks.

Attacks in general are becoming shorter while packing an even heavier punch: the majority (approximately 90 percent) of attacks last less than one hour.

“Attacks that are significantly above the 200Gbps level can be extremely dangerous for network operators and can cause collateral damage across service provider, cloud hosting and enterprise networks,” said Darren Anstee, a lead techie at Arbor Networks. “Not only have volumetric attacks grown significantly in size and frequency over the past 18 months, application-layer attackers are also still pervasive.”

Arbor Networks' stats are sourced from its ATLAS threat intelligence infrastructure, which monitors around one-third of all internet traffic from 330 customers, mostly telcos and ISPs. ®
