New research shows the average size of a distributed denial-of-service attack continued to grow last quarter as more attackers targeted the Simple Service Discovery Protocol (SSDP), and generally, more enterprises can be expected to be targeted by DDoS attacks.
For its third quarter Distributed Denial of Service Trends Report, DDoS mitigation services provider Verisign Inc., which is based in Reston, Virginia, collected data from enterprise customers that the company helped fend off DDoS attacks. Verisign found the number of DDoS attacks that exceeded 10 Gigabits per second (Gbps) in bandwidth grew by 38% from Q2 to Q3, and accounted for just over one-fifth of all such attacks the company monitored.
Surprisingly, the overall average DDoS attack size fell from 12.42 Gbps in Q2 of 2014 to 6.46 Gbps in Q3, according to the report. However, Verisign Senior Vice President and CSO Danny McPherson said the unusually high average in Q2 was largely due to a single UDP flood DDoS attack that exceeded 300 Gbps in bandwidth. In comparison, the largest attack Verisign witnessed in Q3 reached 90 Gbps in bandwidth. With the outlier eliminated from the stats, the Q2 average fell to 4.60 Gbps, meaning average attack sizes grew by 40% quarter-over-quarter and have increased for five straight quarters.
Apart from size, Verisign also observed that last quarter, DDoS attack targets were being hit more frequently than ever. On average, a typical target faced 3.33 DDoS attacks during the quarter, according to the report, a figure that is up significantly from the average of two in the previous quarters this year.
Research released last week by antivirus vendor Kaspersky Lab, based in Moscow, also showed just how many companies may be targeted by DDoS attacks. Based on a survey of 3,900 enterprise respondents from 27 countries, most of which were large to mid-size organizations, Kaspersky found that 18% of all businesses experienced a DDoS attack in from April 2013 to May 2014.
DDoS attacks become even more likely depending on specific industries and regions, according to Kaspersky. For instance, 38% of businesses that operate public-facing online services or that provide financial services were attacked. Companies operating in China also faced a disproportionate number of DDoS attacks in the same time frame, with 34% of such companies being targeted.
SSDP: The new protocol on the DDoS block
As for what has been driving the growth of high-volume DDoS attacks, McPherson said there have been two overarching factors. The first is that attackers no longer rely on bots consisting largely of home systems with lower upload speeds for their DDoS attacks, as Web services with larger Internet pipelines have become relatively easy to compromise.
The other factor, McPherson noted, is that attackers have increasingly found a string of low-profile Internet protocols with large amplification factors that make them perfect for DDoS scenarios. Earlier this year, attackers utilized the Network Time Protocol (NTP) – which can be amplified by a factor of more than 700 – to launch a DDoS attack that nearly hit 400 Gbps in bandwidth, one of the largest ever monitored. The Domain Name System (DNS) has long been a popular target for DDoS attacks for the same reason.
In Q3, Verisign uncovered the first attacks utilizing SSDP, a protocol used for the discovery of network services and the basis of Universal Plug-and-Play. Approximately 40% of the DDoS attacks Verisign helped mitigate in the quarter utilized SSDP, according to McPherson, who noted that the protocol's amplification factor of 30 makes it ripe for abuse and has been a driving factor in the high-volume DDoS attacks Verisign's customers have faced recently. Though an SSDP DDoS attack may not reach quite the size of those stemming from NTP or DNS, Verisign found that such attacks were still capable of hitting nearly 15 Gbps in bandwidth.
In an October presentation, DDoS mitigation provider Arbor Networks Inc., based in Burlington, Mass., also unveiled evidence that SSDP DDoS attacks are becoming more prevalent. Arbor researchers monitored nearly 30,000 SSDP DDoS attacks in Q3, with such attacks accounting for 9% of the total DDoS attacks witnessed in September and 42% of attacks that exceeded 10 Gbps in bandwidth for the month. As a result, Arbor saw an uptick in DDoS attacks larger than 1 Gbps in the latest quarter.
McPherson speculated that the initial interest in SSDP from attackers may have stemmed from the February release of "Amplification Hell: Revisiting Network Protocols for DDoS Abuse," a research paper by security researcher Christian Rossow that identified SSDP as a likely DDoS target due to its amplification factor. Still, attackers were likely to move to the protocol regardless, McPherson said, as it is both similar to other previous targets like NTP and is enabled on more than 15 million Internet-connected devices.
For organizations concerned about unknowingly participating in SSDP and similar DDoS attacks, McPherson said most of these protocols aren't actually necessary in an enterprise environment anyway, making the answer in most situations simple.
"Most people don't even know SSDP is enabled in their environment, and they're probably not even using it," said McPherson. "If you're not using a protocol or application or service, the best thing for you to do is turn it off."
"The second best thing is to make sure that at the perimeter, only protocols that you know users should have connectivity to are allowed," McPherson added. "It's just a matter of good hygiene to do that from a security perspective anyway."
Resident platform and application security expert Michael Cobb discusses the realities of DDoS attack prevention in this SearchSecurity podcast.