Amplified DDoS Attacks Broke Bandwidth Records in 2013: Arbor Report

Last year the largest distributed denial-of-service attack tripled the previous record for bandwidth and cut off one-third of data centers at some point during the year, according to Arbor Networks' annual security report.

The largest distributed denial-of-service attacks jumped in size in 2013, with the most intense topping 300G bps, triple the bandwidth of the previous largest attack, according to a report published by Arbor Networks on Jan. 28.

The dramatic increase in bandwidth was caused by attackers' adoption of reflection techniques, which use vulnerable servers to turn relatively small data packets into much larger digital floods that are focused on a particular victim's network, Gary Sockrider, solutions architect for the Americas at security firm Arbor Network, told eWEEK.

The most common form of a reflection attack, also known as an amplification attack, is to send a request to a vulnerable domain name service (DNS) server with a spoofed source address. The result is attacks ranging in size from tens of gigabits per second to hundreds of gigabits per second, which amounts to an attack on the Internet infrastructure, he said.

"The only people that have pipes that big are the carriers themselves, and therefore these are attacks on their infrastructure," Sockrider said.

The end of 2013 saw attackers using another type of reflection to amplify their denial-of-service attacks. Rather than use the DNS protocol, attackers used a service in older versions of the network time protocol, or NTP. Such attacks temporarily caused disruption on a number of online computer game networks.

Yet NTP packets are typically easy to block, while DNS traffic requires a more thoughtful response, Sockrider said.

"DNS is an absolutely critical infrastructure for the Internet, and it's vulnerable to being used in reflection attacks, and there are 27 million open resolvers (vulnerable DNS servers) out there," he said. "When I add all those pieces up, I think it's the No. 1 concern."

Not only did the volume of the largest attacks increase dramatically, but the rate at which companies were targeted increased as well. In 2013, the number of attacks exceeding 20G bps increased by a factor of 8, compared to the previous year, according to Arbor's data.

Attackers did not just rely on swamping Internet-connected servers and networks with large volumes of data—so-called "volumetric attacks." They also used application-layer attacks to bring down services by specifically targeting Web servers, databases and routers with requests that taxed processors and memory, slowing down the device and applications to a standstill. These application-layer attacks also increased in 2013, but not at the same frenetic pace as volumetric attacks, Sockrider said.

Almost one-quarter of all attacks attempted to create a denial-of-service condition by targeting applications, according to Arbor's report. Most of the attacks—54 percent--used encrypted HTTP as a way to get past firewalls and intrusion detection systems, up from 37 percent in 2012 and 24 percent in 2011.

"Using HTTPS is primarily for obfuscation, to get past traditional security appliances," Sockrider said.

Political and ideological hacktivism topped attackers' reasons for targeting specific victims. About 40 percent of attackers claimed an attack was for a political or ideological purpose, while one-third of attacks were related to online gaming.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...