DDoS Attackers, Network Defense Firms Record Banner Year

A quarterly analysis of distributed denial-of-service (DDoS) attacks finds that the incidents have increased in number, volume and duration.

In the last quarter of 2012, distributed denial-of-service (DDoS) attacks increased in quantity, bandwidth and duration, with seven attacks topping bandwidths of 50G bps, Internet protection firm Prolexic stated in a report released on Jan. 17.

Much of the increase can be blamed on the activities of the claimed hacktivist group known as the Izz ad-Din al-Qassam Cyber Fighters, which has targeted U.S. financial institutions with large-bandwidth attacks launched from compromised content-management servers. Yet the same toolkit that flooded banking sites with data has also targeted e-commerce and software-as-a-service companies, Prolexic stated in the report.

"These attacks have been very, very large and very complex and they are targeting the large enterprise customers, which are the more challenging ones to defend against because they have so much Internet-facing IP-address real estate," said Scott Hammack, CEO of Prolexic.

The number of attacks encountered by Prolexic in the quarter grew by nearly 28 percent, and the average bandwidth used in each attack topped 5.9G bps, up from less than 5G bps the previous quarter. The average attack duration increased to 32.3 hours, a 67 percent increase over the 19.2 hours a typical attack lasted in the third quarter of 2012. Previously, Prolexic had noted a trend toward shorter attacks.

The dramatic changes in attacks have much to do with attackers' shift to creating botnets using compromised high-bandwidth servers, rather than the motley mobs of infected home desktop computers that comprised earlier botnets. A decade ago, you would only see a 50G-bps attack a couple of times a year, but now such attacks happen nearly every week, Hammack said.

In addition, attackers are more directly controlling the attacks, according to Prolexic's data. Rather than launching a scripted flood of data, attackers are starting an operation, checking whether the selected tactics are having an impact and then changing the type of attack or the target depending on the result.

"In these latest rounds of attacks, the attackers are using what is essentially push technology," said Hammack. "They are directly controlling the bots in real time. They can, in real time, change the attack vectors or what IP they are attacking."

With such brazen attacks increasing, it is not surprising that companies that protect against denial-of-service attacks, such as Prolexic, have done well. In 2012, Prolexic's revenue increased by about two-thirds and its bookings nearly doubled, the company announced earlier in January. To keep up with attackers, the company increased its network capacity to handle 800G bps and boosted the number of employees by 60 percent.

The trend toward larger and more numerous attacks will likely continue, said Hammack.

"Like a lot of things, it ebbs and flows, but the general trend has been above linear," he said. "I think the techniques get better and better and servers are spinning up at geometric rates, so the vehicles are there to be exploited."

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...