DDoS Attacks Unpredictable, Consistently Target Financial Sector

May 24, 2017 Marketing GrafWebCUSO

Distributed denial-of-service (DDoS) attacks remain unpredictable and persistent, and vary widely in volume, speed and complexity, according to Reston, Va.-based Verisign’s DDoS Trends Report for the first quarter of 2017.

While Verisign saw a 23% decrease in DDoS attacks during the first quarter, the average peak attack size increased 26% compared to the previous quarter.

Attackers also launched sustained and repeated assaults against their targets. Verisign observed that almost 50% of its customers who experienced DDoS attacks in Q1 2017 were targeted multiple times during the quarter.

The financial sector continues to be a constant target for DDoS attacks. In Q1 2017, Verisign’s financial sector customers experienced the second highest number of DDoS attacks (28%) of any industry sector within Verisign’s customer base (a large increase from only 7% during the prior quarter). IT services/cloud remained the sector with the largest number of DDoS attacks in Q1 2017.

The report contains observations and insights derived from DDoS attack mitigations enacted on behalf of, and in cooperation with, customers of Verisign DDoS Protection Services from Jan. 1, 2017 through March 31, 2017.

Here are three other key observations from the Verisign DDoS Trends Report:

Multi-vector DDoS attacks are the norm. Fifty-seven percent of DDoS attacks mitigated by Verisign in Q1 2017 employed multiple attack types. Verisign observed DDoS attacks targeting victim networks at various network layers and attack types changing over the course of DDoS events, thus requiring continuous monitoring to optimize the mitigation strategy.

Types of DDoS attacks. User Datagram Protocol (UDP) flood attacks continue to lead in Q1 2017, making up 46% of total attacks. The most common UDP floods mitigated were Domain Name System (DNS) reflection attacks, followed by Network Time Protocol (NTP) and Simple Service Discovery Protocol (SSDP) reflection attacks. While UDP-based attacks continued to dominate the types of attacks deployed, the number of Transmission Control Protocol (TCP)-based attacks increased.

Largest volumetric attack and highest intensity flood. This was a multi-vector attack that peaked over 120 Gbps and around 90 Mpps. This attack sent a flood of traffic to the targeted network in excess of 60 Gbps for more than 15 hours. The attackers were very persistent in their attempts to disrupt the victim’s network, sending attack traffic on a daily basis for over two weeks. The attack consisted primarily of TCP SYN and TCP RST floods of varying packet sizes and employed one of the signatures associated with the Mirai IoT botnet. The event also included UDP floods and IP fragments, which increased the volume of the attack.

To combat these attacks, it is becoming increasingly important to monitor attacks constantly for changes in order to optimize the mitigation strategy.

“As distributed denial-of-service attacks increase in complexity and size, combating them becomes more challenging. Organizations not only need the right technology capable of meeting this growing threat, but also the right human element,” Verisign suggested.