DDoS perpetrators changed tactics to amplify attack sizes and hide identities
Even though Q3 is typically one of the quieter quarters for distributed denial of service (DDoS) attacks, a lot happened in Q3 2013 – and it’s all captured in Prolexic’s latest Quarterly Global DDoS Attack Report. After analyzing data collected during Q3 from DDoS attacks directed against Prolexic’s global client base, a clear shift in attack methodologies emerged.
The different attack types and their use in Q3 are reflected in the chart below:
A small percentage reduction was observed for application attack vectors during Q3 2013 when compared to the previous quarter. Application attacks declined slightly to 23.48 percent this quarter, down from 25.29 percent in Q2 2013. An incremental change within application layer attack vectors was also noted. In comparison with the same quarter one year ago, application attacks have increased by almost 6 percent (from 17 percent to 23 percent).
Infrastructure attacks, which totaled 76.52 percent in Q3 2013, still represent the majority of attacks observed and mitigated. There was a small (2 percent) increase compared to last quarter (76.52 percent vs. 74.71 percent) and an approximately 4 percent reduction when compared to Q3 2012 (76.52 percent vs. 81.40 percent). A year ago (Q3 2012), application attacks represented approximately 19 percent of all attacks, while this quarter, the total percentage of application layer attacks rose to 23 percent, an increase of approximately 4 percentage points.
The use of application-based attacks is still consistent, though some of the major campaigns that used web-based attack vectors have subsided. Worth noting is the increased use of CHARGEN in distributed reflection denial of service (DrDoS) attacks, which has been seen in several recent campaigns as a primary attack vector. A significant shift to reflection-based attack vectors has also been observed, rising 69 percent compared to the previous quarter, and 265 percent when compared to the same quarter one year ago.
Summary highlights from Prolexic’s Q3 2013 Global DDoS Attack Report
Compared to Q2 2013
Compared to Q3 2012
While Q3 is typically a less active quarter, there are always exceptions. In Q3 2012, there was a very high level of DDoS activity due to Operation Ababil, launched by the Izz ad-Din al-Qassam Cyber Fighters against U.S. financial institutions. This quarter was also active, as the total number of attacks against Prolexic’s client base reached an all-time high for one quarter. Although the percentage increase over Q2 2013 was nominal, it indicates a consistently heightened level of DDoS activity around the world over the last six months. Of note, more than 62 percent of Q3 DDoS attacks originated from China, far surpassing all other countries.
For the quarter, average peak bandwidth totaled 3.06 Gbps and average peak packets-per-second (pps) totaled 4.22 Mpps. The largest attack Prolexic mitigated during Q3 was directed at a European media company, peaking at 120 Gbps.
A complimentary copy of Prolexic’s Q3 2013 Quarterly Global DDoS Attack Report is available as a free PDF download from www.prolexic.com/attackreports. Prolexic’s Q4 2013 report will be released in the first quarter of 2014.