Having caught on to bad guys leveraging the Network Time Protocol (NTP) vulnerability to create distributed reflection denial of service (DrDoS) attacks, security professionals severely slowed these types of amplified assaults.
As they patched the weaknesses or upgraded their systems, the peak bit volume of NTP DrDoS attacks dropped 86 percent to 59 gigabits per second (Gbps) in Q2 2014, according to the Q2 2014 Threat Report by security provider Black Lotus.
In contrast, traditional multi-vector attacks against servers and websites resurfaced as the most frequent, severe threat to enterprises and service providers, with a 140 percent increase in TCP SYN and HTTP GET types of attacks in the same period, the report said. Enterprises and operators need to protect against SYN flood attacks, which, although smaller in size, are highly effective and difficult to stop without purpose-built commercial DDoS mitigation hardware or services.
The report covers DDoS attack data between April 1 and June 30, 2014, and shows the company’s customers experienced a drop in the volume of total attacks by 40 percent, and attacks characterized as severe (having high traffic levels) decreased by 15 percent.
Beginning in March 2014, patched or upgraded servers and the diminishing returns that malicious parties encountered with NTP DrDoS attacks led to a drastic decrease in the maximum attack size quarter-over-quarter. Unlike the NTP DrDoS vector from Q1 2014, SYN floods target the service port, which makes it impossible to request assistance from upstream IP carriers or to block the attack on one’s own router.
Attackers will continue to use DrDoS attacks whenever possible, resorting to non-amplification attacks when there are not enough vulnerable systems available to exploit, the researchers said.
The report findings also show:
• The largest DDoS attack observed during the report period was on May 20. It was 59 Gbps and 29 million packets per second (Mpps), a sharp decline in volume due to NTP and other variants of amplification attacks becoming more difficult to execute after enterprises patched their systems.
• Of the 276,447 observed attacks, Black Lotus regarded 46,936 (17 percent) of them as severe, characterized by extreme traffic levels compared to the target’s typical traffic baseline.
• The average attack during the period reported was 2.9 Gbps and 1.4 Mpps, consistent with the previous quarter, indicating that networks must maintain a DDoS mitigation defense capable of at least 5 Gbps to safely defend against the majority of attacks.
• During the reporting period, 70.3 percent of severe attacks targeted servers and applications, most commonly HTTP servers and domain name services (DNS). Attacks on either application can result in site outages and are difficult to mitigate without professional assistance.