The number of DDoS attacks reached its highest-ever level for a single quarter in the last three months of 2012, a 19 percent year-on-year increase, mitigation vendor Prolexic has reported.
The key to understanding DDoS trends is deciding what actually matters. Is it the total number of attacks, their average size, the number of rarer massive attacks, or the type of attack employed?
Judging from Prolexic’s customer base, the news is mostly bad. With the exception of a slight drop in attack duration to 32 hours compared to Q4 2011, all the other DDoS numbers show a modest but unmistakable shift towards red.
Year-on-year average attack bandwidth rose from 4.9Gbps to 5.9Gbps, with attack volumes jumping a notch in 2012 compared to a year earlier.
Three quarters of attacks are still at layers 3 and 4, which means they are packet-based floods targeting network infrastructure; the remaining 25 percent are more complex layer 7 attacks that try to overload applications.
The company detected seven attacks greater than 50Gbps, it said, with one or two above even that huge level.
The deeper question worth asking is whether the numbers really help explain changes in the motivation of those doing the attacking or on whose behalf attacks are being carried out.
Prolexic underlines the rise of one botnet attack tool in particular, itsoknoproblembro, as being noteworthy for its connection to a number of highly targeted attacks on the US financial sector during the second half of 2012.
Prolexic doesn’t say it, but these have been serious enough to catch the attention of the US authorities, which now suspect a state-sponsored attack on US banks by Iran.
The challenge of itsoknoproblembro is its sophistication, allowing “automated reconnaissance, exploitation, infection and attack management,” to borrow Prolexic's own description.
More than half of attacks originate in China (which doesn’t mean they’re necessarily under Chinese control), followed by Germany, India, Egypt and Pakistan with between roughly five and ten percent each.
“The fourth quarter was defined by the increasing scale and diversity of DDoS attacks. While bandwidth attacks of 20 Gbps were the story last quarter, 50 Gbps is more relevant now,” said Prolexic CEO, Scott Hammack.
“The takeaway for businesses from this Q4 report is to make sure that their DDoS mitigation provider can handle attacks in excess of 50 Gbps in a single location,” he added.
“When attacks are this large, it’s important that the provider can mitigate this volume of attack traffic in one place and distribute it effectively so it does not compromise intermediary transit providers and affect others.”