Large Internet organisations believe ideological and political motivations have become the single commonest motivation behind the DDoS attacks hitting their networks, a survey of major Internet firms by has found.

As expected, Arbor Networks’ annual Infrastructure Security Report survey of 114 tier 1 Internet infrastructure firms, hosting companies and large enterprises found that DDoS attack size has edged up between 2010 and 2011, with 13 percent now reporting attacks sizes above 10Gbps.

If this is a levelling off on the attack sizes increases seen in previous year that probably has to do with attackers having found a sweet spot that overwhelms most defences without the need to grow larger still.

Nine out of ten said they’d seen at least one DDoS attack per month, up from about three quarters in 2010. Forty-four percent experienced 10 or more attacks per month, also up from the 35 percent mark.

A rising proportion of DDoS is now application-layer attacks while volumetric packet attacks have probably passed their zenith.

The surprise was the low ranking accorded to traditional extortion-related and competitive/business attacks, cited as a motivation only 18 and 19 percent of the time respectively, far behind ‘political and ideological’ which topped the anxiety table at 35 percent. ‘Vandalism’ came second on 31 percent.

This is an important development for large firms because ideological attackers are unlikely to cease DDoS after an objective has been achieved; fending off small groups of determined attackers on a more or less continuous basis could be the new normal.

“We think that what’s changed is the speed at which companies can be targeted,” said Arbor’s EMEA solutions architect, Darren Anstee.

“It is not just the things [a company does] but the fact they are in a supply chain or a certain country,” he said explaining what could turn an organisation into a target for ideologically-motivated DDoS.

The number of vendors reporting that a DDoS had taken down a firewall or Intrusion Prevention system was hardly changed year on year at the 40 percent mark.

Separately, DDoS defence vendor Prolexic published its Q4 2011 attack report, finding a shift to application layer DDoS and an average attack bandwidth of 5.2Gbps. Attack duration has dropped to 34 hours but this was offset by a large rise in packet-per second volume.

“Based on fourth quarter statistics, Prolexic predicts that 2012 will feature DDoS attacks that will be shorter in duration, but much more devastating in terms of packet-per-second volume,” said Prolexic CTO, Paul Sop.  

“Think of it this way.  In the past, attackers had a rifle.  In 2012, they have a machine gun with a laser site.”  Prolexic predicted this increase in PPS volume in its previous attack report and noted that attackers were changing their strategy.