Analyze This: Denial of Service Attacks

Brian Wood Blog

Below is a short but fascinating article revealing the recent rise in terms of volume and severity of denial of service (DoS) attacks globally.

No longer is DoS — or DDoS — the main event; more and more it is becoming the diversion so that the “real” intrusion can take place unnoticed.

Article by Bruce Upbin in Forbes.

Emphasis in red added by me.

Brian Wood, VP Marketing


The Internet’s Aswarm In Denial Of Service Attacks And It’s Getting Worse

The denial of service attack gets few props for novelty in a field that prizes novelty.

In a denial of service (DoS) attack, hackers flood a Web site or application with pointless requests that clog or overwhelm network resources and potentially shut it down.

DoS is a cudgel, not a lockpick designed to open up sensitive areas. Lately, though, its perpetrators are making up in volume what they’ve lacked in flair.

The chart below shows the biggest DDoS attacks by month, measured in billions of bits (gigabits) per second by security firm Arbor Networks. Most of these are DDoS attacks; the extra D stands for distributed, or originating from multiple computers. The spikes are getting higher, peaking with a 320 Gbps attack in February. That same month Cloudflare tracked a 400 Gbps attack.

These are whoppers, people. A single DDoS surge of 100 gigabits per second is enough to disrupt most corporate networks. 300 gigs could flatten one.


Peak DDoS attacks by month. Source: Arbor Networks/ATLAS.

Something has changed in the security landscape when you’re seeing spikes like these. Attacks larger than 20 gigabits per second rose eightfold in 2013 compared with 2012. As of April 2014 the Neustar Security Operations Center had already dealt with more than twice as many 100-plus Gbps attacks compared to all of last year. The average DDoS attack has gone up in size but is still in the range of 1 to 5 Gbps.

DoS was always seen as bothersome but not lethal. The cost is in downtime ($1 million/day on average). But security experts say these quick, sharp DDoS attacks are often smokescreening, a diversionary tactic from the main break-in for credit card numbers or other sensitive data. Hackers are also increasingly able to amplify their DDoS attacks by going after vulnerable Internet servers known as NTP or UDP servers that are fooled into thinking the packet is coming from the targeted server so they dutifully spew out vast quantities of responses to a target IP address. Depending on how powerful and networked the vulnerable server is, an attacker with a mere 1 Gbps connection can generate a 200 Gbps DDoS attack.
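The reflection mechanism the article describes (a small spoofed request, a large reply delivered to the victim) leaves a recognisable footprint on the victim's side: a burst of inbound UDP traffic whose *source* ports are well-known service ports, coming from many distinct hosts at once, with large average packets. The script below is an added example written for this post, not code from Forbes, Arbor Networks or Neustar. It parses a constructed flow-record format (`ts src:sport > dst:dport proto bytes packets`), aggregates inbound UDP per destination, and flags destinations that receive service-port traffic from at least `min_reflectors` distinct hosts at `min_gbps` or more over the window. The port-to-service table, the thresholds and the sample records are all assumptions chosen for illustration.

```python
"""Flag reflected/amplified UDP floods in flow records (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass

# UDP services that answer small requests with large replies and are commonly
# abused as reflectors. Keyed by the reflector's service port, which appears as
# the SOURCE port of the traffic that reaches the victim. (Assumed table.)
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}


@dataclass
class Flow:
    ts: float       # flow start, seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    bytes: int
    packets: int


def parse_flows(lines):
    """Parse records of the constructed form 'ts src:sport > dst:dport proto bytes packets'."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, arrow, dst, proto, nbytes, npkts = line.split()
        if arrow != ">":
            raise ValueError(f"malformed record: {line!r}")
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(float(ts), sip, int(sport), dip, int(dport),
                          proto.lower(), int(nbytes), int(npkts)))
    return flows


def detect_reflection(flows, window_s=10.0, min_reflectors=20, min_gbps=0.5):
    """Summarise inbound UDP traffic per destination and return the destinations
    whose service-port traffic exceeds both thresholds. Thresholds are assumptions."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0,
                                   "services": defaultdict(int), "udp_bytes": 0})
    for f in flows:
        if f.proto != "udp":
            continue
        d = per_dst[f.dst]
        d["udp_bytes"] += f.bytes
        if f.sport in REFLECTOR_PORTS:          # reply from a service port
            d["reflectors"].add(f.src)
            d["bytes"] += f.bytes
            d["packets"] += f.packets
            d["services"][REFLECTOR_PORTS[f.sport]] += f.bytes

    alerts = {}
    for dst, d in per_dst.items():
        gbps = d["bytes"] * 8 / window_s / 1e9
        if len(d["reflectors"]) >= min_reflectors and gbps >= min_gbps:
            alerts[dst] = {
                "reflectors": len(d["reflectors"]),
                "gbps": round(gbps, 3),
                # Large average packets are typical of amplified replies.
                "avg_pkt_bytes": d["bytes"] // max(d["packets"], 1),
                # Share of this host's inbound UDP that came from service ports.
                "reflected_share": round(d["bytes"] / d["udp_bytes"], 3),
                "top_service": max(d["services"], key=d["services"].get),
            }
    return alerts


def build_sample():
    """Constructed 10-second window: 40 NTP reflectors hitting one host, plus benign noise."""
    lines = ["# ts src:sport > dst:dport proto bytes packets"]
    for i in range(1, 41):  # 40 distinct reflectors, 20 MB each in 10 s
        lines.append(f"0.0 198.51.100.{i}:123 > 203.0.113.10:{40000 + i} udp 20000000 42735")
    lines.append("0.0 192.0.2.5:40000 > 203.0.113.10:443 udp 200000000 150000")  # QUIC-ish, not reflected
    lines.append("1.0 192.0.2.9:53 > 203.0.113.20:51000 udp 512 1")              # ordinary DNS reply
    lines.append("1.0 192.0.2.9:53 > 203.0.113.30:51001 udp 512 1")
    lines.append("2.0 192.0.2.7:443 > 203.0.113.20:52000 tcp 900000 600")       # TCP, ignored
    return lines


if __name__ == "__main__":
    for dst, info in detect_reflection(parse_flows(build_sample())).items():
        print(dst, info)
```

Run against the sample, the one flagged host is 203.0.113.10: 40 reflectors, 0.64 Gbps, average packet 468 bytes, 80% of its inbound UDP coming from NTP service ports. The same aggregation works on real NetFlow/IPFIX exports once the parser is swapped; tune the thresholds to the monitored link, since at the 100-plus Gbps scale the article describes the signal is not subtle, but the many-reflectors-plus-service-port pattern is what separates a reflection flood from a legitimate burst of large downloads.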

The sources and destinations of DDoS attacks vary as widely as the country pairs mapped above. To map the threat, we pulled a year’s worth of 1 Gbps-or-more DDoS attacks from the Arbor database, which attempts to determine the country of origin. And you thought China was bad. The huge unknown category underscores the difficulty in tracking down the origins of attacks, which can bounce from offshore servers.


Sources and destinations of DDoS attacks bigger than 1 gigabit per second.

Everyone is playing the game. The chart at the top of the post shows a year’s worth of DDoS attacks mapped by nation to see who hit whom most often (or at least where the hackers pretended to be coming from). The battle lines are not easily drawn. The U.S. and China are under the heaviest attack and are the countries from which the most cybergrenades are thrown. (Percentages shown are the portion of total attacks from the originating nation. The unknowns are huge because the attackers are good at covering their tracks.)

–Data visualizations by Maxwell Henderson.