New Report: Latest DDoS Trends

The distributed denial of service threat continues to increase. Corero recently published our 2018 DDoS Trends Report, and the findings suggest that enterprises and service providers have ample reason to put DDoS mitigation at the forefront of their cybersecurity strategies. The report contains observations from DDoS attacks launched against Corero customers in 2018, as well as comparisons to previous years.

Corero has once again observed a year-over-year increase in the frequency of attacks against our customers. In the past year, Corero’s SmartWall® Threat Defense System protected our customers from an average of 8 attacks per day, an increase of 16% compared to 2017. The sophistication of DDoS attacks continues to develop, with multi-vector attacks being used more frequently in the past year. These attacks are popular as they present a significant detection and mitigation challenge for legacy and homegrown DDoS protection solutions, due to their varying amplitude, ports and protocols.

Attack duration and intensity

Corero continues to find that lower volume, sub-saturating attacks dominate the landscape; this is not surprising, because such attacks are also able to evade legacy DDoS solutions. This is important, because small DDoS attacks can be just as troublesome as high-volume ones, as 1) they can overwhelm stateful infrastructure devices, including routers and firewalls, or consume web and application server resources, which impacts the overall experience for end-users; 2) they consume IT security staff time for troubleshooting; and 3) they can serve as a key vector in more sophisticated cyber-crime activities.

Corero also found that the average attack is getting shorter in duration, with an increasing majority now lasting less than 10 minutes. The long-term trend of a reduction in the percentage of attacks that last over 20 minutes also continues, with a further decline in average duration. In 2018, only 12% of attacks lasted longer than 20 minutes, down from 19% in 2017.

New insights about link saturation levels

One new insight for this report is the tracking of link saturation events. Corero analyzed hundreds of thousands of attacks during the full-year period and found that less than 0.6% resulted in one 10G link being saturated, where saturation is judged as greater than 95% utilization, also known as “full pipe.” Furthermore, of those 0.6% of attacks that caused a link to reach 95% utilization, the vast majority (>95%) lasted less than 10 minutes. This validates our earlier findings, i.e. large volumetric attacks that consume a network’s entire bandwidth are highly unusual. Organizations should be more concerned with these sub-saturating attacks that negatively affect, but do not overwhelm, network service, as they are often just attributed to some unexplained anomaly.

Evidence of indiscriminate attacks

During 2018 Corero observed worrying evidence of DDoS attacks that disrupt larger numbers of victims but exhibit no obvious or specific targeting. More targets—and therefore victims—are being caught up in the malicious activity, resulting in a new DDoS risk to innocent bystanders.

Amplification of attacks

Analysis of DDoS amplification sources during 2018 reveals that the availability of vulnerable UDP servers continues to be a worldwide problem. There is a difference in the mix of available amplifiers, but the overall situation appears to indicate that every region is still home to a large number of problematic, exploitable resources.

To learn Corero’s recommendations for protecting against evolving DDoS threats, download the complete report here. Corero provides best-in-class, automated, real-time DDoS protection solutions for customers across the globe; to learn how we can help you protect your organization from the increasing DDoS threat, contact us.

Sean Newman is VP Product Management for Corero Network Security. Sean has worked in the security and networking industry for twenty years, with previous roles including network security Global Product Manager for Cisco, which he joined as part of its acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.