New research from DDoS protection specialist Black Lotus shows that DDoS attack incidents have continued to decline throughout 2014.
There were 201,721 incidents in the third quarter of 2014, down from 462,621 in Q1 and 276,447 in Q2. This can be attributed to the security industry's improved understanding of, and filtering against, NTP DrDoS (distributed reflection denial-of-service) attacks, as well as more proactive intervention to stop attacks before, or as soon as, they are detected.
The character of DDoS attacks is changing too: the average attack bit volume is increasing while the average packet volume is falling. A shift in attack methods, from large volumetric network-based attacks to more complex multi-vector attacks that blend application-layer attacks with SYN floods, accounts for this change.
DDoS attacks have declined in both peak size and total incident count as NTP DrDoS attacks have largely subsided. This is thanks to better awareness in the security community of the threat posed by vulnerable NTP daemons, which has prompted administrators to upgrade from vulnerable versions and, in some cases, network operators to filter potentially malicious NTP traffic.
When more effective zero-day attacks aren't available, attackers often fall back on tried and tested methods. These include SYN floods and application-layer attacks, which are often launched in tandem. The largest attack by bit volume that Black Lotus observed in the quarter was a SYN flood against a web server, sourced largely from Chinese networks.
While most attacks still originate from China, the US and Russia, DDoS traffic is increasingly coming from Vietnam, India and Indonesia. These countries have large numbers of compromised mobile endpoint devices, which makes them prime sources for newly created botnets.
SYN floods are less dangerous to providers of internet infrastructure, since their bit and packet volumes are much lower and within the capacity of many tier 1 networks. They do, however, continue to pose a serious threat to service providers and enterprises that lack significant excess capacity and DDoS mitigation solutions.
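The bit-volume versus packet-volume distinction drawn above, and the way a SYN flood blends with application-layer traffic, as an added worked example that is not part of the Black Lotus report or this article: a Python script that aggregates constructed NetFlow-style records per target, computes bits/s and packets/s, and separates NTP reflection (large UDP replies from source port 123) from SYN floods (tiny TCP packets with only SYN set). The Flow fields, thresholds, capture window and sample addresses are all assumptions chosen for illustration.

```python
"""Per-target DDoS volume profile from flow records (added example, not Black Lotus code).

Computes bits/s, packets/s and bytes/packet per destination, then assigns the
coarse vectors discussed in the report: NTP reflection, SYN flood, and
established TCP traffic, which is where application-layer floods hide.
Thresholds, the capture window and the sample records are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

WINDOW_S = 10.0               # assumed capture window covering SAMPLE_FLOWS
NTP_PORT = 123
NTP_MIN_BYTES_PER_PKT = 400   # assumed: amplified NTP replies are hundreds of bytes each
SYN_MAX_BYTES_PER_PKT = 80    # assumed: a bare SYN is roughly 40-80 bytes on the wire
MIN_VECTOR_PKTS = 1000        # assumed: ignore a vector seen in fewer packets than this


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str        # "udp" or "tcp"
    tcp_flags: str    # "S" = SYN only, "PA" = PSH+ACK, "" for UDP
    packets: int
    bytes: int


def vector_of(flow: Flow) -> str:
    """Assign one flow to a coarse vector from its transport-level shape."""
    if flow.packets == 0:
        return "other"
    bpp = flow.bytes / flow.packets
    if flow.proto == "udp" and flow.src_port == NTP_PORT and bpp >= NTP_MIN_BYTES_PER_PKT:
        return "ntp_reflection"      # reflectors answer from port 123 with large payloads
    if flow.proto == "tcp" and flow.tcp_flags == "S" and bpp <= SYN_MAX_BYTES_PER_PKT:
        return "syn_flood"           # bare SYNs, handshake never completed
    if flow.proto == "tcp" and "A" in flow.tcp_flags:
        return "established_tcp"     # completed connections; HTTP floods look like this at flow level
    return "other"


def summarize(flows: List[Flow], window_s: float = WINDOW_S) -> Dict[str, dict]:
    """Aggregate flows per destination into rates, a vector mix and a label."""
    totals: Dict[str, dict] = defaultdict(
        lambda: {"packets": 0, "bytes": 0, "vectors": defaultdict(int)})
    for f in flows:
        t = totals[f.dst_ip]
        t["packets"] += f.packets
        t["bytes"] += f.bytes
        t["vectors"][vector_of(f)] += f.packets

    result: Dict[str, dict] = {}
    for dst, t in totals.items():
        vectors = t["vectors"]
        floods = [v for v in ("ntp_reflection", "syn_flood")
                  if vectors.get(v, 0) >= MIN_VECTOR_PKTS]
        # Established traffic is only suspicious alongside a flood; on its own it is
        # normal load, and confirming an HTTP flood needs request rates from server logs.
        app_layer_suspect = bool(floods) and vectors.get("established_tcp", 0) >= MIN_VECTOR_PKTS
        result[dst] = {
            "bits_per_s": t["bytes"] * 8 / window_s,
            "packets_per_s": t["packets"] / window_s,
            "bytes_per_packet": t["bytes"] / t["packets"] if t["packets"] else 0.0,
            "vectors": dict(vectors),
            "label": "+".join(floods) if floods else "none",
            "multi_vector": len(floods) >= 2 or app_layer_suspect,
        }
    return result


# Constructed records: three reflectors hitting one victim, four SYN sources plus
# two HTTP sources hitting a web server, and one ordinary TLS session elsewhere.
SAMPLE_FLOWS: List[Flow] = [
    Flow(f"198.51.100.{i}", NTP_PORT, "203.0.113.10", 51234, "udp", "", 50_000, 23_400_000)
    for i in (1, 2, 3)
] + [
    Flow(f"192.0.2.{i}", 40_000 + i, "203.0.113.20", 80, "tcp", "S", 100_000, 6_000_000)
    for i in (1, 2, 3, 4)
] + [
    Flow(f"192.0.2.{i}", 50_000 + i, "203.0.113.20", 80, "tcp", "PA", 2_000, 600_000)
    for i in (50, 51)
] + [
    Flow("192.0.2.99", 55_000, "203.0.113.30", 443, "tcp", "PA", 500, 200_000),
]

if __name__ == "__main__":
    for dst, s in summarize(SAMPLE_FLOWS).items():
        print(f"{dst}: {s['bits_per_s'] / 1e6:.1f} Mbit/s, {s['packets_per_s']:.0f} pkt/s, "
              f"{s['bytes_per_packet']:.0f} B/pkt, label={s['label']}, "
              f"multi_vector={s['multi_vector']}")
```

On the constructed data the reflection victim shows the higher bit rate but the lower packet rate, while the SYN-flooded web server shows the reverse, which is the profile the report contrasts. Note that the established-TCP share is reported but never labelled an attack on its own: at flow level an HTTP flood is indistinguishable from a busy server, so it is only raised as a second vector when a flood is already present, and confirmation has to come from request rates in the web server's logs.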