Home / / 'Unprecedented' spike in DDoS attack size reported

'Unprecedented' spike in DDoS attack size reported

Spike driven by proliferation of NTP reflection/amplication attacks, says Arbor Networks

Average NTP traffic globally in  February 2014 was 351.64 GB/s, Arbor said
Average NTP traffic globally in February 2014 was 351.64 GB/s, Arbor said

Arbor Networks has reported an "unprecedented" spike in the size of volumetric DDoS attacks in Q1 2014, driven by the proliferation of NTP reflection/amplification attacks.

The report was released along with data derived from Arbor's Atlas threat monitoring infrastructure, a collaborative effort made up of 300 service provider customers which share anonymous traffic data with the vendor.

The data showed that average NTP traffic globally in November 2013 was 1.29 GB/s, but by February 2014, it was 351.64 GB/s. NTP was in 14% of DDoS events overall, but 56% of events over 10 GB/s and 84.7% of events over 100 GB/s, Arbor said.

"The spike in the size and frequency of large attacks so far in 2014 has been unprecedented," said Arbor's director of solutions architects, Darren Anstee. 

"These attacks have become so large, they pose a very serious threat to Internet infrastructure, from the ISP to the enterprise."

NTP is a UDP-based protocol used to synchronise clocks over a computer network. Any UDP-based service including DNS, SNMP, NTP, chargen, and RADIUS is a potential vector for DDoS attacks because the protocol is connectionless and source IP addresses can be spoofed by attackers who have control of compromised or ‘botted' hosts residing on networks which have not implemented basic anti-spoofing measures. 

Arbor said that NTP is popular due to its high amplification ratio of approximately 1,000 times. Furthermore, attacks tools are becoming readily available, making these attacks easy to execute, the vendor added.