5.3 DDoS Attacks
5.3.1 Attack Trend
In 2018, we observed 148,000 DDoS attacks (down 28.4% from 2017), which generated a total of 643,100 TB of attack traffic, about the same volume as observed in 2017. This trend suggests that
while the number of DDoS attacks is lower, the size of the attack are growing. Large and medium-size attacks are on the rise.
In 2018, the number of DDoS attacks dropped significantly, driven by effective fortifications against reflection attacks. Since the beginning of 2018, the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) has deployed its provincial branches, in cooperation with carriers and cloud service providers around the country, in a special campaign against DDoD reflection attack resources in China by, for example, identifying bogus source IP addresses and making reflection attack sources known to the public. These governance measures have effectively reduced the success rate of reflection attacks, forcing attackers to resort to other means. According to statistics, in 2018, the number of reflection attacks did decrease 80%, but other DDoS attacks increased 73%. As a result, reflection attacks accounted for only 3% of all DDoS attacks.
In the first half of 2018, the number of DDoS attacks increased slowly. However, in the second half the DDoS attacks quickly ramped upwards. We believe that the month-to-month increase in the number of DDoS attacks was linked with the fall of cryptocurrency prices. In the 2017 DDoS and Web Application Attack Landscape 612 , we pointed out that, with the appreciation of cryptocurrency, hackers began to divert prime botnet resources to cost-efficient cryptomining activities and away from costly DDoS attacks. In 2018, the price of cryptocurrency dropped, leading to decreased profits from cryptomining, which in turn made DDoS attacks more attractive and led to the monthly increases. Comparing the monthly Bitcoin price with the monthly DDoS attack traffic, we get the Pearson correlation coefficient of –0.48, indicating a negative correlation between the two, which validates our results.
In recent years, super-large attacks have emerged and constantly grown in the peak size. In March 2018, the well-known code hosting website GitHub was hit by a DDoS attack peaking at 1.35 Tbps, the largest attack size seen until then. As of the time of writing, the peak traffic rate of DDoS attacks had kept increasing and has reached a record high of 1.7 Tbps713. Monthly statistics of the past two years reveal that the number of large attacks with a peak rate of more than 100 Gbps have rapidly increased. This indicates that the scale of attack resources controlled by attackers is expanding and their attack capabilities are constantly being upgraded.
Improving DDoS attack capabilities and the record high average peak sizes both point to DDoS attacks are becoming increasingly more destructive. In fact, most hackers can now easily generate huge amounts of attack traffic and their capabilities are still growing rapidly. Security professionals need to pay attention to this alarming trend and take appropriate action.
To be continued.
12 https://nsfocusglobal.com/2017-attack-landscape-report/
13 https://www.wired.com/story/github-ddos-memcached/
