Black Lotus Threat Report Reveals 140 Percent Increase in Multi-Vector DDoS Attacks in Q2 2014

Widespread awareness of NTP DrDoS vulnerability causes cyber attackers to return to tried-and-true methods

SAN FRANCISCO -- Wise to attackers’ exploitation of the Network Time Protocol (NTP) vulnerability to create distributed reflection denial of service (DrDoS) attacks, information security executives thwarted these types of amplified assaults by patching weaknesses or making upgrades in their systems associated with the protocol, causing an 86 percent drop in the peak bit volume of NTP DrDoS attacks to 59 gigabits per second (Gbps) in Q2 2014. In contrast, traditional multi-vector attacks against servers and websites have resurfaced as the most frequent, severe threat to enterprises and service providers, with a 140 percent increase in TCP SYN and HTTP GET types of attacks in the same period. Enterprises and operators are cautioned to protect against SYN flood attacks, which, although smaller in size, are highly effective and difficult to stop without purpose-built commercial DDoS mitigation hardware or services. That warning was issued today via the Q2 2014 Threat Report by Black Lotus, a leader in availability security and provider of distributed denial of service (DDoS) protection. Black Lotus compiles its quarterly Threat Reports by drawing on the latest attack data from its network logs and analyzing the results for trends in attack size, duration, method, source and other characteristics.

The Threat Report, which covers DDoS attack data between April 1 and June 30, 2014, shows that Black Lotus customers experienced a drop in the volume of total attacks by 40 percent, and attacks characterized as severe (having high traffic levels) decreased by 15 percent. These changes can be attributed to attackers resorting to more complex attacks, such as SYN floods and application layer attacks, instead of amplification attacks.

Beginning in March 2014, the patched or upgraded servers and diminishing returns of NTP DrDoS attacks that malicious parties encountered led to a drastic decrease in the maximum attack size quarter-over-quarter. Unlike the NTP DrDoS vector from Q1 2014, SYN floods target the service port, which makes it impossible to request assistance from upstream IP carriers or to block the attack on one’s own router. Black Lotus expects attackers will continue to use DrDoS attacks whenever possible, resorting to non-amplification attacks when there are not enough vulnerable systems available to exploit.

The report findings also show that:

  • The largest DDoS attack observed during the report period was on May 20. It was 59 Gbps and 29 million packets per second (Mpps), a sharp decline in volume due to NTP and other variants of amplification attacks becoming more difficult to execute after enterprises patched their systems.
  • Of the 276,447 observed attacks, Black Lotus regarded 46,936 (17 percent) of them as severe, characterized by extreme traffic levels compared to the target’s typical traffic baseline.
  • The average attack during the period reported was 2.9 Gbps and 1.4 Mpps, consistent with the previous quarter, indicating that networks must maintain a DDoS mitigation defense capable of at least 5 Gbps to safely defend against the majority of attacks.
  • During the reporting period, 70.3 percent of severe attacks targeted servers and applications, most commonly HTTP servers and domain name services (DNS). Attacks on either application can result in site outages and are difficult to mitigate without professional assistance.

“Since patched systems now make it easier to combat NTP threats, recent attacks have drastically decreased in volume when malicious users were unable to use a sufficient quantity of vulnerable systems in amplification,” said Jeffrey Lyon, co-founder of Black Lotus. “However, enterprises should evaluate their protection against multi-vector attacks, since attackers can use SYN floods and application layer attacks to inundate networks, cause outages or disable serving content to legitimate users even without generating large bit volumes of traffic.”

Download the full Black Lotus Q2 2014 Threat Report for more details.

About Black Lotus Communications

Black Lotus Communications is a security innovator that pioneered the first commercially viable DDoS mitigation solutions. These advanced solutions enhance the security posture of small and medium businesses and enterprise clients while reducing capital expenditures, managing risk, ensuring compliance, and improving earnings and retention. Breakthrough developments at Black Lotus include the world's first DDoS-protected hosting network, the first IPv6 DDoS mitigation environment, and the first highly effective Layer 7 attack mitigation strategy. For more information, visit www.blacklotus.net or follow Black Lotus on Twitter at https://twitter.com/ddosprotection.

Contacts

For more information, please contact:
Metis Communications
Justine Boucher, 617-236-0500
blacklotus@metiscomm.com

Release Summary

Black Lotus found that multi-vector DDoS attacks against servers and websites have resurfaced as the most frequent, severe threat to enterprises and service providers, with a 140 percent increase during Q2.
