Denial of service attack data

by Mark Rowe

Arbor Networks Inc, a US-based provider of DDoS and advanced threat protection products for enterprise and service provider networks, has released its second quarter of 2015 global DDoS (denial of service) attack data. According to the IT firm, the data shows strong growth in the average size of DDoS attacks, from both a bits-per-second and packets-per-second perspective.

The largest attack monitored in Q2 was a 196GB/sec UDP flood, a large, but no longer uncommon attack size. Of most concern to enterprise networks is the growth in the average attack size. In Q2, 21 per cent of all attacks topped 1GB/sec, while the most growth was seen in the 2-10GB/sec range. However, there was also a significant spike in the number of attacks in the 50 – 100GB/sec range in June, mainly SYN Floods targeting destinations in the US and Canada.

Arbor’s Chief Security Technologist Darren Anstee said: “Extremely large attacks grab the headlines, but it is the increasing size of the average DDoS attack that is causing headaches for enterprise around the world. Companies need to clearly define their business risk when it comes to DDoS. With average attacks capable of congesting the Internet connectivity of many businesses it is essential that the risks and costs of an attack are understood, and appropriate plans, services and solutions put in place.”

Active Threat Level Analysis System

Arbor’s data is gathered through ATLAS, a collaborative partnership with more than 330 service provider customers who share anonymous traffic data with Arbor to deliver what the IT firm calls a comprehensive, aggregated view of global traffic and threats. ATLAS collects 120TB/sec of Internet traffic and is the source of data for the Digital Attack Map, a visualisation of global DDoS attacks created with Google Ideas.

Reflection amplification

Reflection amplification is a technique that allows an attacker to both magnify the amount of traffic they can generate, and obfuscate the original sources of that attack traffic. This technique relies on two unfortunate realities, according to the firm: firstly, many service providers still do not implement filters at the edge of their network to block traffic with a ‘forged’ (spoofed) source IP address; secondly, there are plenty of poorly configured and poorly protected devices on the Internet providing UDP services that offer an amplification factor between a query sent to them and the response which is generated. The majority of very large volumetric attacks leverage a reflection amplification technique using the Network Time Protocol (NTP), Simple Service Discovery Protocol (SSDP) and DNS servers, with large numbers of significant attacks being detected all around the world.
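A defender-side sketch of how the reflected traffic described above looks in flow data, added here as an example (it is not Arbor's or ATLAS's detection logic): UDP responses from the NTP, SSDP and DNS source ports converging on one destination from many reflectors. The flow-record layout, the thresholds and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# UDP source ports of the reflector services named in the article.
REFLECTOR_PORTS = {123: "NTP", 1900: "SSDP", 53: "DNS"}

# Constructed sample flow records (documentation address ranges, not real traffic):
# (start_sec, src_ip, src_port, dst_ip, proto, bytes)
SAMPLE_FLOWS = [
    (1, "198.51.100.1", 123, "203.0.113.10", "udp", 500_000),
    (2, "198.51.100.2", 123, "203.0.113.10", "udp", 500_000),
    (4, "198.51.100.3", 123, "203.0.113.10", "udp", 500_000),
    (7, "198.51.100.4", 123, "203.0.113.10", "udp", 500_000),
    (3, "192.0.2.53", 53, "203.0.113.20", "udp", 512),        # ordinary DNS answer
    (5, "192.0.2.53", 53, "203.0.113.20", "tcp", 4_000_000),  # not UDP, ignored
    (25, "198.51.100.1", 123, "203.0.113.10", "udp", 76),     # single time sync
]


def detect_reflection(flows, window=10, min_sources=3, min_bps=1_000_000):
    """Flag destinations receiving reflector-port UDP from many sources.

    Flows are grouped per time window, destination and service. A group is
    reported when it has at least `min_sources` distinct senders and its
    average rate over the window reaches `min_bps` bits per second.
    """
    buckets = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for ts, src, sport, dst, proto, nbytes in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        key = (ts // window, dst, REFLECTOR_PORTS[sport])
        buckets[key]["bytes"] += nbytes
        buckets[key]["sources"].add(src)

    alerts = []
    for (win, dst, service), data in sorted(buckets.items()):
        bps = data["bytes"] * 8 // window
        if len(data["sources"]) >= min_sources and bps >= min_bps:
            alerts.append({
                "window_start": win * window,
                "victim": dst,
                "service": service,
                "reflectors": len(data["sources"]),
                "bps": bps,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_reflection(SAMPLE_FLOWS):
        print(alert)
```

The source addresses seen here are the reflectors, not the attacker, which is why the edge filtering of spoofed source addresses mentioned above remains the upstream fix.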

Meanwhile, apps on Samsung devices leak passwords five times more frequently than apps on iPhones, according to a study from a US-based advanced mobile threat prevention product firm. Eldar Tuvey, CEO of Wandera, said: “Enterprises remain unaware of so many of the specific risks of enterprise mobility, from man-in-the-middle attacks to Wi-Fi security and roaming bill shocks. Our aim with this report is to move IT departments’ understanding of these threats from the theoretical to the tangible and quantifiable.”

Wandera highlighted what it sees as the ‘weakest link in the chain’ – browser threats. Browser threats are commonly ignored by the mobile security community when it comes to mobile devices, yet Wandera believes that they are a vector for the next growth phase of mobile malware. In the report, Wandera revealed that the malware sites most visited by devices in its network are all on .ru domain names.

Enterprise employees are also becoming more aware of the “bill shock” dangers of roaming, changing their mobile usage habits outside their “home” countries. As a proportion of all data usage, roaming only comprised 16 per cent this quarter – a reduction of 2 per cent compared to the end of 2014. Mobile video drops from 16 per cent of data usage domestically, where it is the top type, to only 5 per cent abroad, where it is one of the lowest; social network usage drops from 12 per cent to 6 per cent. However, unsurprisingly, mapping software is used 75 per cent more when employees are out of the country.

Wandera also reported on the three instances of the highest “bill shock” in the past year as reported by its clients. Two occurred in France – the first was an example of Google Maps running in the background resulting in a bill of €8,000, while the second incurred €15,000 of charges just from photo sharing and accessing iCloud. Another user ran up a bill of £33,000 for video and music streaming while in the UK.

Tuvey added: “While overall understanding of the roaming risk is improving, it only takes one error to incur massive charges and prove that bill shock still very much exists. Data compression and policy enforcement at home and abroad can not only save enterprises a significant amount of budget – it can also save the enterprise IT department from having to trust in staff understanding the risks of roaming. They don’t need to know which services rely on data, or resort to largely ineffective requests to staff to limit their data usage.” Visit https://www.wandera.com/.

© 2024 Professional Security Magazine. All rights reserved.