As part of its 13th Annual Worldwide Infrastructure Security Report (WISR), Arbor Networks, the security division of NETSCOUT, has released its ATLAS (Active Threat Level Analysis System) special report, which collates data from NETSCOUT Arbor SP deployments from across the globe.
ATLAS effectively delivers insight into approximately one-third of global internet traffic, drawing information and statistics from over 400 networks. This data is gathered and analysed to determine key trends in DDoS (distributed denial-of-service) attack activity, and it yields several interesting insights.
“DDoS attacks are measured in different ways,” says Bryan Hamman, Arbor Networks’ territory manager for Sub-Saharan Africa. “Volumetric attacks (75.7 percent of all attacks over the period) are often the most destructive as they send a high amount of traffic, or request packets, to a targeted network in an effort to overwhelm its bandwidth capabilities.
“These attacks work to flood the target in the hopes of slowing or stopping their services and, while typically request sizes are in the 100s of Gbps, recent attacks have scaled to over 1Tbps.”
However, this year’s report revealed a decline in peak DDoS attack size, from 800Gbps in 2016 to 600Gbps in 2017, but that doesn’t mean attackers weren’t busy, adds Hamman.
Although the number of attacks over 100Gbps in 2017 is down from last year, the overall mix of attack sizes is still shifting up. This year, the percentage of attacks over 1Gbps has increased to 22 percent, growing three years in a row, although the vast majority of attacks, 87 percent, are still smaller than 2Gbps.
“Furthermore, peak attack size might have decreased but ATLAS observed an increase in the number of attacks, reporting 7.5 million attacks in 2017 as opposed to the 6.8 million in 2016.”
Arbor believes this is an indication of attacker innovation as they develop new attack vectors and use new tools, like the Mirai botnet’s ability to launch application-layer as well as volumetric attacks.
Hamman says that this year, it was decided to extend analysis to include different geographical regions, including South Africa.
“Looking at the top 10 countries attacked in 2017, it was interesting to note that the first four spots are exactly the same as last year, with similar percentages – these being the United States (24 percent), South Korea (10.3 percent), China (8.7 percent) and France (4.6 percent). South Africa features in the top 10 targeted countries in eighth position with 2.7 percent of all reported attacks being targeted here,” he explains.
“For attacks greater than 10Gbps by percentage, South Africa was positioned third for having been hit by 8.8 percent of all attacks in this size range following Hong Kong (10.2 percent) and the US (32.5 percent).”
These statistics are a stark and repeated warning to South African businesses, Hamman states.
“Complexity was a big focus for attackers this year, as opposed to mass attack volumes, with IoT devices being weaponised. This change in approach has been effective too,” he continues. “Enterprises experiencing revenue loss due to DDoS almost doubled this year, bringing the significance of the DDoS threat into sharp relief and highlighting the very real need for an integrated multi-layer defence from the data centre to the cloud.”