Arbor gets its numbers from Peakflow SP sensors on the premises of 330 customers, which feed the firm's Atlas system; it supplements that data with manual surveys of important ISPs and providers that do not contribute to Atlas.
The largest attack recorded by Atlas was 325Gbps, one of a handful of attacks that exceeded 2013’s peak attack size of 245Gbps. In 2013, the system noticed 39 attacks above 100Gbps, which compares to 159 for last year, a fourfold increase.
A closer look reveals that most of 2013's big attacks occurred in the last quarter, a trend that continued through 2014, underlining that the growth is sustained rather than a one-off spike. As for the 400Gbps attack, that was reported to Arbor by a third party and the firm was not able to confirm many details beyond its size.
Increasingly, the culprit is Network Time Protocol (NTP), an important but largely ignored protocol used to keep the Internet's routers and server infrastructure synchronised with UTC. Not long after the infamous attack on Spamhaus in early 2013, which used DNS amplification (small queries sent to open resolvers with the victim's address forged as the source, so that far larger responses are reflected back at the victim), someone worked out that other UDP protocols were open to the same trick.
NTP turned out to be a good candidate for the same spoofing/amplification treatment, notably in the attack on CloudFlare a year ago, the one Arbor records as hitting 325Gbps.
It might be assumed that massive DDoS attacks on the scale of the Spamhaus attack would be publicly acknowledged, but this is far from the case. ISPs and Content Delivery Networks (CDNs) continue to treat them as localised issues that crop up from time to time and are nobody else's business.
Nobody else sees these attacks (customers' own links are typically far smaller than the peak size of these events, so the traffic is absorbed upstream anyway), and they most definitely don't 'slow the Internet', as daft stories claimed after the Spamhaus attack. What they do is seriously annoy ISPs, the organisations that have to manage the traffic silently.
According to Arbor, the NTP storm peaked in the spring of 2014, after which average NTP traffic fell back, but only to levels that are still historically high, around the 120Gbps mark. For comparison, the background level in 2008 was 1Gbps, and while that should have risen somewhat as more equipment was lit up since then, nothing like this much. The protocol is now trending far above that level all the time, and Arbor Networks' UK director of solutions architects, Darren Anstee, said that many ISPs now rate-limit it as a way of coping, a blunt instrument that also throttles legitimate time synchronisation passing through the same links.
The bad news is that the Internet is chock-full of other protocols, many of which can be used as fuel for the DDoS bonfire, including SSDP (a growing problem), Chargen, DVMRP, SNMP and, the pioneer, DNS. Each of these was seen in attacks approaching or exceeding 100Gbps during 2014.
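The spoofing/amplification pattern described above for DNS and NTP, and the list of other reflector protocols, share one signature from the victim's side: large volumes of unsolicited replies arriving from service ports on many hosts. The following is an added example, not code from the article, Arbor Networks or its Atlas/Peakflow system, showing how a network operator might flag that pattern in NetFlow-style records. The flow records, the `Flow` record layout and the thresholds are constructed for illustration; the service ports are the standard IANA assignments (NTP 123, DNS 53, SSDP 1900, Chargen 19, SNMP 161).

```python
"""Flag probable UDP reflection/amplification floods in NetFlow-style records.

Added example for this article; it is not code from the article, Arbor
Networks, or Atlas/Peakflow. The flow records and thresholds below are
constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple


# Well-known UDP service ports (IANA) that have been abused as reflectors.
# DVMRP is omitted: it rides on IGMP rather than a UDP port.
REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 1900: "SSDP", 19: "Chargen", 161: "SNMP"}

# Thresholds are assumptions for this example, not Arbor's figures.
MIN_REFLECTORS = 3        # distinct sources answering toward one destination
MIN_AVG_BYTES = 400       # mean bytes per packet; amplified replies run large
MIN_TOTAL_BYTES = 10_000  # ignore tiny bursts


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    bytes: int


def find_reflection_victims(flows: List[Flow]) -> Dict[str, dict]:
    """Return {victim_ip: summary} for destinations that look reflected at.

    A spoofed-source amplification attack shows up at the victim as many
    unsolicited replies (source port = a service port) from many hosts,
    each reply far larger than the request the victim never sent.
    """
    per_dst = defaultdict(lambda: {"bytes": 0, "packets": 0,
                                   "reflectors": set(), "protos": defaultdict(int)})
    for f in flows:
        proto = REFLECTOR_PORTS.get(f.sport)
        if proto is None:
            continue  # not a reply from a known reflector service
        acc = per_dst[f.dst]
        acc["bytes"] += f.bytes
        acc["packets"] += f.packets
        acc["reflectors"].add(f.src)
        acc["protos"][proto] += f.bytes

    hits: Dict[str, dict] = {}
    for dst, acc in per_dst.items():
        avg = acc["bytes"] / acc["packets"] if acc["packets"] else 0.0
        if (len(acc["reflectors"]) >= MIN_REFLECTORS
                and avg >= MIN_AVG_BYTES
                and acc["bytes"] >= MIN_TOTAL_BYTES):
            top = max(acc["protos"], key=acc["protos"].get)
            hits[dst] = {
                "protocol": top,
                "reflectors": len(acc["reflectors"]),
                "bytes": acc["bytes"],
                "avg_bytes_per_packet": round(avg, 1),
            }
    return hits


# Constructed sample: five NTP servers each push 20 large replies at one host
# (the victim), alongside ordinary NTP and DNS traffic that must not alert.
SAMPLE_FLOWS = [
    Flow(f"198.51.100.{i}", 123, "203.0.113.10", 40000 + i, 20, 9000) for i in range(1, 6)
] + [
    Flow("192.0.2.1", 123, "203.0.113.20", 51234, 1, 76),      # normal NTP sync reply
    Flow("192.0.2.53", 53, "203.0.113.21", 52000, 10, 1200),    # ordinary DNS answers
    Flow("192.0.2.54", 53, "203.0.113.21", 52001, 10, 1300),
]

if __name__ == "__main__":
    for victim, info in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{victim}: probable {info['protocol']} reflection from "
              f"{info['reflectors']} hosts, {info['bytes']} bytes, "
              f"{info['avg_bytes_per_packet']} B/pkt")
```

The check keys on the source port rather than the destination port because a reflection victim never sent the requests; the only fixed thing about the traffic it receives is that it comes from a service port. The per-packet size test is what separates amplified replies from ordinary time-sync or resolver traffic, and the thresholds would need tuning per network, since some legitimate traffic (large DNS answers, for instance) also produces big UDP packets from these ports. The same per-protocol grouping is what lets an operator decide whether the rate-limiting Arbor describes for NTP should be applied to other ports as well.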