According to the Verisign Distributed Denial of Service Trends report for Q1 2018 (January – March), the number of attacks increased 53% compared to Q4 2017 (October 1, 2017 – December 31, 2017). The peak attack size (volume) increased to 70 Gigabits per second (Gbps), at a speed of 7.4 million packets per second (Mpps). The average peak attack size was 11.2 Gbps, a 47% increase compared to Q4 2017 but a 21% year-over-year (Y-o-Y) decrease compared to Q1 2017; 39% of attacks were over 5 Gbps. The most common attack type mitigated was the User Datagram Protocol (UDP) flood, at 50% of attacks; 58% of attacks employed multiple attack types, with 32% of attacks employing four or more attack types.
Verisign observed a 53% increase in the number of attacks in Q1 2018 compared to Q4 2017 and a 47% increase in the average of attack peak sizes. From Q1 2017 to Q1 2018, Verisign observed a Y-o-Y decrease of 21% in the average of attack peak sizes. Verisign additionally observed that 67% of customers who experienced DDoS attacks in Q1 2018 were targeted multiple times during the quarter. Overall, DDoS attacks remain unpredictable and vary widely in terms of speed and complexity.
58% of DDoS attacks mitigated by Verisign in Q1 2018 employed multiple attack types. Verisign observed attacks targeting networks at multiple layers and attack types that changed over the course of a DDoS event. Today’s DDoS attacks require continuous monitoring to optimize mitigation strategies.
Continuing the trend, UDP flood attacks were the most common attack vector, accounting for 50% of total attacks in the quarter. The most common UDP floods included Domain Name System (DNS), Network Time Protocol (NTP), Lightweight Directory Access Protocol (LDAP), Simple Network Management Protocol (SNMP) and Memcached reflective amplification attacks.
The largest volumetric and highest-intensity DDoS attack observed by Verisign in Q1 2018 was a multi-vector attack that peaked at approximately 70 Gbps and over 7 Mpps. This attack sent a flood of traffic to the targeted network for about an hour. The attack consisted of a wide range of attack vectors, including TCP SYN and TCP RST floods, DNS amplification attacks, Internet Control Message Protocol (ICMP) floods and invalid packets.
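For monitoring on the defending side, the sketch below labels inbound flow records with the vectors named above and reports the Gbps, Mpps and vector mix for one time window. It is an added example, not code from Verisign or the report; the tuple layout, the 5% share threshold and the sample flows are constructed, and port-based labelling is a coarse first pass (legitimate DNS or NTP replies also arrive from these source ports).

```python
from collections import defaultdict

# Reflected replies arrive FROM the reflector's well-known UDP service port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "LDAP", 161: "SNMP", 11211: "Memcached"}

def classify(proto, src_port, flags):
    """Coarse vector label for one inbound flow (port and TCP-flag based)."""
    if proto == "udp":
        name = REFLECTOR_PORTS.get(src_port)
        return f"{name} amplification" if name else "UDP flood (other)"
    if proto == "tcp":
        if flags == "S":            # SYN only, no ACK
            return "TCP SYN flood"
        if "R" in flags:
            return "TCP RST flood"
        return "TCP (other)"
    return "ICMP flood" if proto == "icmp" else "other"

def summarize(flows, window_s, min_share=0.05):
    """Aggregate flows seen in one window into Gbps, Mpps and dominant vectors."""
    by_vector = defaultdict(lambda: [0, 0])      # label -> [bytes, packets]
    for proto, src_port, flags, nbytes, npkts in flows:
        acc = by_vector[classify(proto, src_port, flags)]
        acc[0] += nbytes
        acc[1] += npkts
    total_b = sum(b for b, _ in by_vector.values())
    total_p = sum(p for _, p in by_vector.values())
    # Ignore background noise: keep vectors carrying at least min_share of bytes.
    vectors = sorted(v for v, (b, _) in by_vector.items()
                     if total_b and b / total_b >= min_share)
    return {"gbps": total_b * 8 / window_s / 1e9,
            "mpps": total_p / window_s / 1e6,
            "vectors": vectors,
            "multi_vector": len(vectors) > 1}

# Constructed sample: (proto, src_port, tcp_flags, bytes, packets) over a 10 s window.
SAMPLE = [
    ("udp", 53, "", 30_000_000_000, 20_000_000),
    ("udp", 11211, "", 40_000_000_000, 28_000_000),
    ("tcp", 51000, "S", 6_000_000_000, 100_000_000),
    ("icmp", 0, "", 5_000_000_000, 50_000_000),
    ("udp", 33333, "", 100_000_000, 1_000_000),   # below the share threshold
]

if __name__ == "__main__":
    print(summarize(SAMPLE, window_s=10))
```

Re-running the summary per window shows when the vector mix changes during an event, which is the behaviour the report describes for multi-vector attacks.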