Data centres now ‘magnets’ for DDoS attacks, says Arbor report

Data centres have become “magnets” for DDoS attacks with many recording a marked rise in incidents during 2013, Arbor Networks’ latest Worldwide Infrastructure Security Report has found. 

During the year, the number of data centres experiencing DDoS attacks rose to 70 percent from less than half in 2012, the firm discovered from a customer survey backed up by trend data from its own Atlas global monitoring system.

Importantly, 26 percent said that DDoS attacks had exceeded the total data centre bandwidth, around double the number experiencing the same in the previous year. Ten percent had seen more than 100 attacks per month.

Standing back a bit and this shift to focus on data centres appears to be part of a trend to attack customers indirectly by attempting to overload their service providers. Eighty-three percent of data centre operators said they could see attacks up to layer 3 or 4 with only 23 percent able to see as far as layer 7.

As an aside, Arbor also noticed a tendency to rely on firewalls (56 percent) and IDS/IPS systems (42 percent) to battle DDoS attacks, probably by closing ports or filtering certain types of traffic. This s a drastic response although it might work on some occasions; it also stops useful applications from working at all, in effect killing service.

But DDoS mitigation firms have a vested interest in drawing attention to these limitations because they can be one way of getting around the need to use more sophisticated services.

It was less of a surprise that DDoS attacks sizes reached new peaks during 2013, including the notorious Spamhaus reflection attack that peaked at 309Gbps. Attacks above 100Gbps are now well documented, Arbor said, including those targeting specific parts of Internet infrastructure such as the open DNS servers that turned Spamhaus into a household name.

It is curious that amplification/reflection attacks should have continued to rise despite what happened to Spamhaus. “People became aware that there is a lot of infrastructure out there to do this. Spamhaus gave them the knowledge,” suggested Arbor EMEA solutions architect, Darren Anstee. SSL was another infrastructure target, he said.

“From the ISP to the enterprise, IT and security teams are facing a dynamic threat landscape and very skilled and patient adversaries,” said Arbor president, Matthew Moynahan. “There is no single, magic bullet solution and it is a mistake to think technology alone can secure a network. Multi-layered defenses are clearly needed, but so is a commitment to best practices for people and process.”

Disappointingly, Arbor devotes almost no space to the nature of the motivations behind DDoS. These will include low-level criminal enterprises and extortion through political activism. The larger unknown is the extent to which nation states are now conducting DDoS attacks as part of economic and political war. Thus far, vendors seem determined not to be drawn into speculating on this theme.