Distributed denial-of-service (DDoS) attack activity in Australia is shorter in duration, but still just as dangerous, according to DDoS and advanced threat protection company, Arbor Networks. In its latest Q1 DDoS attack report, it claimed that the average attack length was 22 minutes in Australia, compared to 46 minutes in Asia-Pacific.
The report, gathered through its global threat intelligence system, Atlas, compiles anonymised traffic data from Arbor Networks' 330 service provider customers.
Arbor Networks Australia country manager, Nick Race, said short bursts of DDoS attack activity require automated defences to protect against them.
“On-premises DDoS protection is essential for both detection and mitigation of attacks, enabling bad traffic to be scrubbed in an immediate and automated fashion. Additionally, integrating that on-premises protection to the Cloud is also critical,” he said.
The findings also indicated a dramatic increase in DDoS attack size and activity in Australia. The average attack size in Q1 2015 was 1.25Gbps, about twice the average attack size in Asia-Pacific.
According to Arbor Networks, the majority of these very large attacks leverage a reflection amplification technique using the Network Time Protocol (NTP), Simple Service Discovery Protocol (SSDP) and DNS servers, with large numbers of significant attacks being detected all around the world.
Reflection amplification is a technique that allows an attacker to both magnify the amount of traffic they can generate and obfuscate the original sources of that attack traffic: the attacker sends small requests to open servers with the victim's address forged as the source, so the servers' much larger responses are delivered to the victim, who sees only the reflectors' addresses. In Australia, SSDP topped the list of reflection attacks in Q1, with the largest SSDP attack reported at 26Gbps; the largest NTP reflection attack was 51Gbps.
The company added that this technique relies on two unfortunate realities. First, around half of service providers do not implement filters at the edge of their network to block traffic with a forged source IP address (the source address validation described in BCP38).
Second, there are plenty of poorly configured and poorly protected devices on the Internet providing UDP services whose responses are many times larger than the queries sent to them, giving the attacker an amplification factor between query and response.
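The two realities above map onto two checks a network operator can run. As an added example (not Arbor Networks' code or anything from the report), the Python below first runs a simple reflection-attack detector over constructed NetFlow-style records, flagging destinations that receive high-volume UDP traffic from many distinct sources that all use a well-known amplifier service port (NTP/123, SSDP/1900, DNS/53), and then implements the BCP38 ingress check a provider would apply at a customer edge, dropping any packet whose source address is outside that customer's assigned prefixes. All addresses, prefixes, byte counts and thresholds are constructed for the example.

```python
"""
Added example, not part of the original article or Arbor Networks' tooling.
Two checks that correspond to the two sides of reflection amplification:
  1. detect_reflection(): spot reflected/amplified traffic arriving at a victim.
  2. ingress_filter():    the BCP38 source-address check that would have dropped
                          the attacker's forged requests at the provider edge.
All sample data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Well-known UDP services abused as reflectors; at the victim this is the *source* port.
AMPLIFIER_PORTS = {123: "NTP", 1900: "SSDP", 53: "DNS"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    octets: int
    packets: int


# Constructed flow records: victim 203.0.113.10 receives SSDP responses from 12 reflectors
# and NTP responses from 8 reflectors; 203.0.113.20 sees only ordinary traffic.
SAMPLE_FLOWS = [
    Flow("198.51.100.%d" % (1 + i), 1900, "203.0.113.10", 40000 + i, "udp", 1500 * 40, 40)
    for i in range(12)
] + [
    Flow("198.51.100.%d" % (50 + i), 123, "203.0.113.10", 50000 + i, "udp", 468 * 30, 30)
    for i in range(8)
] + [
    Flow("192.0.2.5", 443, "203.0.113.20", 51234, "tcp", 12000, 20),  # normal HTTPS
    Flow("192.0.2.53", 53, "203.0.113.20", 33333, "udp", 512, 1),     # one legitimate DNS answer
]


def detect_reflection(flows, min_sources=5, min_bytes=100_000):
    """Aggregate UDP flows whose source port is an amplifier service, per destination.

    A destination is flagged when many distinct reflectors (min_sources) together
    deliver at least min_bytes. Many sources all answering from the same service
    port is the signature of reflection; the per-packet size hints at amplification.
    Returns findings sorted by total bytes, largest first.
    """
    agg = defaultdict(lambda: {"srcs": set(), "octets": 0, "packets": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port not in AMPLIFIER_PORTS:
            continue
        a = agg[(f.dst_ip, AMPLIFIER_PORTS[f.src_port])]
        a["srcs"].add(f.src_ip)
        a["octets"] += f.octets
        a["packets"] += f.packets

    findings = []
    for (dst_ip, service), a in agg.items():
        if len(a["srcs"]) >= min_sources and a["octets"] >= min_bytes:
            findings.append({
                "dst_ip": dst_ip,
                "service": service,
                "reflectors": len(a["srcs"]),
                "total_bytes": a["octets"],
                "avg_pkt_bytes": a["octets"] // a["packets"],
            })
    return sorted(findings, key=lambda x: -x["total_bytes"])


# Constructed: the prefix assigned to the customer behind a given provider edge port.
CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]


def ingress_filter(src_ip, customer_prefixes):
    """BCP38 source address validation at the provider edge.

    Accept a packet only if its source address lies within the prefixes assigned to
    the customer on that port. An attacker on this link forging the victim's address
    (203.0.113.10) as the source of NTP/SSDP/DNS requests fails the check, and the
    reflectors never see the request.
    """
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in customer_prefixes)


if __name__ == "__main__":
    for hit in detect_reflection(SAMPLE_FLOWS):
        print("%(dst_ip)s  %(service)-4s  reflectors=%(reflectors)d  "
              "bytes=%(total_bytes)d  avg_pkt=%(avg_pkt_bytes)d" % hit)
    for src in ("198.51.100.7", "203.0.113.10"):
        verdict = "permit" if ingress_filter(src, CUSTOMER_PREFIXES) else "drop (spoofed)"
        print("edge ingress from %s: %s" % (src, verdict))
```

The detector deliberately keys on source port rather than destination port: from the victim's side the amplified responses arrive *from* port 123/1900/53, which is what distinguishes them from a victim's own outbound queries. The ingress filter is the operator-side fix; it does nothing for a victim, but if widely deployed it removes the forged-source requests that the whole technique depends on.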