Security Predictions for 2015: #2 – A New DDoS Amplification Attack Will Emerge
Over the past two years, cybercriminals and other mischief-makers have exploited DNS and NTP servers to amplify the size of their DDoS attacks. With DNS and NTP amplification attacks, an attacker spoofs, or impersonates, the attack target and sends a small request to a reflector, which is a server that replies with a much larger response to the victim, flooding the victim’s network.
DNS amplification attacks can increase the size of DDoS attacks by up to 54 times, while NTP amplification attacks can magnify DDoS onslaughts by a factor of 556 times. But DNS and NTP are not the only culprits of amplification attacks. Attackers can also leverage SNMP, NetBIOS, and other protocols to launch amplification attacks. Attackers have even exploited WordPress applications to carry out large-scale DDoS assaults.
Amplification has contributed to the escalating size of DDoS attacks. Between 2011 and 2013, DDoS attacks grew in average size from 4.7 to 10.0 Gbps[i]. But the real story has been the increase in the average packets per second for typical DDoS attacks; in fact, DDoS attack rates have skyrocketed 1,850% percent to 7.8 Mpps between 2011 and 2013. Many of the largest DDoS attacks over the past two years have been amplification attacks.
We predict that in 2015, a new type of DDoS amplification attack will make headlines. While DNS and NTP amplification took the security world by storm in 2013 and 2014, attackers will uncover and exploit a yet unknown attack next year. Attackers continually investigate new attack vectors, as witnessed by the recent discovery of DVMRP-based reflection attacks. Disclosed by Team Cymru, Distance Vector Multicast Routing Protocol (DVMRP) reflection attacks have already been observed by service providers.
To protect against amplification attacks in 2015, organizations should deploy security equipment that can mitigate large-scale DDoS attacks.