Does anyone still care about the size of DDoS attacks? Ever since Spamhaus was on the receiving end of an infamous 300Gbps DNS reflection attack in March 2013, numbers have been the story, preferably as big as possible to justify attention.
But DDoS attacks haven’t exploded in size since then, far from it. By and large, more modest DDoS attacks have migrated to smaller, less protected networks as larger datacentres have bought bigger sinkholes. Cybercriminals have run through as many protocols as they can find in an effort to boost size using reflection storms.
Only days ago on 14 June, Imperva’s anti-DDoS wing Incapsula recorded a maximum 470Gbps “brute of an assault” designed to bring down a Chinese gambling firm. The first and biggest wave lasted four hours but was followed by others over several days.
Superficially, this looks smaller than the New Year’s Eve attack on the BBC iPlayer site, claimed to have reached 600Gbps, although that number has never been confirmed and many doubt it without hard evidence. Only days after that, Arbor Networks reported a more reliable attack number of 500Gbps dating back to an incident in 2015.
If that is the largest DDoS ever reported publicly, the recent Imperva attack pushes it close for the crown of being the biggest and baddest. The Imperva attack also had the unusual feature that the attackers deployed nine different packet types, starting with a SYN flood before trying old-fashioned UDP and TCP.
Imperva, of course, is only telling us all this because it successfully mitigated the attack, which is probably the real story. Attackers are still occasionally trying massive attacks but mitigation is often up to the challenge. This probably merely displaces attacks elsewhere, on to softer targets for which even a small DDoS spells trouble.
Big DDoS attacks will continue to happen from time to time but it’s a mistake to get too caught up in numbers. Size really isn’t everything, even on the Internet. What matters now is the frequency of attacks and the costs of mitigating them. An entire industry is being built on this realisation.
It is worth reading our case study of a German payment services firm that was also recently threatened with a much smaller DDoS and decided to come clean about it before anything happened. The attackers were probably bluffing (another trend in DDoS not always commented on). This is closer to the reality of DDoS’s effect on the world than the rare big-packet events.
If super-massive DDoS attacks are like a multi-car crash pile-up, most network and website owners experience unwanted traffic as an expensive body scrape.