Verisign Study Reveals Decrease in DDoS Attacks in Q3 2017

Verisign's Distributed Denial of Service Trends study covers attack trends observed from July through September, the third quarter of 2017 (“Q3 2017”). It includes attack statistics, behavioural trends and future outlook, compiled on the basis of observations and insights about attack frequency and size obtained from mitigations enacted on behalf of customers of Verisign DDoS Protection Services.

Verisign observed the following key trends in Q3 2017:

  • Number of attacks: 17% decrease from the second quarter of 2017 (“Q2 2017”) to Q3 2017
  • Peak attack size: 2.5 gigabits per second (Gbps) by volume; 2.3 million packets per second (Mpps) by speed
  • Average peak attack size: <1 Gbps (70% decrease compared to Q2 2017); 30% of attacks over 1 Gbps
  • Most common attack mitigated: 56% of attacks were User Datagram Protocol (UDP) floods; 88% of attacks employed multiple attack types

DDoS Attacks Decrease in Volume But Remain Unpredictable

When comparing Q3 2017 to Q2 2017, Verisign saw a 17 percent decrease in the number of attacks, and a 70 percent decrease in the peak size of the average attack. Attackers continue to launch repeated attacks against their targets. In fact, Verisign observed that 45 percent of customers who experienced DDoS attacks in Q3 2017 were targeted multiple times during the quarter. DDoS attacks remain unpredictable and vary widely in terms of speed and complexity.

Multi-Vector DDoS Attacks Remain the Norm

Eighty-eight percent of DDoS attacks mitigated by Verisign in Q3 2017 employed multiple attack types. Verisign observed attacks targeting networks at multiple layers and attack types that changed over the course of a DDoS event. Today’s DDoS attacks require continuous monitoring so that mitigation strategies can be tailored more efficiently.

Types of DDoS Attacks

UDP flood attacks dominated in Q3 2017, accounting for 56 percent of total attacks in the quarter. The most common UDP floods included Domain Name System (DNS), Network Time Protocol (NTP), Simple Service Discovery Protocol (SSDP), Character Generator Protocol (CHARGEN) and Simple Network Management Protocol (SNMP) reflective amplification attacks.

Largest Volumetric Attack and Highest Intensity Flood Attack

The largest volumetric DDoS attack observed by Verisign in Q3 2017 was a multi-vector attack that peaked at approximately 2.5 Gbps and around 1 Mpps for one hour. The attack consisted of a wide range of attack vectors, including TCP SYN and TCP RST floods; DNS, ICMP and Chargen amplification attacks; and invalid packets. The different attack vectors required continuous monitoring and changing of countermeasures to mitigate effectively.

The highest intensity packet flood in the quarter, consisting of TCP SYN and UDP floods mixed with invalid packets, peaked at approximately 2.3 Mpps and around 1 Gbps. That attack lasted approximately two and a half hours.

Mitigations on Behalf of Verisign Customers by Industry for Q3 2017

  • IT Services/Cloud/SaaS
      • 45% of mitigations
      • .76 Gbps remains the average attack size
  • Financial
      • 20% of mitigations
      • .63 Gbps remains the average attack size
  • Media and Entertainment content
      • 15% of mitigations
      • 38 Gbps remains the average attack size
  • Energy
      • 15% of mitigations
      • .52 Gbps average attack size
  • E-commerce and online advertising
      • 5% of mitigations
      • .61 Gbps remains the average attack size