The average size of DDoS attacks has grown exponentially over the years. While a 10Mbps flood can be enough to bring down most home (DSL and cable) users, data centers and, especially, providers specializing in DDoS protection services are seeing attacks from 40Gbps to 400Gbps. The increase in attack intensity over the last couple of years can only be attributed to the new amplification attack vectors that have become fairly widespread. As someone who keeps an eye on day-to-day attacks at QuadraNet, I can positively confirm that it’s been a very long time since I’ve seen an ICMP flood, which used to be one of the primary attack vectors many years ago. In this day and age, it’s rare for an attack not to use one of the several amplification attack vectors that have become popular.
As IPv6 inevitably gains in popularity, we can expect to see a growing number of attacks levelled over the v6 protocol. One major concern with IPv6 is the sheer number of addresses available in a 64-bit address block. Attacks aimed at a large number of different addresses behind a single router, for instance, have the potential to create a huge “neighbor cache” list in the router and consume an immense amount of CPU and memory. This is especially troublesome for routing done in software. While this is just an example (Cisco has an interface-limit to mitigate the impact of this specific case), we shouldn’t be surprised to see attacks of a similar nature in the coming months.
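A monitoring check for the neighbor-cache growth described above, added here as an example and not taken from the original post. It assumes a Linux-based software router and reads a snapshot in the format printed by `ip -6 neigh show`; the sample table and the thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format printed by Linux `ip -6 neigh show`.
SAMPLE = """\
2001:db8:0:1::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:0:1::20 dev eth0 lladdr 00:11:22:33:44:66 STALE
fe80::1 dev eth1 lladdr 00:11:22:33:44:77 router REACHABLE
2001:db8:0:2::a1f3 dev eth1  INCOMPLETE
2001:db8:0:2::9c02 dev eth1  FAILED
2001:db8:0:2::77be dev eth1  INCOMPLETE
2001:db8:0:2::e410 dev eth1  INCOMPLETE
2001:db8:0:2::5d99 dev eth1  FAILED
"""

# States of entries that never resolved to a link-layer address.
UNRESOLVED = {"INCOMPLETE", "FAILED"}
LINE = re.compile(r"^(?P<addr>\S+)\s+dev\s+(?P<dev>\S+)\b.*?\s(?P<state>[A-Z]+)$")

def summarize(text):
    """Return {interface: Counter(state -> count)} for one table snapshot."""
    per_if = defaultdict(Counter)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            per_if[m["dev"]][m["state"]] += 1
    return per_if

def flag_interfaces(text, min_unresolved=4, max_ratio=0.5):
    """Interfaces whose unresolved entries are both numerous and dominant.

    Thresholds are illustrative; tune them against a normal baseline.
    """
    flagged = {}
    for dev, states in summarize(text).items():
        unresolved = sum(states[s] for s in UNRESOLVED)
        total = sum(states.values())
        if unresolved >= min_unresolved and unresolved / total > max_ratio:
            flagged[dev] = (unresolved, total)
    return flagged

if __name__ == "__main__":
    for dev, (bad, total) in flag_interfaces(SAMPLE).items():
        print(f"{dev}: {bad}/{total} neighbor entries unresolved")
```

A cache dominated by entries that never resolve on one interface is the signal to alert on, and the per-interface limit mentioned above is what bounds the damage while the alert is handled.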
This is part 3 of a 3-part series on DDoS attacks in 2014 and how you can help prevent them.