Link11 DDoS report Q1 2018: The Threat Takes on a New Dimension

Adobe Stock: 139166193

Reflection amplification attacks and the resulting DDoS tsunamis aggravated the already high DDoS threat situation in the first quarter of 2018. The attacks also grew in frequency as well as complexity.

In the first quarter of 2018, the Link11 Security Operation Center (LSOC) recorded a 10% increase in attacks compared with the preceding quarter. From January to March, 14,736 attacks were launched on Link11 customers. This meant an average of 160 attacks per day, which affected the hosting/IT, gaming, retail, e-commerce, logistics, media, and finance industries. In 12 attacks, the attack volume exceeded 100 Gbps.

Marc Wilczek, Managing Director of Link11: "The high-volume vectors mark a new era in IT security. When it comes to DDoS protection we need to start thinking in new dimensions, where there are no limits to attack volumes and no limits on the protection of vast corporate multicloud structures."

Memcached reflection and SSDP reflection attack volumes on the rise

The LSOC identified two key vectors that were responsible for the large bandwidths. First, the attackers are using SSDP to inflate the bandwidths. In the first quarter, the share of SSDP attacks amounted to 27%, more than ever before. The second key attack method was memcached reflection, which had been unknown prior to the first quarter. The LSOC was one of the first IT security firms to register the initial memcached reflection attacks on the morning of February 25. Another 157 attacks of this type followed in the course of the first quarter.

Onur Cengiz, Head of the LSOC: "This new attack technique with memcached reflection seemed to come out of nowhere, though the weakness it exploited had been identified a long while back. There are many more such potential entry gates for DDoS attackers, and their threat potential may be as high as for memcached reflection.

More information is provided in the full Link11 DDoS report for Q1 2018. Current data on DDoS attacks, attempts, and numbers can be found in the Link11 DDoS blog.