The average attack bandwidth seen by Prolexic during the first quarter of 2013 was of 48.25 Gbps, an eightfold increase over the last quarter of 2012, when attack bandwidth averaged at 5.9Gbps.
The size of a high-profile attack last month against a spam-fighting organization called Spamhaus that was reported to have peaked at over 300Gbps, making it the largest in history, was grossly overestimated, Prolexic said in its report. However, Prolexic did mitigate a 130Gbps attack in March, it said.
About 25 percent of attacks against Prolexic's customers during the first three months of 2013 were modest and had an average bandwidth of under 1Gbps. However, 11 percent had an average bandwidth of more than 60Gbps, suggesting that attackers are becoming more organized and better equipped to launch large-scale attacks, the company said.
Such large-volume attacks are achieved with the help of botnets composed of compromised Web servers instead of PCs. Once compromised, these servers are controlled via rogue PHP scripts. This is the same method that has been used by a group called Izz ad-Din al-Qassam Cyber Fighters to attack U.S. financial institutions.
It's not just the bandwidth of attacks that increased, but also their packet-per-second (pps) rates, which averaged at 32.4 million pps during the first quarter of the year, Prolexic said.
While a large attack bandwidth might overload a target's Internet uplink, leaving it unable to handle other legitimate traffic, a high packet-per-second rate can create problems for the routing and other networking equipment of ISPs, carriers and even DDOS mitigation providers.
"Most mitigation equipment tends to be limited by pps capacity, not Gbps," Prolexic said. "But it's not just mitigation equipment that struggles against these high pps attacks. Even routers that carry traffic to the mitigation gear have trouble with packet rates at this level. As a result, we are entering a situation where simply moving such a large amount of attack traffic to a scrubbing center can be problematic," the company said.
The number of DDOS attacks in Q1 2013 increased by 1.75 percent over the last quarter of 2012 and by 21.75 percent over the same period of last year. Attacks targeting the infrastructure layer represented more than a third of all attacks observed during the first three months of the year, a rise of 3.65 percent over the previous quarter.
"What defined this quarter was an increase in the targeting of Internet Service Provider (ISP) and carrier router infrastructures," Prolexic said.
The top source country for DDOS attacks in Q1 2013 was China, which accounted for 40.68 of botnet sourced activity and was followed by the U.S. at 21.88 percent, Germany at 10.59 percent and, surprisingly, Iran with 5.51 percent.
"Prolexic has seen a steady pattern of country-sourced botnet traffic across many quarters," the company said. "Iran, though, has not been included in the top 10 source countries before. It is expected that countries with the largest network infrastructures would have more incidents of botnet infection, so the appearance of Iran at number four definitely stands out."
This is the second quarter in a row when Russia, which historically has been an active region for DDOS attacks, did not make it into the top 10 DDOS source countries. However, there was an increase of DDOS traffic originating from Brazil, which validates the steady increase of botnet activity in South America, Prolexic said.