Report: DDoS attacks growing more complex, larger

Distributed denial of service, or DDoS, attacks are getting more complex, with nearly two-thirds involving multiple kinds of attack traffic, according to new figures.

Distributed denial of service attacks — long serving as the weapon of choice for low-skill hackers — are getting more complex, with nearly two-thirds involving multiple kinds of attack traffic, according to new figures.

The figures, from Internet infrastructure giant Verisign, cover the second quarter of 2016. They show that DDoS attacks also continue to grow in size. The average peak size of all the attacks experienced by Verisign customers during Q2 was 17.37 Gigabytes per second.

Although that’s down very slightly from Q1 (19.37 Gbps), it’s more than triple the average peak for Q2 last year (5.53 Gbps).

The largest attack the company mitigated during the quarter peaked at more than 250 Gbps, the report states.


But it’s the growth in the complexity of the attacks that’s more attention-grabbing.


Nearly two-thirds of DDoS attacks used more than one form of attack traffic. Source: Verisign

DDoS attacks flood their targets with fake traffic, overwhelming websites so legitimate visitors can’t get access, or bombarding other public-facing infrastructure.

Just over a third of attacks in Q2, 36 percent of them, used a single form of attack traffic. Nearly as many, 29 percent, used two kinds; 19 percent three; 7 percent four; and 9 percent used five or more different kinds.

User Datagram Protocol (UDP) floods continued to be the most common form of attack traffic in Q2, being used in 56 percent of DDoS attacks experienced by Verisign customers. The next most common form of attack traffic was Transmission Control Protocol (TCP) requests, which featured in 18 percent.


But Verisign says one of the most troubling tactics is the growing use of application layer, or layer seven, attacks. The application layer is the part of the stack that communicates directly with the end user, and attackers typically use HTTP requests, which makes the attack traffic hard to distinguish from genuine traffic.

“Application layer attacks … are some of the most difficult attacks to mitigate because they mimic normal user behavior and are harder to identify,” states the report.

Since these attacks can include SQL injection, which sends nefarious instructions to web databases, they can be used to steal information and are often accompanied by much larger UDP or TCP floods, which act as a distraction, pulling company managers’ attention away from the real attack.

Shaun Waterman
