Skip to content

Size DOESN'T Matter When It Comes To DDoS Attacks

The biggest DDoS attacks grab headlines, but impact matters more than size. Learn what defenders should really measure.

Since 2008, I have tracked the DDoS landscape as both a researcher and security professional. During this time, I have monitored hacktivists' use of DDoS as a protest tool during Operation Chanology, helped protect targets during Operation Avenge Assange, countered the Al Qassam Cyber Fighters during Operation Ababil, and defended organizations against NoName057(16).

Throughout these 18 years, one trend has remained constant: both the frequency and magnitude of attacks have increased steadily.

And vendors have always stepped in to remind us of these ever-increasing numbers. It's even become a bit of an "arms race" to see who can beat the others to be the current record holder. I've even played this game a bit.

Why the Size Hype?

But have you ever thought about why DDoS mitigation vendors constantly talk about attack size?

There are several reasons for this. The first is that DDoS attacks are largely hidden from public view. DDoS attacks happen literally every hour of every day, targeting organizations of all sizes across every industry. The vast majority are mitigated so quickly and efficiently that they never cause a noticeable impact. The attackers simply move on to a different target, and most victims never even realize an attack occurred. Because these attacks rarely make headlines, the general public has little visibility into how frequently they occur.

The second reason is that DDoS is, for the most part, not particularly exciting from a technical standpoint. Occasionally, a new technique or attack platform will emerge and capture our attention, but most developments in DDoS attacks are incremental. These gradual evolutions are typically defeated by the same well-established countermeasures that the industry has relied on for the past three decades: mitigation appliances, CDNs, ISP clean pipes, routed mitigation services, and remotely-triggered black holes. In other words, while attackers may refine their approach, the fundamentals of how DDoS attacks are carried out and defended against have remained largely unchanged over time.

The final reason for the focus on attack magnitude is that media coverage and news cycles prioritize records and milestones. Reporting on foundational security improvements, such as updating compromised routers, securing DNS servers to prevent amplification attacks, or implementing firewall rules to block memcached traffic, lacks the dramatic appeal needed for headlines. These essential maintenance tasks, while critical to network resilience, generate little media attention. As a result, the only aspect that captures newsworthy interest is the pursuit of new records in attack size and scale, driving both attacker motivation and public perception of DDoS threats.

Attack Size Doesn't Matter

But the truth is that for the most part, the size of DDoS attacks doesn't matter.

Over capacity is over capacity, and attackers don't have to send large attacks. It doesn't matter whether you receive 1 Mbps or 1 Tbps over your capacity; you'll still experience an outage. You don't have a way to measure the size of an attack that exceeds your capacity.

Smart attackers who have put in the work to build a large attack platform also know that when they use any of their nodes in an attack, a percentage of those nodes will get cleaned up by the network owner. The larger the attack, the more nodes will get cleaned up. It is to their advantage to use as few resources as possible to achieve their goal. Smart attackers combine smaller attack sizes, attack-load distribution, and target-availability monitoring to conserve their resources.

Large attacks are sometimes indirectly caused by mitigation providers. When a determined attacker sees that they have failed to disrupt the service because a mitigation provider is protecting the target, they will change their attack. This could be a different target, a different technique, or an increase in the number of attacking nodes or bandwidth per node.

The maximum attack size typically peaks at an incredibly short duration of 60 seconds or less. Most DDoS monitoring tools don't capture this maximum attack size because their sampling period is too long. The average or sustained rate is much smaller. Peaks can also be caused by a lag in the sending network or the monitoring tool.

And lastly, the size of an attack can be gamed, embellished, or faked. Nobody else can measure an attack against the major mitigation providers, especially during peaks. Incoming attack traffic can be measured in bits per second, packets per second, or application requests per second. If your platform is a CDN, you can measure the attack in the size of HTTP response objects, which are thousands of times bigger than the incoming attack traffic.

The Size of Attacks Does Matter, Sometimes

However, the size of attacks can't be completely ignored. Beyond the hype, size does matter in a handful of ways for defenders.

Only a select group of mitigation vendors, primarily content delivery networks (CDNs) and routed mitigation providers, possess the extensive network capacity required to absorb and neutralize these massive, large-scale attacks. In contrast, other providers that lack this level of infrastructure must rely on alternative defensive techniques, such as blackholing, to protect their networks and their customers from being overwhelmed during an attack.

Routed mitigation providers carefully monitor the size of current attacks when planning and scaling their network capacity. Ideally, they aim to maintain a capacity that is 3-4x greater than the largest observed attack. This sizing ensures they can simultaneously mitigate multiple large-scale attacks without any localized impact on their customers. Without this level of headroom, even a single record-breaking attack could strain resources and compromise the quality of protection delivered to those relying on their infrastructure.

When an attack platform grows to a size approaching the current record, it draws significant attention and becomes the focus of coordinated working groups. These groups typically consist of law enforcement agencies, DDoS mitigation vendors, large infrastructure and cloud providers, and independent security researchers. Working collaboratively, these groups focus on dismantling the platform through a range of actions, including disabling the underlying infrastructure, seizing associated domains, and pursuing legal action against those responsible for its creation and operation. This collective response helps ensure that record-breaking attack platforms are identified and neutralized before they can cause widespread damage.

While DDoS attack sizes continue to reach intimidating new heights, security teams must separate the hype from the reality. Sensational headlines often obscure the fact that the fundamental DDoS defense strategies remain highly effective. Rather than focusing solely on the scale and magnitude of these record-breaking attacks, network and security operations teams should deploy layered mitigation technologies and monitor their networks to detect attacks early, so they can be mitigated before they reach record sizes.

By mastering these core principles, organizations can confidently protect the availability of their networks, services, and applications, regardless of how large the next headline-making attack might be.

HOU.SEC.CON CTA

Latest