UPDATED 14:04 EDT / JANUARY 05 2015

Looking back at DDoS in 2014: Most enduring attack trends

Attackers use distributed denial of service (DDoS) attacks to disrupt websites by bombarding them with traffic from multiple sources, resulting in online service becoming unavailable for a period of time. As a tool of distraction and frustration, DDoS has been with the Internet almost since its inception, and during 2014 it saw a lot of use.

DDoS can be used not only to incapacitate online services or to extort ransom, but also to mask other cybercriminal activity, such as a targeted attack on a company to gain access to its confidential data.

The use of DDoS during 2014 drew a lot of attention to the power it puts in the hands of Internet mayhem groups such as Lizard Squad and DerpTrolling: the power to disrupt the lives of millions of customers (for example, the Christmas Day attacks against PlayStation Network and Xbox LIVE) and to cost companies potentially thousands or millions of dollars.

One thing is certain: DDoS attacks are not going away and we can expect them to get smarter in 2015. However, while predicting the future of DDoS is difficult, here’s a look back at what happened in DDoS in 2014.

2014 DDoS attack highlights

While it looks like the overall size of attacks during 2014 has fallen, the number of targets is still quite impressive. The peak bandwidth used by DDoS attacks has increased year over year: in 2014, Symantec observed the first attack to peak at 400 Gbps, whereas in 2013 the maximum reached was 300 Gbps.

The State of the Internet report revealed that the total number of DDoS attacks from July to October (Q3) increased by 22 per cent compared to the same period last year. Besides the increased frequency, the average attack bandwidth has also grown by 389 per cent from last year, and by 80 per cent compared to the previous quarter. Asia accounted for more than a third of global DDoS attack traffic, with a 36 per cent share in 2014.

Incapsula worked with 270 companies from different industry verticals and found that 49% of DDoS attacks in 2014 lasted between 6 and 24 hours. With an estimated cost of $40,000 per hour, this puts the average cost of a DDoS attack at about $500,000, with some running significantly higher. Costs are not limited to the IT group; they also have a large impact on units such as security and risk management, customer service, and sales.

The first half of 2014 witnessed the most volumetric DDoS attacks on record. According to the Q2 ATLAS report released by Arbor Networks, the number of DDoS events exceeding 20 Gbps in Q1 2014 was double that of 2013, and more than 100 events above 100 Gbps have been recorded this year.

In the first half of the year, the most volumetric DDoS attacks on record were seen, with more than 100 events exceeding 100 Gbps reported; attacks reaching 20 Gbps were also recorded around the middle of the year. The largest reported attack in Q2 was 154.69 Gbps, an NTP reflection attack launched against a Spanish target.

The second quarter of 2014 had several massive attacks that skewed the data somewhat and led to an average attack size of 12.42 Gbps. Verisign reported an average attack size of 4.60 Gbps.

The largest DDoS attack observed during Q3 2014 was 15.2 Gbps on September 3, a marked decline from previous peaks. The attackers used a technique known as NTP amplification: a small packet is sent to a Network Time Protocol (NTP) service, which responds with a much larger packet, and that response goes to the victim because the attacker has forged the source address the NTP server replies to. This amplifies the attack significantly, especially when the attacker can hit many vulnerable NTP services at once.
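From the defender's side, the reflection pattern just described shows up in flow data as many distinct NTP servers sending oversized UDP replies (source port 123) to one destination. The following detector is an added example, not code from the article or any vendor mentioned in it; the flow records are constructed, the CSV layout and the thresholds are assumptions, and the 48-byte figure is the size of a normal NTP packet rather than anything the article states.

```python
from collections import defaultdict, namedtuple

# Constructed sample flow records (not from the article): three NTP servers
# send oversized UDP/123 replies to 203.0.113.5, two send normal 48-byte
# replies to 203.0.113.9, and the last line is unrelated TCP traffic.
SAMPLE_FLOWS = """\
src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
198.51.100.10,123,203.0.113.5,80,udp,1200,540000
198.51.100.11,123,203.0.113.5,80,udp,900,410000
198.51.100.12,123,203.0.113.5,443,udp,1500,690000
192.0.2.20,123,203.0.113.9,40001,udp,4,192
192.0.2.21,123,203.0.113.9,40002,udp,4,192
192.0.2.30,443,203.0.113.9,51000,tcp,40,30000
"""

# A normal NTP client/server packet is 48 bytes; abused monlist replies run
# to several hundred bytes each, which is where the amplification comes from.
NTP_REPLY_BYTES = 48

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto packets bytes")

def parse_flows(text):
    """Parse CSV flow records (header line skipped) into Flow tuples."""
    flows = []
    for line in text.strip().splitlines()[1:]:
        s, sp, d, dp, proto, pk, by = line.split(",")
        flows.append(Flow(s, int(sp), d, int(dp), proto, int(pk), int(by)))
    return flows

def detect_ntp_amplification(flows, min_sources=3, min_avg_bytes=200):
    """Return {victim_ip: summary} for hosts receiving oversized UDP replies
    from source port 123 across many distinct NTP servers, the spoofed-source
    reflection pattern described above. Thresholds are tunable assumptions."""
    per_victim = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port != 123:
            continue  # only reflected NTP responses are of interest
        v = per_victim[f.dst_ip]
        v["sources"].add(f.src_ip)
        v["packets"] += f.packets
        v["bytes"] += f.bytes
    alerts = {}
    for victim, v in per_victim.items():
        avg = v["bytes"] / max(v["packets"], 1)
        if len(v["sources"]) >= min_sources and avg >= min_avg_bytes:
            alerts[victim] = {"sources": len(v["sources"]),
                              "avg_bytes_per_pkt": round(avg, 1),
                              "amplification": round(avg / NTP_REPLY_BYTES, 1)}
    return alerts
```

Running `detect_ntp_amplification(parse_flows(SAMPLE_FLOWS))` flags only 203.0.113.5, with an average reply of about 456 bytes per packet, roughly 9.5 times a normal NTP response; the host receiving ordinary 48-byte replies from two servers is left alone.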

Top DDoS attack and trends in 2014

According to the Black Lotus Q3 2014 Threat Report, attackers are working smarter, not harder. This is significant because very few companies or organizations have the network infrastructure needed to absorb such attacks. Companies with very popular websites, such as Google or Facebook, may be able to handle such high-bandwidth floods, but most are not equipped to do so, and smaller networks that lack heavy-duty networking equipment to mitigate massive floods are worse off still.

Technology market research firm Infonetics Research released its DDoS Prevention Appliances report, which found that DDoS mitigation hardware significantly outperformed the network and content security product markets through the first three quarters of 2014. Large enterprises and service providers looked to protect their networks from ever-larger and more sophisticated attacks, and from attackers who are even starting to use DDoS as a smokescreen for other infiltrations.

According to the report, worldwide revenue for DDoS prevention appliances reached $110 million in 3Q14, and the mobile segment of the DDoS prevention hardware market is forecast to grow at a healthy 26% compound annual growth rate (CAGR) from 2013 to 2018. Last year, the market share leaders in DDoS prevention appliance revenue were Arbor Networks, GenieNRM, and Radware.

Gaming sites have historically been vulnerable to DDoS attack. In August, Sony PlayStation Network, Microsoft's Xbox Live, Blizzard's Battle.net, and Grinding Gear Games reported massive network disruptions caused by large-scale DDoS attacks. The PSN service attacks appear to have been perpetrated by a hacker who goes by the Twitter moniker @Famedgod and by a group known as @LizardSquad; both have claimed credit for the attacks. The popular science fiction game EVE Online also staggered under an attack that took it offline for more than 12 hours.

PSN and Xbox Live both came under denial-of-service attack again on Christmas Day. Lizard Squad, the group mentioned above, was briefly placated during the attack after receiving Megaprivacy vouchers from Mega founder Kim Dotcom.

In September, Destiny, a science fiction shooter from Bungie, Inc., and Call of Duty: Ghosts, the most recent installment of a very popular series, both suffered massive DDoS attacks that knocked the games offline over a weekend. The attacks were credited to the Twitter-based hacker group calling itself Lizard Squad, which managed to knock servers for both games offline on both PlayStation Network (PSN) and Xbox LIVE.

In February it emerged that British spy agency GCHQ had, several years earlier, launched a secret war against the infamous hacktivist collective Anonymous and a splinter group known as LulzSec. GCHQ carried out seemingly illegal DDoS attacks against the collective, flooding their chatrooms with so much traffic that they became inaccessible, all with the approval of the British government.

The news aggregator Feedly and the digital workspace Evernote came under distributed denial of service attack from cyber criminals in June. As is the nature of DDoS attacks, there was no data loss and no accounts were compromised. In the same month, the genealogy website Ancestry.com was hit by a DDoS attack that also impacted its sister site Find a Grave.

The Bitcoin community saw DDoS attacks in 2014 as well: the Silk Road 2.0 site was struck in September, the online forum Bitcointalk.org went offline in November due to a DDoS attack, and the Bitcoin exchange BTC-e reported a DDoS attack against its trading server in April.

All these attacks highlight the need for DDoS protection capabilities beyond the standard defenses of over-provisioning bandwidth and deploying on-premise mitigation devices, which are rendered ineffective the moment an attack exceeds an organization's upstream bandwidth or its Internet service provider's capacity.

The frequency of very large attacks continues to be an issue, and organizations should take an integrated, multi-layered approach to protection. Even organizations with significant Internet connectivity can now see that capacity exhausted relatively easily by the attacks currently under way.

It is critical in 2015 that enterprise defenses continue to keep pace with the changing DDoS threat. In addition to increasing vigilance and knowledge, enterprises should also validate services from any mitigation providers they have retained to ensure the latest threats can be blocked quickly and effectively.
