“More attacks, more ferocity, new code, and old exploits taking advantage of old vulnerabilities to create new havoc.” That’s how Joe Loveless, Neustar Director of Product Marketing, described the state of DDoS attacks in 2016. And when asked for his perspective on what’s to come, Loveless said, “More of the same. 2017 looks to deliver significantly stronger and significantly more dangerous attacks; so be prepared.”

Loveless cites Neustar’s newly released DDoS & Cybersecurity Insights Report, which found a 200% increase in direct customer mitigations over 2015. But the real danger is reflected in platform activity that took on large Mirai-type attacks. “Neustar mitigated a mixed bag of threats this year, massive attacks and smaller, determined attacks, the latter proving that attackers have many different objectives.”

Neustar’s DDoS Security Operations Report examines the DDoS attacks that Neustar mitigated in 2016, and offers a bit of a glimpse into what future attacks will look like in 2017. The report goes into great detail to highlight some of the attack vectors and combinations that were used in an attempt to penetrate Neustar’s DDoS defenses.

Here’s a sampling of what Neustar saw, by attack vector:

TCP SYN: A steady and significant rise in these attacks, especially in multi-vector assaults. The danger of these attacks lies not in brute size, but in packets per second. And since they often offer a false appearance of legitimate traffic, TCP SYN attacks may often be seen in concert with other malicious activities, like malware activation.

DNS: DNS-based attacks soared in 2016, in part because attackers made more use of DNSSEC to generate massive amplification, resulting in high rates of packet fragmentation. DNS offers attackers a relatively easy and practical means to ramp up large attacks. DNS-based attacks continue to show up in multi-vector attacks given the volumetric pressure they can bring.

UDP: UDP volumetric attacks are a primary form of attack, and Neustar mitigations of UDP-based assaults increased notably over 2015. After a downward trend early in the year, the pace picked up by mid-year. Since UDP attacks can quickly overwhelm and challenge unsuspecting defenses, they frequently serve as a smokescreen for other malicious activities.

ICMP: Neustar protected customers from a large increase in ICMP attacks. Many of these attacks were encountered in multi-vector efforts that leveraged DNSSEC. ICMP attacks are easy to build and launch, but it’s their volumetric value in multi-vector attacks that can create serious challenges to targeted organizations if not quickly arrested.

SSDP: The downward trend in pure SSDP mitigations, first signaled in 2015, continued in a steep decline through 2016. Better ISP defenses and more attention to patch management disciplines by organizations have helped stay the once-great onslaught of these attacks.

NTP: Neustar continues to see and mitigate NTP-based attacks. It is notable, however, that although NTP shows up in a fraction of all multi-vector attacks, nearly all NTP attacks mitigated were part of multi-vector strikes.

The report also provides an update on Neustar’s study of DNSSEC, analysis of data related to IoT botnets and Mirai-type assaults, and predictions for 2017. “Mirai was a seismic shift in 2016 and will change much of how attacks are launched, but it merely adds to an already dangerous landscape of conventional attacks that show no sign of slowing,” said Loveless.

In Neustar’s global research of more than 2000 organizations in 2016, 73% of respondents had experienced a DDoS attack in the previous twelve months. Worse, nearly half of those attacked reported some form of breach and theft conducted in concert with the DDoS attack.

The lesson from 2016 is that attackers are more determined and better armed. If next year does indeed follow the trend set forth by 2016, then Loveless’s insight will ring true – be prepared. Always be prepared.