As more groups get into the denial-of-service attack business they're starting to get in each other's way, according to a report released this morning.
That translates into a smaller average attack size, said Martin McKeay, senior security advocate at Cambridge, Mass.-based Akamai Technologies Inc.
There are only so many devices around that have the kind of vulnerabilities that make them potential targets for a botnet.
"And other people can come in and take over the device, and take those resources to feed their own botnet," he said. "I'm seeing that over and over."
He said that Akamai is seeing evidence of the contention in the threat intelligence it gathers, as well as in the size of the attacks.
The median attack size has been decreasing over the last year and a half, he said.
At the start of 2015, the median DDoS attack size was 4 gigabits per second, and it went down to just over 500 megabits per second during the first quarter of this year.
The number of very large attacks has also gone down over the past year, from 19 attacks greater than 100 gigabits per second over the course of the first quarter of 2016, to just two attacks of that size during the first quarter of this year.
That could be due to the fact that several large DDoS crews were arrested at the end of last year.
"Because of the high publicity of some of these attacks, we have Interpol and U.S. government agencies going after the owners and authors of those botnets," McKeay said. "Those people are getting jailed, and that portion of the attack traffic goes away."
But that doesn't mean that companies can get complacent about their defenses, since other groups may step in to take their place.
"DDoS in general is a cyclic phenomenon," he said. "About three years ago, it really took off and we saw a big increase. It's been trending down for about a year but we suspect that that's just a temporary change, and it's going to start back up again."
Meanwhile, even smaller-sized attacks can still do a great deal of damage. According to the Akamai report, many businesses lease Internet uplinks of between 1 and 10 gigabits per second, so any attack bigger than 10 gigabits per second could take an unprotected business offline.
And the capabilities of attackers keep expanding, he added.
"Within two to three years, we might see a five to ten terabit attack," he said.
With more criminal groups competing for access to vulnerable devices for their botnets, does that mean that we might see less ransomware such as the WannaCry attack?
No such luck.
"It's a different group of resources that are being used," said McKeay. "When we're talking about the ransomware like that which we've been seeing since Friday, that's a completely different breed than DDoS."
Sign up for Computerworld eNewsletters.