DDoS attacks have doubled in six months, up 91% on first quarter

IoT devices in the dock as DDoS stages a resurgence, but stealth and sophistication also on the rise.

Businesses are being hammered by an average of eight DDoS attack attempts per day, an increase of 35 percent compared to Q2 2017, and a massive 91 percent increase over Q1 2017, according to new figures.

The huge increase in volume is partly due to the prevalence of DDoS services online, often marketed as ‘Booters’, ‘Stressers’ and similar tools, as well as the volume of easily-compromised IoT devices, according to the researchers from Corero. One example is the Reaper botnet, which has allegedly compromised more than one million organisations all across the globe, and has been described as “more sophisticated” than Mirai and “the next cyber-hurricane”.

Russ Madley, head of VSMB & channel, Kaspersky Lab UK said: “While DDoS attacks have been a threat for many years, it’s still important that businesses take them seriously as they are one of the most popular weapons in a cyber-criminal’s arsenal. A DDoS attack can be just as damaging to a business as any other cyber-crime, especially if used as part of a bigger targeted attack. The ramifications can be far-reaching as they’re able to reach deep into a company’s internal systems. Organisations must understand that protection of the IT infrastructure requires a comprehensive approach and continuous monitoring, regardless of the company’s size or sphere of activity.”

Unfortunately, while the sheer volume and scale of attacks has risen, their sophistication has too, with a fifth of the DDoS attack attempts recorded during Q2 2017 deploying multiple attack vectors to pick apart victims’ defences. The researchers also pointed out that many less sophisticated DDoS attacks are designed as a distraction and delaying tactic, tying up internal security experts and resources while a more subtle incursion is under way elsewhere.

Stephanie Weagle, VP, Corero Network Security warned that: “Sophisticated multi-vector DDoS attacks are becoming the new normal, with the potential to knock organisations of all types and sizes offline. Often lasting just a few minutes, these quick-fire attacks can be used as a smokescreen, designed not to outright deny service but to distract from an alternative motive, usually data theft and network infiltration. In order to effectively meet the challenge of this rapidly evolving threat landscape, organisations need to adopt modern DDoS defences that will provide both instantaneous visibility into DDoS events, real-time mitigation as well as long-term trend analysis to identify adaptations in the DDoS landscape.”

Source: https://www.scmagazineuk.com/ddos-attacks-have-doubled-in-six-months-up-91-on-first-quarter/article/709147/


The Internet of Things could easily be the Internet of Threat

As more devices connect and communicate with each other, we run the risk of one particular threat on the Internet – that of botnets.

The Internet of Things (IoT), unlike SMAC (Social Mobile Analytics Cloud), moved faster from being an industry buzzword to reality. However, what needs to be examined is whether businesses are prepared to fully leverage IoT.

The McKinsey Quarterly for March 2010 defined IoT as: “sensors and actuators embedded in physical objects—from roadways to pacemakers—are linked through wired and wireless networks, often using the same Internet Protocol (IP) that connects the Internet. These networks churn out huge volumes of data that flow to computers for analysis. When objects can both sense the environment and communicate, they become tools for understanding complexity and responding to it swiftly.”

Essentially, IoT produces vast volumes of information that is primarily exchanged between devices. This has several benefits for organizations. One use case that illustrates this is predictive maintenance.

Machines enabled with sensors and connectivity give businesses the real-time capability to measure production equipment, allowing for cost-effective approaches to maintenance that can improve both factory productivity and capacity utilization by avoiding breakdowns. In effect, businesses can now move from a repair-and-replace model to one of predict and prevent.

Predictive maintenance and city-wide systems are just two use cases. There are several more that straddle retail environments, offices, and vehicles.

However, as more devices connect and communicate with each other, we run the risk of one particular threat on the Internet – that of botnets. A botnet is a group of computers/devices connected in a coordinated fashion for malicious purposes, wherein each node within the botnet is referred to as a bot.

Botnets give rise to DDoS (Distributed Denial of Service) attacks much like the one in 2016 that affected ISPs in India, which was in the range of 200 gigabytes per second. At Akamai, we have successfully defended against DDoS attacks exceeding 620 Gbps. What’s important to focus on is not only the size of the attacks but their prevalence. In an age where IoT is supposed to be making things better, scope for equally nefarious applications of useful technology exists.

In India, IoT adoption is growing. According to a NASSCOM report titled IoT in India: The Next Big Wave, the IoT market in India is poised to reach USD 15 billion by 2020 accounting for nearly five percent of the total global market.

As the number of devices connecting with each other increases, so does the attack surface. India is already a prime target (and source) of web application attacks. According to data in our Second Quarter, 2017 State of the Internet / Security Report, India is second in the list of Asia Pacific countries that sourced the most web application attack traffic, behind China, with close to 12,000,000 (12 million) web application attacks attributed to the country.

While this is a significant number, India also ranks 8th in the list of target countries for Web Application Attacks, globally.

The growth and use cases in IoT are not for naught, however. While the threat looms, there are ways out. What’s required is awareness and standardization of processes. Threats and remedies to internet-based vulnerabilities are constantly evolving and at times depend on the individual capabilities within organizations. Going forward, there should be a constant exchange of information across organizations.

At a broad level, organizations do collaborate with CERT-In, the Indian Computer Emergency Response Team. While it’s truly positive to see that there’s increased information sharing between individual organizations and the government entity tasked with the Nation’s cybersecurity effort, what would be more impactful is when organizations come together, as a collective, to address the problem and arrive at approaches on how best to move forward, to safeguard their IP and their users.

Source: https://tech.economictimes.indiatimes.com/news/corporate/the-internet-of-things-could-easily-be-the-internet-of-threats/61671652


Man charged for using vDOS hacker-for-hire service against Minnesota firm

Federal prosecutors are charging John Kelsey Gammell, 46, with using hackers for hire to launch DDoS attacks against former employers and other companies.

Gammell has been charged with intentional damage to a protected computer. Authorities say that between July 2015 and September 2016 he made monthly payments to services such as the now defunct vDOS platform, along with others, to launch periodic attacks and bring down Washburn Computer Group in Monticello, Minn., according to court records.

Authorities say Gammell also used these services on at least half a dozen other companies as well.

Gammell’s attorney, Rachel Paulose, argues that her client never personally attacked the company and that authorities should instead focus their efforts on the hackers for hire.

“The government has failed to charge a single one of those ‘cyber hit men’ services, named and evidently well known to the government,” Paulose said according to the Star Tribune. “Instead the government’s neglect has allowed the professional cyber hit men for hire to skip off merrily into the night.”

Paulose added that the Washburn attacks were essentially a prank on a dormant site not doing business. If convicted Gammell could serve between 15 and 17 years in prison.

Source: https://www.scmagazine.com/man-faces-charges-in-hacking-for-hire-case/article/707035/


DDoS attacks increasing once again

Major cyber assaults are on the rise again, a Kaspersky Lab report claims.

DDoS attacks are on the rise again as criminals turn to brute force attacks once more, new research has claimed.

The latest DDoS Intelligence report from Kaspersky Lab, covering the third quarter of 2017, says there has been an increase in the number of countries where resources have been targeted.

The number of attacks against gaming and new financial services has also grown.

Kaspersky Lab says resources in 98 countries were DDoSed this quarter, up from 86 the quarter before. Looking at the top ten countries in terms of number of targets, Russia is up from seventh to fourth place, while France and Germany pushed Australia and Italy out of the list.

The top 10 most popular host countries for botnet command servers include Italy and the UK, moving Canada and Germany out of the picture.

The share of Linux botnets is growing, accounting for 70 per cent of all attacks in Q3, up from 51 per cent in Q2.

The report also says cybercriminals are moving to more sophisticated attacks. It gives the examples of the WireX botnet, which spread via legitimate Android apps, and the Pulse Wave technique, which increases the power of DDoS attacks through vulnerabilities in hybrid and cloud mitigation.

Kaspersky has also observed an increase in the variety of targets.

“Entertainment and financial services – businesses that are critically dependent on their continuous availability to users – have always been a favourite target for DDoS attacks. For them, the downtime caused by an attack can result not only in significant financial losses but also reputational risks that could result in an exodus of customers to competitors,” says Kirill Ilganaev, Head of Kaspersky DDoS Protection at Kaspersky Lab.

“It’s not surprising that gaming services with multi-million turnovers attract the attention of criminals and that new types of financial sites have come under attack. What is surprising, however, is that many companies still don’t pay enough attention to professional protection against DDoS attacks. The recommended approach for these companies is to delegate protection from DDoS attacks to a reliable supplier with deep knowledge of cyberthreats and the methods of combating them, and to reassign the IT resources that are freed up to the development of the business.”

Source: https://www.itproportal.com/news/ddos-attacks-increasing-once-again/


Why securing apps is key to securing an organisation’s future

Cyber security must be a top-level priority for all organisations given today’s threat landscape.

The Current Threat Landscape

According to the European Commission’s State of the Union, digital threats and cyber-crime are continuing to evolve at a rapid pace. Over the past few years, ransomware attacks have increased by 300%, and the impact of cyber-crime has risen fivefold since 2013. Unfortunately, the UK has already witnessed these effects first hand. Just last year, a DDoS attack performed by bots took down a significant chunk of the internet – including leading websites such as Twitter, the Guardian, Netflix, Reddit and CNN.

The worst part? This wave of hacking doesn’t seem to be going anywhere—and it’s only getting stronger. Today’s hackers are quickly becoming smarter, tougher, and more creative, aided by access to high-powered commodity computing. This level of sophistication has been particularly obvious in the way DDoS attacks have been surfacing.

In the past, cyber criminals would orchestrate a brute force DDoS attack to cause as much damage as possible within a short period of time. Today, cyber criminals are achieving higher levels of success against organisations through more targeted and frequent attacks.

According to Neustar’s recent Global DDoS Attacks & Cyber Security Insights Report, 52 percent of brands that suffered a DDoS attack also reported a virus, while 35 percent reported malware, 21 percent reported ransomware and 18 percent reported lost customer data. Beyond that, 75 percent of respondents recorded multiple DDoS attacks following an initial assault on their brand’s network.

The Next Wave of Attack

Unfortunately, volumetric attacks only form part of today’s internet security challenge. With the evolution of technology and the mass expansion of the internet, today’s average web hacker has the ability to carry out various attacks with minimal effort through undetected vulnerabilities and security gaps.

This has been especially apparent as IoT devices expand, with 76% of organisations suffering a DDoS attack through their IoT connections in the past year. And while DDoS attacks continue to command great attention amongst IT and cybersecurity professionals, cyber criminals have, quite literally and figuratively, managed to slip through the cracks, resulting in web application layer threats that are equally, if not more, damaging than a typical DDoS attack.

Web application layer attacks, or ‘layer 7’ attacks as they’re often called, are a direct result of a hacker spotting a vulnerability in an existing program within an organisation’s web presence. These attacks, often led by ‘black hat hackers’, are more specific than DDoS attacks, with a precisely crafted approach to damaging vulnerable software. Application attacks are also the most difficult attacks to detect and provide little to no advance warning before they create chaos in an organisation’s application.

Effects on the Future

These sort of intense web attacks not only have devastating effects on the businesses involved, but they could cost the global economy upwards of $120bn (£92bn) – as much as catastrophic natural disasters such as Hurricanes Katrina and Sandy.

On a slightly smaller scale, with the upcoming implementation of GDPR, businesses across Europe risk losing not only sensitive consumer data, but millions of euros in non-compliance related fees. This is due to the fact that once GDPR is implemented, businesses have the responsibility to follow tightly constructed cybersecurity practices that require top-notch data security. If this isn’t done, those businesses could be liable for upwards of €20 million in fees, or 4% of their total net income, depending on the company. Either way, it’s an amount that can be completely detrimental to the future success of any company.

The upcoming GDPR standards have put an extra level of pressure on businesses everywhere, many of which are now scrambling to be compliant in time, as well as mitigating the threat of inevitable attacks on their network, including those directed at the web application layer.

It is encouraging though, that most businesses seem to have taken the initiative and are starting to invest in proactive defense technologies. So much so that just this past year, protection against application layer threats has increased significantly with Web Application Firewall (WAF) solution deployments nearly tripling among respondents.

Protecting Against Attacks

There are various tools to combat web application layer threats and DDoS attacks. These range from appliance hardware to cloud services and hybrid deployments. With that said, layered defences are considered to be the most common form of defence against these sorts of attacks. In addition, sophisticated investments involving appliances, third-party services, and hybrid configurations that use a combination of hardware and cloud-based mitigation have increased in the past few years. So much so that 65% of respondents in the Neustar report reported having at least one of these solutions in place.

However, what is quite noticeable is the steady rise in Layer 7 protection. Over the past twelve months, industry experts have seen a huge spike in the deployment of web application firewalls (WAF). Quite simply, a web application firewall protects users by filtering, monitoring, and blocking HTTP traffic to and from a web application.

This defence has proven so popular that the number of organisations that have added a WAF has nearly tripled in the past seven months and more than quadrupled from this time last year, according to the report. This rise has underlined the need for protection of what has quite rapidly become the most exploited layer in the network stack, especially given the vulnerabilities that go beyond DDoS alone.

Overall, as the threat landscape evolves and attackers continue to refine their capabilities, it’s extremely important that businesses make cyber security a top-level priority. By utilising a combination of defences, including the latest transformative services alongside traditional approaches, businesses have the opportunity to stay one step ahead of cyber criminals. Not only will this protect businesses from losing millions of euros and critical consumer data, but it will preserve consumer confidence—something that every business can benefit from.


Unexplained cyberattacks sow chaos among dark web markets

A three-week long wave of cyberattacks against several popular dark web marketplaces has left the notorious underground e-commerce economy drenched in uncertainty and wondering if, like earlier this year, this is a prelude to another round of arrests.

Just two months after police brought down a slew of the most well-known dark web markets, those left standing can’t quite figure out — nor defeat — who has been behind a three-week long denial-of-service offensive that’s knocked their sites offline.

As if looking to further stoke fear and uncertainty, Deputy Attorney General Rod Rosenstein recently spoke in Washington, D.C. on how the Department of Justice is continuing to target crime on the dark web.


Paranoia haunts the mood of those who remain as many wait for the next looming law enforcement sting. Those actions have sown a deep distrust among the markets’ purveyors and customers, who are often looking for drugs, malware, stolen data, exploitation material and other ways to commit fraud. This is on top of a customer base that already goes to great lengths to conceal identity, hiding behind anonymization technology like the Tor browser, and paying for wares via cryptocurrencies like Bitcoin and Monero.

The turbulence these dark web marketplaces have dealt with beyond the arrests has been unprecedented. Scams and cyberattacks are common, as those looking to replace the reliable crime superstores of the past are struggling. To top it off, a new class of scammers is seizing on the chaos, launching phishing attacks to steal cryptocurrency from the dark web’s faithful.

“This year turned things the other way around,” one dark net market customer lamented on a subreddit dedicated to the marketplaces. “It is like a dead place now to be very honest. Sales have dropped, there are more scammers in the market now, people are losing their money or assets, most of the good vendors are gone, people are scared.”

A host of dark net markets are under attack. This is the error message visitors get when they visit Dream Market.

There are “a few hints but definitely more questions than answers,” Emily Wilson, a researcher at Terbium Labs, told CyberScoop. “We know the markets are being DDoSed, we know it’s a fairly coordinated effort. It’s been going on for two weeks now.”

The attackers have made what some forum administrators call “silly demands,” implying that lucrative extortion is the goal. The latest incident echoes past incidents, like the 2013 denial of service attack against Silk Road, when hackers successfully made the market pay a ransom in order for the attacks to stop.

But more recent history shows AlphaBay, the largest dark web market for a period of around three years, went dark for nearly two weeks before it was revealed that an international law enforcement operation was behind the outage.

One result of the attacks is increasing distrust of centralized markets. Instead of sticking to the big players, dark web dwellers are now following smaller, speciality vendors to get their malware, fraudulent data and drugs.

The impact has been uneven. The drug market has been hit hardest, but crooks selling fraud and malware have carried on with little downtime in large part because those economies also operate on the public web.

To deal with the denial-of-service attacks, some markets have put up site mirrors at different addresses. The tactic makes it more difficult for attackers to hit a moving target, but it also makes it easier for phishing scams to fool victims who don’t know which market is real or fake.

“We can’t expect to see nine markets DDoSed forever,” Wilson said. “It depends on who is behind it. The fact that the DOJ has made hardline remarks about going after the dark net makes me think we’ll see increased instability over the coming months and years. The question then is, are people going to pop up new markets and take their chances? Will we see more peer to peer trade? We’re all waiting to see.”

If a mountain of unanswered questions looms over the dark web, at least one has been answered.

“The question we all had six months ago was, ‘Are we going to see another AlphaBay pop up quickly?’” Wilson said. “The answer is no.”

Source: https://www.cyberscoop.com/dark-web-ddos-attacks-dream-market-wall-street-market/


33% of businesses hit by DDoS attack in 2017, double that of 2016

Distributed Denial of Service attacks are on the rise this year, and used to gain access to corporate data and harm a victim’s services, according to a Kaspersky Lab report.

Cybercriminals are increasingly turning to Distributed Denial of Service (DDoS) this year, as 33% of organizations faced such an attack in 2017—up from just 17% in 2016, according to a new report from Kaspersky Lab.

These cyber attacks are hitting businesses of all sizes: Of those affected, 20% were very small businesses, 33% were SMBs, and 41% were enterprises.

Half of all businesses reported that the frequency and complexity of DDoS attacks targeting organizations like theirs is growing every year, highlighting the need for more awareness and protection against them, according to Kaspersky Lab.

Of the companies that were hit in 2016, 82% said that they faced more than one DDoS attack. At this point in 2017, 76% of those hit said they had faced at least one attack.

Cybercriminals use DDoS attacks to gain access to valuable corporate data, as well as to cripple a victim’s services, Kaspersky Lab noted. These attacks often result in serious disruption of business: Of the organizations hit by DDoS attacks this year, 26% reported a significant decrease in performance of services, and 14% reported a failure of transactions and processes in affected services.

Additionally, some 53% of companies reported that DDoS attacks against them were used as a smokescreen to cover up other types of cybercrime. Half (50%) of these respondents said that the attack hid a malware infection, 49% said that it masked a data leak or theft, 42% said that it was used to cover up a network intrusion or hacking, and 26% said that it was hiding financial theft, Kaspersky Lab found.

These results are part of Kaspersky Lab’s annual IT Security Risks survey, which included responses from more than 5,200 representatives of small, medium, and large businesses from 29 countries.

“The threat of being hit by a DDoS attack – either standalone or as part of a greater attack arsenal – is showing no signs of diminishing,” said Kirill Ilganaev, head of Kaspersky DDoS protection at Kaspersky Lab, in a press release. “It’s not a case of if an organization will be hit, but when. With the problem growing and affecting every type and size of company, it is important for organizations to protect their IT infrastructure from being infiltrated and keep their data safe from attack.”

Want to use this data in your next business presentation? Feel free to copy and paste these top takeaways into your next slideshow.

  • 33% of organizations experienced a DDoS attack in 2017, compared to 17% in 2016. -Kaspersky Lab, 2017
  • Of organizations hit by DDoS attacks, 20% were very small businesses, 33% were SMBs, and 41% were enterprises. -Kaspersky Lab, 2017
  • 53% of companies reported that DDoS attacks against them were used as a smokescreen to cover up other types of cybercrime, including malware, data leaks, and financial theft. -Kaspersky Lab, 2017

Source: http://www.techrepublic.com/article/33-of-businesses-hit-by-ddos-attack-in-2017-double-that-of-2016/


DDoS attacks double as corporate data becomes new target

While more organisations are being hit by DDoS attacks in 2017 compared to last year, fewer are being hit by more than one.

DDoS attacks have increased in frequency in 2017, with 33 per cent of organisations having faced one this year compared to just 17 per cent in 2016.

While DDoS attacks have been previously used to disable the operations of a target, the driving motivation to use it now is the theft of corporate data.

Of the more than a third of organisations hit by a DDoS attack this year, 20 per cent were small businesses, 33 per cent medium, and 41 per cent were in the enterprise category. Security provider Kaspersky is behind this data, with findings from its Global IT Security Risks Survey 2017.

The damage inflicted by a DDoS attack may prove more long lasting than some might expect, with 26 per cent of businesses hit reporting a lasting impact on the performance of services.

Russ Madley, Head of VSMB & channel at Kaspersky Lab UK, said: “While DDoS attacks have been a threat for many years, it’s still important that businesses take DDoS attacks seriously as they are one of the most popular weapons in a cybercriminal’s arsenal. They can be just as damaging to a business as any other cybercrime, especially if used as part of a bigger targeted attack.”

It is important to remember that a DDoS attack can leave an organisation hobbled as it returns to regular activity, but an attack can also have a direct and immediate impact on the reputation and financial standing of a business.

“The ramifications caused by these types of attacks can be far-reaching as they’re able to reach deep into a company’s internal systems. Organisations must understand that protection of the IT infrastructure requires a comprehensive approach and continuous monitoring, regardless of the company’s size or sphere of activity,” said Madley.

While more organisations are facing DDoS attacks, the percentage of businesses hit by more than one has dropped this year to 76 per cent, a reduction from the 82 per cent that experienced more than one last year.

Source: http://www.cbronline.com/news/cybersecurity/ddos-attacks-double-corporate-data-becomes-new-target/


DDoS trends, DNS survey signal warnings to infosec pros

Two vendor reports out this week may be of interest to CISOs in planning their defensive strategies.

—Imperva, a supplier of DDoS protection services, said it found a new attack tactic, nicknamed “pulse wave DDoS” due to the traffic pattern it generates: a rapid succession of attack bursts that split a botnet’s attack output, enabling an offender to go after multiple targets. One such attack was also the largest network layer assault it mitigated in the second quarter, peaking at 350 Gbps.

–Meanwhile Infoblox Inc., which makes IP address management solutions, released a global survey finding that DNS security is often overlooked when it comes to cybersecurity strategy, with most companies inadequately prepared to defend against DNS attacks.

Imperva’s announcement is included in its Q2 Global DDoS Threat Landscape report, on data from 2,618 network layer and 12,825 application layer DDoS attacks on customers’ Websites that use its services.

The pulse wave DDoS tactic was described in an August blog post, and researchers think it is designed to double a botnet’s output and exploit soft spots in “appliance first, cloud second” hybrid mitigation solutions. “It wasn’t the first time we’ve seen attacks ramp up quickly. However, never before have we seen attacks of this magnitude peak with such immediacy, then be repeated with such precision.

“Whoever was on the other end of these assaults, they were able to mobilize a 300Gbps botnet within a matter of seconds. This, coupled with the accurate persistence in which the pulses reoccurred, painted a picture of very skilled bad actors exhibiting a high measure of control over their attack resources.”

Researchers suspect the tactic allows the threat actors behind it to switch targets on the fly.

One suggested defence for organizations that have a DDoS mitigation provider is to double-check the ‘time to mitigation’ clause in the service level agreement.

The report also notes two trends: first, the continued decline in network level attacks (at least for Imperva customers) and the continued increase (although in Q2 there was a slight dip) in application level attacks; second, that in the second quarter 75.9 per cent of targets were subjected to multiple attacks—the highest percentage the company has seen.

Number of targets subjected to repeat DDoS attacks. Imperva graphic

The Infoblox global survey of over 1,000 security and IT professionals found that 86 per cent of respondents whose firms have DNS solutions said those solutions failed to be the first to alert teams of an occurring DNS attack, and nearly one-third of professionals doubted their company could defend against the next DNS attack. Twenty per cent of companies were first alerted to DNS attacks by customer complaints.

In a release summarizing the survey (registration required), three out of 10 companies said they have already been victims of DNS attacks. Of those, 93 per cent have suffered downtime as a result of their most recent DNS attack, and 40 per cent were down for an hour or more, substantially impacting their business.

Only 37 per cent of respondents said their companies were able to defend against all types of DNS attacks (hijacking, exploits, cache poisoning, protocol anomalies, reflection, NXDomain, amplification).

Twenty-four per cent of respondents said their companies lost US $100,000 or more from their last DNS attack.

“Most organizations regard DNS as simply plumbing rather than critical infrastructure that requires active defense,”  Cricket Liu, chief DNS architect at Infoblox, said in the release. “Unfortunately, this survey confirms that, even on the anniversary of the enormous DDoS attack against Dyn—a dramatic object lesson in the effects of attacks on DNS infrastructure—most companies still neglect DNS security. Our approach to cybersecurity needs a fundamental shift: If we don’t start giving DNS security the attention it deserves, DNS will remain one of our most vulnerable Internet systems, and we’ll continue to see events like last year’s attack.”

Source: https://www.itworldcanada.com/article/ddos-trends-dns-survey-signal-warnings-to-infosec-pros/397309


Pulse-Wave DDoS Attacks Mark a New Tactic in Q2

A new tactic for DDoS is gaining steam: the pulse wave attack. It’s called such due to the traffic pattern it generates—a rapid succession of attack bursts that split a botnet’s attack output.

According to Imperva’s latest Global DDoS Threat Landscape Report, a statistical analysis of more than 15,000 network and application layer DDoS attacks mitigated by Imperva Incapsula’s services during Q2 2017, the largest network layer assault it mitigated peaked at 350Gbps. The tactic enables an offender to pin down multiple targets with alternating high-volume bursts. As such, it serves as the DDoS equivalent of hitting two birds with one stone, the company said.

“A DDoS attack typically takes on a wave form, with a gradual ramp-up leading to a peak, followed by either an abrupt drop or a slow descent,” the company explained. “When repeated, the pattern resembles a triangle, or sawtooth waveform. The incline of such DDoS waves marks the time it takes the offenders to mobilize their botnets. For pulse wave attacks, a lack of a gradual incline was the first thing that caught our attention. It wasn’t the first time we’ve seen attacks ramp up quickly. However, never before have we seen attacks of this magnitude peak with such immediacy, then be repeated with such precision.”

Whoever was on the other end of these assaults, they were able to mobilize a 300Gbps botnet within a matter of seconds, Imperva noted. This, coupled with the precise regularity with which the pulses recurred, painted a picture of very skilled bad actors exhibiting a high measure of control over their attack resources.

“We realized it makes no sense to assume that the botnet shuts down during those brief ‘quiet times’,” the firm said. “Instead, the gaps are simply a sign of offenders switching targets on-the-fly, leveraging a high degree of control over their resources. This also explained how the attack could instantly reach its peak. It was a result of the botnet switching targets on-the-fly, while working at full capacity. Clearly, the people operating these botnets have figured out the rule of thumb for DDoS attacks: moments to go down, hours to recover. Knowing that—and having access to an instantly responsive botnet—they did the smart thing by hitting two birds with one stone.”

Pulse-wave attacks were encountered on multiple occasions throughout the quarter, according to Imperva’s data.
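The distinguishing features Imperva describes above (no gradual incline, an immediate peak, and bursts repeated at regular intervals) translate directly into a detection heuristic for a traffic-rate time series. The following is an added example, not code from Imperva or from this article; the per-second Gbps series are constructed, and the threshold, ramp-time and jitter limits are assumed values a defender would tune to their own baseline.

```python
"""Classify a per-second traffic-rate series as a 'sawtooth' DDoS
(gradual ramp-up while the botnet mobilizes) or a 'pulse-wave' DDoS
(instant peak, quiet gaps, bursts recurring on a fixed period).

Added example with constructed data; thresholds are assumptions."""
from statistics import pstdev
from typing import Dict, List


def find_bursts(rate_gbps: List[float], threshold: float) -> List[Dict]:
    """Split the series into bursts where the rate stays >= threshold.

    Each burst records its start index, peak value and ramp time: the seconds
    between first crossing the threshold and first reaching 90% of the peak.
    A sawtooth wave has a long ramp; a pulse wave has a ramp of ~0 seconds."""
    bursts = []
    i, n = 0, len(rate_gbps)
    while i < n:
        if rate_gbps[i] < threshold:
            i += 1
            continue
        start = i
        while i < n and rate_gbps[i] >= threshold:
            i += 1
        segment = rate_gbps[start:i]
        peak = max(segment)
        ramp = next(k for k, v in enumerate(segment) if v >= 0.9 * peak)
        bursts.append({"start": start, "peak": peak, "ramp_s": ramp})
    return bursts


def classify(rate_gbps: List[float], threshold: float = 50.0,
             max_ramp_s: int = 3, max_jitter_s: float = 2.0) -> Dict:
    """Label the series 'pulse-wave' when every burst peaks almost instantly
    AND the burst start times recur with low jitter; otherwise 'sawtooth'."""
    bursts = find_bursts(rate_gbps, threshold)
    if not bursts:
        return {"label": "none", "bursts": 0}
    ramps = [b["ramp_s"] for b in bursts]
    intervals = [b2["start"] - b1["start"] for b1, b2 in zip(bursts, bursts[1:])]
    jitter = pstdev(intervals) if len(intervals) > 1 else 0.0
    fast = max(ramps) <= max_ramp_s              # no incline: botnet already at full output
    regular = len(bursts) >= 2 and jitter <= max_jitter_s  # precise, repeated pulses
    label = "pulse-wave" if fast and regular else "sawtooth"
    return {"label": label, "bursts": len(bursts),
            "max_ramp_s": max(ramps), "interval_jitter_s": jitter}


def sawtooth_series(peak: float = 300.0, ramp_s: int = 60, hold_s: int = 30,
                    quiet_s: int = 30, repeats: int = 3) -> List[float]:
    """Constructed classic attack: linear ramp-up, plateau, drop, repeated."""
    series: List[float] = []
    for _ in range(repeats):
        series += [peak * (t + 1) / ramp_s for t in range(ramp_s)]  # gradual incline
        series += [peak] * hold_s
        series += [0.0] * quiet_s
    return series


def pulse_series(peak: float = 300.0, burst_s: int = 20, quiet_s: int = 20,
                 repeats: int = 4) -> List[float]:
    """Constructed pulse wave: full-capacity burst, then a gap while the
    same botnet is pointed at another target, on a fixed period."""
    series: List[float] = []
    for _ in range(repeats):
        series += [peak] * burst_s
        series += [0.0] * quiet_s
    return series


if __name__ == "__main__":
    print("sawtooth :", classify(sawtooth_series()))
    print("pulse    :", classify(pulse_series()))
```

On the constructed input the sawtooth series needs 44 seconds to climb from the 50Gbps threshold to 90% of its peak, while the pulse series reaches its 300Gbps peak in the first sample and recurs every 40 seconds with zero jitter. In practice the useful operational output is the ramp time and the period: a near-zero ramp tells you that the ramp-up phase cannot be relied on as early warning, and a stable period lets mitigation be kept armed across the quiet gaps rather than being torn down between bursts.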

In the plus column, this quarter saw a small dip in application layer attacks, which fell to 973 per week from an all-time high of 1,099 in Q1. However, don’t rejoice just yet.

“There is no reason to assume that the minor decline in the number of application layer assaults is the beginning of a new trend,” said Igal Zeifman, Incapsula security evangelist at Imperva—noting the change was minor at best.

Conversely, for the fifth quarter in a row there was a decrease in the number of network layer assaults, which dropped to 196 per week from 296 in the prior quarter.

“The persistent year-long downtrend in the amount of network layer attacks is a strong sign of a shift in the DDoS threat landscape,” Zeifman said. “There are several possible reasons for this shift, one of which is the ever-increasing number of network layer mitigation solutions on the market. The commoditization of such services makes them more commonplace, likely driving attackers to explore alternative attack methods.”

For instance, one of the most prevalent trends Incapsula observed in the quarter was the increase in the number of persistent application layer assaults, which have been scaling up for five quarters in a row.

In the second quarter of the year, 75.9% of targets were subjected to multiple attacks—the highest percentage Imperva has ever seen. Notably, US-hosted websites bore the brunt of these repeat assaults—38% were hit six or more times, out of which 23% were targeted more than 10 times. Conversely, 33.6% of sites hosted outside of the US saw six or more attacks, while “only” 19.5% saw more than 10 assaults in the span of the quarter.

“This increase in the number of repeat assaults is another clear trend and a testament to the ease with which application layer assaults are carried out,” Zeifman said. “What these numbers show is that, even after multiple failed attempts, the minimal resource requirement motivates the offenders to keep going after their target.”

Another point of interest was the unexpected spike in botnet activity out of Turkey, Ukraine and India.

In Turkey, Imperva recorded more than 3,000 attacking devices that generated over 800 million attack requests, more than double the rate of last quarter.

In Ukraine and India, it recorded 4,300 attacking devices, representing a roughly 75% increase from Q1 2017. The combined attack output of Ukraine and India was 1.45 billion DDoS requests for the quarter.

Meanwhile, as the origin of 63% of DDoS requests in Q2 2017 and home to over 306,000 attacking devices, China retained its first spot on the list of attacking countries.

Source: https://www.infosecurity-magazine.com/news/pulsewave-ddos-attacks-mark-q2/
