DDoS Attacks Ebb and Flow After Webstresser Takedown
Shortly after Infosecurity Magazine reported that administrators of the world’s largest DDoS-as-a-service website had been arrested, Link11 wrote a blog post, concluding that “In the short period of time since that date, the Link11 Security Operation Center (LSOC) has seen a roughly 60% decline in DDoS attacks on targets in Europe.”
The reported deduction differs significantly from the findings of Corero Network Security. President Andrew Lloyd questioned the conclusions drawn by Link11, saying, “Our own evidence is that attack volumes globally and in Europe have, if anything, increased in the week since the Europol take-down action.”
In stark contrast to the LSOC findings, Corero noticed a spike in distributed denial-of-service (DDoS) attacks around 17 April but said, “Since then, European attacks have remained higher in the second half of the month versus the first half of April and the year as a whole.”
The news that law enforcement agencies had closed down Webstresser.org was a big win for cybercrime fighters. “But even so, the number of attacks will only decrease temporarily,” said Onur Cengiz, head of the Link11 security operation center. “Experience has shown in recent years that for every DDoS attack marketplace taken out, multiple new platforms will pop up like the heads of a hydra.”
A Kaspersky Lab study released on 26 April, on the heels of the Webstreser takedown, gives evidence that supports the changing tides of DDoS attack types and the ebb and flow of attacks Cengiz’s alluded to in his statement.
According to the Kaspersky Lab DDoS report, Q1 revealed an increased number of DDoS attacks and targets, but there are distinctions among the different attack methods. “Amplified” attacks were beginning to wane but had a bit of a boost in momentum, while network time protocol (NTP) and DNS-based boosting had almost disappeared after most vulnerable services were patched.
DDoS attacks as a means of personal revenge grew more popular in Q1 2018. Also trending were Memcached attacks that resemble a typical DDoS attack; however, according to the Kaspersky report, “Cybercriminals will likely seek out other non-standard amplification methods besides Memcached.”
As server owners patch vulnerabilities, there will be dips in certain types of attacks. “That being the case, DDoS masterminds will likely seek out other amplification methods, one of which could be LDAP services,” the Kaspersky report authors wrote.