Europe in the firing line of evolving DDoS attacks
The Europe, Middle East and Africa region accounts for more than half the world’s distributed denial of service attacks, a report from F5 Labs reveals.
The past year has seen a 64% rise in distributed denial of service (DDoS) attacks and greater tactical diversity from cyber criminals, according to customer data from F5’s Poland-based Security Operations Center (SOC).
However, more than 51% of attacks globally were targeted at organisations in Europe, the Middle East and Africa (Emea), and 66% involved multiple attack vectors, requiring sophisticated mitigation tools and knowledge, the report said.
The F5 report comes less than two weeks after several waves of powerful DDoS attacks hit banks and other organisations in the Netherlands.
Reflecting the spike in activity, F5 reported 100% growth for Emea customers deploying web application firewall (WAF) technology in the past year, while the adoption of anti-DDoS technology increased by 58%.
A key discovery was the relative drop in power for single attacks. In 2016, the F5 SOC logged multiple attacks of over 100Gbps, with some surpassing 400Gbps.
In 2017, the top attack stood at 62Gbps. This suggests a move towards more sophisticated Layer 7 (application layer) DDoS attacks that are potentially more effective and have lower bandwidth requirements.
“DDoS threats are on the rise in Emea and we’re seeing notable changes in their scope and sophistication compared with 2016,” said Kamil Wozniak, F5 SOC manager.
“Businesses need to be aware of the shift and ensure, as a matter of priority, that the right solutions are in place to halt DDoS attacks before they reach applications and adversely impact on business operations. Emea is clearly a hotspot for attacks on a global scale, so there is minimal scope for the region’s decision-makers to take their eyes off the ball,” he said.
Last year started with a bang, the report said, with F5 customers facing the widest range of disruptive attacks recorded to date in the first quarter of 2017.
User Diagram Protocol (UDP) floods stood out, representing 25% of all attacks. Attackers typically send large UDP packets to a single destination or random ports, disguising themselves as trustworthy entities before stealing sensitive data. The next most common attacks were DNS reflection (18%) and SYN flood attacks (16%).
The first quarter of 2017 was also the peak for Internet Control Message Protocol (ICMP) attacks, whereby cyber criminals overwhelm businesses with rapid “echo request” (ping) packets without waiting for replies. In stark contrast, the first-quarter attacks in 2016 were evenly split between UDP and Simple Service Discovery Protocol (SSDP) floods.
The second quarter of 2017 proved equally challenging, the report said, with SYN floods moving to the front of the attack pack (25%), followed by network time protocol and UDP floods (both 20%).
The attackers’ momentum continued into the third quarter, the report said, with UDP floods leading the way (26%). NTP floods were also prevalent (rising from 8% during the same period in 2016 to 22%), followed by DNS reflection (17%).
The year wound down with more UDP flood dominance (25% of all attacks). It was also the busiest period for DNS reflection, which accounted for 20% of all attacks (compared to 8% in 2016 during the same period).
Kamil Wozniak, F5 SOC
Another key discovery during the fourth quarter of 2017, and one that underlines cyber criminals’ capacity for agile reinvention, was how the Ramnit trojan dramatically extended its reach. Initially built to hit banks, F5 Labs found that 64% of Ramnit’s targets during the holiday season were US-based e-commerce sites.
Other new targets included sites related to travel, entertainment, food, dating and pornography. Other observed banking trojans extending their reach included Trickbot, which infects its victims with social engineering attacks, such as phishing or malvertising, to trick unassuming users into clicking malware links or downloading malware files.
“Attack vectors and tactics will only continue to evolve in the Emea region,” said Wozniak. “It is vital that businesses have the right systems and services in place to safeguard apps wherever they reside. 2017 showed that more internet traffic is SSL/TLS encrypted, so it is imperative that DDoS mitigation systems can examine the nature of these increasingly sophisticated attacks.
“Full visibility and greater control at every layer are essential for businesses to stay relevant and credible to customers. This will be particularly important in 2018 as the EU General Data Protection Regulation comes into play,” he said.