Linux bots account for 95 percent of DDoS attacks as attackers turn to the past
Cybercriminals are delving into the past to launch attacks based on some very old vulnerabilities according to the latest report from Kaspersky Lab, and they’re using Linux to do it.
In the second quarter of 2018, experts have reported DDoS attacks involving a vulnerability in the Universal Plug-and-Play protocol known since 2001. Also, the Kaspersky DDoS Protection team observed an attack organized using a vulnerability in the CHARGEN protocol that was described as far back as 1983.
Despite the considerable length of service and the protocol’s limited scope, many open CHARGEN servers can be found on the internet for things like printers and copiers.
Activity by Windows-based DDoS botnets decreased almost seven fold over the quarter, while the activity of Linux-based botnets grew by 25 percent. This has resulted in Linux bots accounting for 95 percent of all DDoS attacks in Q2, which also caused a sharp increase in the share of SYN flood attacks — up from 57 percent to 80 percent.
Among other findings of the Q2 2018 DDoS Intelligence Report are that Hong Kong found itself among the top three most attacked countries, coming in second — its share increased five fold and accounted for 17 percent of all botnet-assisted DDoS attacks. The most attacked resources in Hong Kong were hosting services and cloud computing platforms. In addition, China and the US remained first and third respectively, while South Korea dropped down to fourth.
In the top 10 of countries hosting the most active command and control (C&C) servers, the US leads, accounting for almost half (45 percent) of all active botnet C&C servers in Q2. Meanwhile, Vietnam joined the list while Hong Kong dropped out of the top 10.
“There can be different motives for DDoS attacks — political or social protest, personal revenge, competition,” says Alexey Kiselev, project manager on the Kaspersky DDoS Protection team. “However, in most cases, they are used to make money, which is why cybercriminals usually attack those companies and services where big money is made. DDoS attacks can be used as a smokescreen to steal money or to demand a ransom for calling off an attack. The sums of money gained as a result of extortion or theft can amount to tens or hundreds of thousands and even millions of dollars. In that context, protection against DDoS attacks looks like a very good investment.”
One of the most popular methods of monetizing DDoS attacks remains the targeting of cryptocurrencies and currency exchanges. In Q2, Verge cryptocurrency suffered an attack on some mining pools over the course of several hours, resulting in $35 million XVGs being stolen in the ensuing confusion.
Gaming platforms continue to be a target as well, particularly during eSports tournaments. According to Kaspersky Lab, DDoS attacks affect not only game servers (which is often done to extort a ransom in return for not disrupting the competition) but also the gamers themselves who connect from their own platforms. An organized DDoS attack on a team’s key players can easily result in that team losing and being eliminated from a tournament. Cybercriminals use similar tactics to monetize attacks on channels streaming broadcasts of video games. Competition in this segment is intense, and by using DDoS attacks, cybercriminals can interfere with online broadcasts and, consequently, a streamer’s earnings.