04:39 PM
Connect Directly

Anonymous Group Abandoning DDoS Attacks

Operation Payback never rated as more than a nuisance, according to Arbor Networks' analysis of 5,000 confirmed DDoS attacks over the past year at large carriers.

Strategic Security Survey: Global Threat, Local Pain
Strategic Security Survey: Global Threat, Local Pain
(click image for larger view and for full slideshow)

The Operation Payback distributed denial of service (DDoS) attack is declining. Furthermore, the small scale and low sophistication of the attack has meant that almost any Internet service provider should have been able to block it.

Those findings come from Craig Labovitz, chief scientist at Arbor Networks, who on Tuesday detailed what Arbor is billing as the biggest-ever study of real DDoS attack data, comprising 5,000 confirmed attacks over the past year that affected 37 large carriers and content providers around the world.

Even at its peak, Operation Payback was "more of an annoyance than an imminent critical infrastructure threat," said Labovitz, who likened it not to "cyber war," as some have characterized it, but rather simple "cyber-vandalism." "While the last round of attacks lead to brief outages, most of the carriers and hosting providers were able to quickly filter the attack traffic. In addition, these attacks mostly targeted Web pages or lightly read blogs -- not the far more critical back-end infrastructure servicing commercial transactions."

As suggested by the Anonymous collective's recent shift to sending faxes to their target companies, "by the end of [last] week, Anonymous followers had mostly abandoned their attack plans as ineffective," he said.

Beyond Operation Payback, the Arbor study offers new insights into DDoS trends and attacks, gleaned from data that Arbor began measuring in its own products two years ago, as well as by collecting anonymous ATLAS statistics, which are available from about 75% of all Internet carriers.

For grading DDoS attacks, Arbor classifies each based on its scale and sophistication. "At the high end in 2010, we observed a number of DDoS attacks in the 50+ Gbps range," said Labovitz. These large, flooding attacks comprised 60% of all confirmed DDoS attacks in 2010, and are typically designed "to exceed the inbound aggregate bandwidth capacity of data centers and carrier backbone links" by overwhelming them with packets, he said.

Meanwhile on the low end, comprising 27% of attacks, "we encounter attacks focused not on denying bandwidth, but the back-end computation, database, and distributed storage resources of large Web services," he said. "For example, service or application level attacks may focus on a series of Web or API calls that force an expensive database transaction or calls to slow storage servers."

In other words, overwhelm servers, applications, SIP, HTTP or TCP state not with volume, but rather the right kinds of calls, and DDoS attacks can succeed through sophistication, rather than scale.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

Published: 2014-07-29
Multiple cross-site scripting (XSS) vulnerabilities in IBM Atlas Suite (aka Atlas Policy Suite), as used in Atlas eDiscovery Process Management through 6.0.3, Disposal and Governance Management for IT through 6.0.3, and Global Retention Policy and Schedule Management through 6.0.3, allow remote atta...

Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

Published: 2014-07-29 in the Embedded WebSphere Application Server (eWAS) 7.0 before FP33 in IBM Tivoli Integrated Portal (TIP) 2.1 and 2.2 sets world-writable permissions for the installRoot directory tree, which allows local users to gain privileges via a Trojan horse program.

Best of the Web
Dark Reading Radio