Attacks/Breaches
12/15/2010
04:39 PM
50%
50%

Anonymous Group Abandoning DDoS Attacks

Operation Payback never rated as more than a nuisance, according to Arbor Networks' analysis of 5,000 confirmed DDoS attacks over the past year at large carriers.

Strategic Security Survey: Global Threat, Local Pain
Strategic Security Survey: Global Threat, Local Pain
(click image for larger view and for full slideshow)

The Operation Payback distributed denial of service (DDoS) attack is declining. Furthermore, the small scale and low sophistication of the attack has meant that almost any Internet service provider should have been able to block it.

Those findings come from Craig Labovitz, chief scientist at Arbor Networks, who on Tuesday detailed what Arbor is billing as the biggest-ever study of real DDoS attack data, comprising 5,000 confirmed attacks over the past year that affected 37 large carriers and content providers around the world.

Even at its peak, Operation Payback was "more of an annoyance than an imminent critical infrastructure threat," said Labovitz, who likened it not to "cyber war," as some have characterized it, but rather simple "cyber-vandalism." "While the last round of attacks lead to brief outages, most of the carriers and hosting providers were able to quickly filter the attack traffic. In addition, these attacks mostly targeted Web pages or lightly read blogs -- not the far more critical back-end infrastructure servicing commercial transactions."

As suggested by the Anonymous collective's recent shift to sending faxes to their target companies, "by the end of [last] week, Anonymous followers had mostly abandoned their attack plans as ineffective," he said.

Beyond Operation Payback, the Arbor study offers new insights into DDoS trends and attacks, gleaned from data that Arbor began measuring in its own products two years ago, as well as by collecting anonymous ATLAS statistics, which are available from about 75% of all Internet carriers.

For grading DDoS attacks, Arbor classifies each based on its scale and sophistication. "At the high end in 2010, we observed a number of DDoS attacks in the 50+ Gbps range," said Labovitz. These large, flooding attacks comprised 60% of all confirmed DDoS attacks in 2010, and are typically designed "to exceed the inbound aggregate bandwidth capacity of data centers and carrier backbone links" by overwhelming them with packets, he said.

Meanwhile on the low end, comprising 27% of attacks, "we encounter attacks focused not on denying bandwidth, but the back-end computation, database, and distributed storage resources of large Web services," he said. "For example, service or application level attacks may focus on a series of Web or API calls that force an expensive database transaction or calls to slow storage servers."

In other words, overwhelm servers, applications, SIP, HTTP or TCP state not with volume, but rather the right kinds of calls, and DDoS attacks can succeed through sophistication, rather than scale.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7912
Published: 2015-07-29
The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in dhcpcd 5.x in Android before 5.1 and other products, does not validate the relationship between length fields and the amount of data, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory c...

CVE-2014-7913
Published: 2015-07-29
The print_option function in dhcp-common.c in dhcpcd through 6.9.1, as used in dhcp.c in dhcpcd 5.x in Android before 5.1 and other products, misinterprets the return value of the snprintf function, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory corru...

CVE-2015-2977
Published: 2015-07-29
Webservice-DIC yoyaku_v41 allows remote attackers to create arbitrary files, and consequently execute arbitrary code, via unspecified vectors.

CVE-2015-2978
Published: 2015-07-29
Webservice-DIC yoyaku_v41 allows remote attackers to bypass authentication and complete a conference-room reservation via unspecified vectors, as demonstrated by an "unintentional reservation."

CVE-2015-2979
Published: 2015-07-29
Webservice-DIC yoyaku_v41 allows remote attackers to execute arbitrary OS commands via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!