Attacks/Breaches
12/15/2010
04:39 PM
50%
50%

Anonymous Group Abandoning DDoS Attacks

Operation Payback never rated as more than a nuisance, according to Arbor Networks' analysis of 5,000 confirmed DDoS attacks over the past year at large carriers.

Strategic Security Survey: Global Threat, Local Pain
Strategic Security Survey: Global Threat, Local Pain
(click image for larger view and for full slideshow)

The Operation Payback distributed denial of service (DDoS) attack is declining. Furthermore, the small scale and low sophistication of the attack has meant that almost any Internet service provider should have been able to block it.

Those findings come from Craig Labovitz, chief scientist at Arbor Networks, who on Tuesday detailed what Arbor is billing as the biggest-ever study of real DDoS attack data, comprising 5,000 confirmed attacks over the past year that affected 37 large carriers and content providers around the world.

Even at its peak, Operation Payback was "more of an annoyance than an imminent critical infrastructure threat," said Labovitz, who likened it not to "cyber war," as some have characterized it, but rather simple "cyber-vandalism." "While the last round of attacks lead to brief outages, most of the carriers and hosting providers were able to quickly filter the attack traffic. In addition, these attacks mostly targeted Web pages or lightly read blogs -- not the far more critical back-end infrastructure servicing commercial transactions."

As suggested by the Anonymous collective's recent shift to sending faxes to their target companies, "by the end of [last] week, Anonymous followers had mostly abandoned their attack plans as ineffective," he said.

Beyond Operation Payback, the Arbor study offers new insights into DDoS trends and attacks, gleaned from data that Arbor began measuring in its own products two years ago, as well as by collecting anonymous ATLAS statistics, which are available from about 75% of all Internet carriers.

For grading DDoS attacks, Arbor classifies each based on its scale and sophistication. "At the high end in 2010, we observed a number of DDoS attacks in the 50+ Gbps range," said Labovitz. These large, flooding attacks comprised 60% of all confirmed DDoS attacks in 2010, and are typically designed "to exceed the inbound aggregate bandwidth capacity of data centers and carrier backbone links" by overwhelming them with packets, he said.

Meanwhile on the low end, comprising 27% of attacks, "we encounter attacks focused not on denying bandwidth, but the back-end computation, database, and distributed storage resources of large Web services," he said. "For example, service or application level attacks may focus on a series of Web or API calls that force an expensive database transaction or calls to slow storage servers."

In other words, overwhelm servers, applications, SIP, HTTP or TCP state not with volume, but rather the right kinds of calls, and DDoS attacks can succeed through sophistication, rather than scale.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Cybercrime has become a well-organized business, complete with job specialization, funding, and online customer service. Dark Reading editors speak to cybercrime experts on the evolution of the cybercrime economy and the nature of today's attackers.