Attacks/Breaches
1/28/2014 03:07 PM

DDoS Just Won't Die

Record-breaking 309 Gbps distributed denial-of-service attack reported, and attackers continue to employ new ways of flooding and overwhelming struggling targets

It's one of the more crude and old-school cyberattacks, but the distributed denial-of-service (DDoS) attack just keeps getting stronger, faster, and harder to deflect: New data published today shows the largest attack last year registered three times the volume of DDoS attacks in previous years, and attacks against SSL-protected websites jumped nearly 20 percent.

"We are seeing a lot of Web [DDoS] attacks and encrypted attacks," says Gary Sockrider, solutions architect for the Americas at Arbor Networks, which released its annual Worldwide Infrastructure Security Report today that mentions a record-breaking 309-Gbps DDoS attack last year. "In the past three years, DDoSes had plateaued at a peak of around 100 Gbps. This year, the largest is 309 Gbps, three orders of magnitude larger."

Other security reports published today echo the same theme of more punishing DDoS attacks in the past year: Radware saw a 20 percent increase in the severity of DDoS attacks, and Prolexic reports that DDoS attack volume increased month to month last year, with a 30 percent increase in powerful, high-bandwidth attacks.

Sockrider says respondents to the Arbor survey -- 68 percent of whom are service providers -- reported experiencing multiple DDoS attacks above 100 Gbps, which jibes with what Arbor witnessed firsthand for its customers. While the DDoS attack in March 2013 against volunteer spam-filtering organization Spamhaus was the largest on record at 300 Gbps, there were likely copycats, he says.

The attackers behind the DDoS attack on Spamhaus abused improperly configured or default-state DNS servers, also known as open DNS resolvers, so this was no standard botnet-borne attack. Because those DNS servers are large and sit on high-speed Internet connections, the attackers could generate far more attack bandwidth with fewer machines.
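Seen from the resolver operator's side, that abuse shows up as one address receiving many times more response bytes than it ever sent in queries, because the source address is spoofed to the victim. The following is an added example (not from the article or from Arbor's report) that scores a constructed resolver log that way; the line format, the sample addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample from an open resolver's query log (not real data). Assumed
# line format: "<unix_ts> <client_ip> <qname> <qtype> <query_bytes> <response_bytes>".
# The repeated ANY queries for one name from one "client" are the reflection pattern.
SAMPLE_LOG = """\
1364227200 203.0.113.7 example.org ANY 64 3340
1364227200 203.0.113.7 example.org ANY 64 3340
1364227201 203.0.113.7 example.org ANY 64 3340
1364227201 198.51.100.20 www.example.com A 58 74
1364227202 203.0.113.7 example.org ANY 64 3340
1364227202 198.51.100.21 mail.example.com MX 61 120
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d+) (\d+)$")

def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype, qbytes, rbytes = m.groups()
        records.append({"ts": int(ts), "client": client, "qname": qname,
                        "qtype": qtype, "qbytes": int(qbytes), "rbytes": int(rbytes)})
    return records

def find_reflection_victims(records, min_amplification=10.0, min_queries=3):
    """Aggregate per source address and report addresses that receive far more
    response bytes than they sent in queries. In a reflection attack that address
    is the spoofed victim, which is what the resolver operator should rate-limit."""
    stats = defaultdict(lambda: {"queries": 0, "qbytes": 0, "rbytes": 0, "qtypes": set()})
    for r in records:
        s = stats[r["client"]]
        s["queries"] += 1
        s["qbytes"] += r["qbytes"]
        s["rbytes"] += r["rbytes"]
        s["qtypes"].add(r["qtype"])
    suspects = {}
    for ip, s in stats.items():
        amplification = s["rbytes"] / s["qbytes"]
        if s["queries"] >= min_queries and amplification >= min_amplification:
            suspects[ip] = {"amplification": round(amplification, 1),
                            "queries": s["queries"], "qtypes": sorted(s["qtypes"])}
    return suspects
```

The output is the list of addresses to rate-limit responses to, not a list of attackers: the machines that actually sent the queries are hidden behind the spoofed source.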

More than one-third of respondents in the Arbor survey say they were hit with DNS-based DDoS attacks that affected customers, up from 25 percent last year.

Hacktivists remain the top DDoS attackers, according to Arbor's report, but cybercriminals also are employing these destructive attacks to target businesses. Some 40 percent of DDoS attacks are waged for political or ideological reasons, respondents say, while 39 percent say the attack motivation is unknown. Some 16 percent say the attacks were used as a diversion by the attackers for cybercrime activity such as stealing sensitive data.

Richard Domingues Boscovich, assistant general counsel of Microsoft's Digital Crimes Unit, says DDoS attacks are becoming more serious and are increasingly being used in conjunction with other attacks. A DDoS can be used to overwhelm a company's security operations center, for instance, to weaken its defenses against other types of attacks. "So DDoS mitigation is crucial to filter the noise away," he says. Becoming overwhelmed by a DDoS can leave a back door open for other attacks while the organization is dealing with the DDoS, he says. "That's my main concern," Boscovich says.

If a criminal syndicate were to point a massive DDoS at a bank's network, for instance, it could take down their firewalls. "No firewall can scale to 50 to 60 Gbps of throughput, so it's going to fill up memory and saturate the system, so the security team has to take them down, reboot the ACLs [access control lists], turn off scanning, and during that period ... the criminals will use DDoS as a distraction to go after and exfiltrate data," says Jason Matlof, vice president of marketing for A10 Networks. "Criminal syndicates are getting more sophisticated, and botnets are a way to make money like they've never been able to make before."

Data Centers In the Bull's Eye
Data center operations are being targeted more by DDoS attacks, according to Arbor, with 70 percent of centers saying they saw a rise in attacks, versus 50 percent last year. More than one-third say the attacks completely saturated their available Internet connections: "Twice as many said it exceeded their total bandwidth, so it had to be mitigated upstream," Sockrider says. "81 percent say they experienced operational expenses or business impact because of a DDoS."

Multiple DDoS attacks also were more frequent on data centers last year: some 10 percent say they suffered more than 100 DDoS attacks per month.

[Denial-of-service attacks powered by NTP amplification interrupted online-gaming services over the past month, renewing efforts to find solutions to the vulnerabilities. See No Easy Solution To Stop Amplification Attacks.]

Radware's DDoS survey found that 87 percent of enterprises and carriers have experienced some level of service disruption due to a DDoS attack, and 60 percent had an actual service degradation from a DDoS. "The negative impact of a service outage is already understood, but even small instances of service degradation can have harmful, lasting effects on an organization's brand image, customer satisfaction and ultimately its bottom line," says Avi Chesla, chief technology officer at Radware.

Meanwhile, application-layer DDoS attacks continue to become more prevalent, Arbor reports, with a 17 percent increase in DDoSes against encrypted, SSL/HTTPS websites and services. "What they're trying to do is evade detection. These encrypted attacks tend to be fairly simplistic and they're not trying to hide their nature, but just trying to hide the fact that it is an attack," Sockrider says.

Encrypted application-layer DDoS attacks accounted for half of all Web attacks last year, according to Radware. Some 15 percent of its survey respondents say their Web application login pages were hit daily.

SSL DDoS attacks employ simple encryption algorithms, and encryption is becoming an option in many DDoS attack tools, Arbor's Sockrider says. This type of DDoS traffic can easily get passed to the server by the IPS or firewall: "On the surface, [the traffic] looks legitimate. It's very uncommon that they decrypt it to inspect it," he says.

These attacks are not high volume like infrastructure attacks, but instead are all about exhausting server or state table resources. "It's exhausting the resources of the application or host it runs on. And it's much harder to detect, and therefore you can't [typically] see it," Sockrider says.
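Because the traffic is encrypted and low-volume, the signal a defender has is behavioural: a source that keeps completing TLS handshakes and holding sessions open while sending few or no real requests. The following is an added example (not from the article) of flagging that pattern in a constructed TLS front-end connection log; the log format, event names, sample addresses and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample of a TLS front end's connection log (not real data). Assumed
# line format: "<unix_ts> <src_ip> <event>" with event in handshake/request/close.
# 203.0.113.9 keeps completing handshakes, rarely sends a request and never closes:
# cheap for the client, costly in server CPU and state-table entries.
SAMPLE_LOG = """\
1364227200 203.0.113.9 handshake
1364227200 203.0.113.9 handshake
1364227201 203.0.113.9 handshake
1364227201 198.51.100.5 handshake
1364227201 198.51.100.5 request
1364227202 203.0.113.9 handshake
1364227202 198.51.100.5 close
1364227203 203.0.113.9 handshake
1364227203 203.0.113.9 request
"""

EVENTS = {"handshake", "request", "close"}

def parse_events(text):
    """Return (ts, src, event) tuples; lines with unknown events are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in EVENTS:
            continue
        events.append((int(parts[0]), parts[1], parts[2]))
    return events

def flag_handshake_floods(events, window=10, max_open=3, max_ratio=3.0):
    """Bucket events per source into fixed windows and flag sources that either
    hold more than max_open unclosed sessions or perform more than max_ratio
    handshakes per request. Returns {src: sorted list of reasons}."""
    counts = defaultdict(lambda: {"handshake": 0, "request": 0, "close": 0})
    for ts, src, event in events:
        counts[(src, ts // window)][event] += 1
    verdicts = defaultdict(set)
    for (src, _bucket), c in counts.items():
        open_sessions = c["handshake"] - c["close"]
        ratio = c["handshake"] / max(c["request"], 1)
        if open_sessions > max_open:
            verdicts[src].add("open_sessions")
        if ratio > max_ratio:
            verdicts[src].add("handshake_ratio")
    return {src: sorted(reasons) for src, reasons in verdicts.items()}
```

Nothing here needs the payload decrypted: only handshake, request and close events from the front end, which is the point when the IPS or firewall passes the traffic through unseen.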

Enterprises are the biggest DDoS target, according to Akamai, which today published its State of the Internet report for Q3 2013. Some 127 DDoS attacks were reported by enterprises during that period, 80 by commerce businesses, 42 by media and entertainment organizations, 18 by public sector organizations, and 14 by high-technology firms.

And once you're hit with a DDoS, there's a 25 percent chance you'll be attacked again within three months, Akamai estimates.

The bad news is that many organizations simply don't have a plan for defending against DDoS attacks, either. Nearly 45 percent of organizations surveyed recently by Corero have no DDoS response plan, while some 21 percent don't have a response team set up in the case of a DDoS attack targeting their networks. Around 60 percent say they don't have a designated DDoS response team, and 40 percent say they don't have a point of contact within their organizations when a DDoS hits.

Arbor's Worldwide Infrastructure Security Report is available here (PDF) for download.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
KeithR192, User Rank: Apprentice
2/19/2014 | 11:07:38 PM
re: DDoS Just Won't Die
Yeah, that would be 100,000 Gbps! Does anyone have that much bandwidth?
bithammer, User Rank: Apprentice
1/29/2014 | 5:59:05 PM
re: DDoS Just Won't Die
Last I checked, 300 isn't "three orders of magnitude larger" than 100.
Drew Conry-Murray, User Rank: Ninja
1/29/2014 | 4:08:53 PM
re: DDoS Just Won't Die
Crude and old-school indeed, but as long as it's effective, some kinds of attack never go out of style.