Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.



09:35 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now

DDoS Attacks Are Less Frequent, Much More Intense

A report from NetScout's Arbor security division finds that the frequency of DDoS attacks has dropped but the intensity has increased. Earlier this year, the company recorded a 1.7Tbit/s assault against a service provider.

The enterprise digital transformation has a dark side.

With so many new devices hooked into the Internet and with the Internet of Things (IoT) market expected to grow over the next several years, cybercriminal gangs, nation states and even determined individuals are harnessing all this power to increase the intensity of their attacks.

The number of distributed denial-of-service (DDoS) attacks has dropped when comparing the first half of 2017 to the first half of 2018, but the intensity of these incidents has only increased as threat actors take advantage of all these connected devices.

In the first of this year, the security world witnessed a 1.3 terabits per second (Tbit/s) attack that targeted GitHub, which was then followed by the largest DDoS attack ever recorded: 1.7 Tbit/s. That incident focused on an unnamed service provider in the US. (See Arbor Networks: 1.7Tbit/s DDoS Attack Sets Record.)

Additionally, there have been 47 recorded DDoS attacks measured at 300 gigabits per second (Gbit/s) or higher in the first half of 2018, compared with only seven during the same time last year.

These results are part of a threat intelligence report released by NetScout's Arbor security division today. The company looked at about 2.8 million different attacks in the first half of 2018, and found that the average attack sized increased by about 37% over the same time last year.

While attacks using IoT devices have been known for some time now, researchers started to observe these much more powerful attacks starting in early 2018 with the 1.7Tbit/s incident involving the service provider.

An analysis earlier this year by Arbor, Cloudflare and Qihoo 360's Network Security Research Laboratory (Netlab) took note of attacks using Memcache -- an open source distributed memory caching system -- as an enabler. This appears to be the case for DDoS attacks aimed at GitHub, Second Life and the larger one geared toward the service provider.

"The Memcached amplification technique was utilized and made available as part of numerous 'booter/stresser' services on the dark web in a short time frame after the vulnerability was publicly discussed," Hardik Modi, the senior director of Threat Intelligence at Netscout's Arbor's Asert, wrote in an email to Security Now.

"These services 'democratize' such attack techniques and made them available for relatively small amounts of money," Modi added. "Keeping that in mind, our understanding of the attack is that it may have been directed at a subscriber of the Service Provider, opening up a broad possibility of motivations, including something trivial like a person attempting to gain an advantage in online gaming."

The report also found an increase use in Simple Service Discovery Protocol (SSDP) attack, which exploit Universal Plug and Play (UPnP) networking protocols to send large amounts of traffic to the target or victim in order to overwhelm the infrastructure. (See Misconfigured Routers Could Be Used for Botnets, Espionage.)

"Instead of targeted intrusions based on custom frameworks and crafted malware, DDoS activity now often involves hundreds of thousands -- or even millions -- of victims who largely serve to amplify the attack or end up as collateral damage, as indicated by the SSDP diffraction attacks that originated in 2015 and resurfaced this year," according to the report.

Additionally, DDoS attacks are being utilized by a number of different threat actors, which now includes individuals and cybercriminal gangs, as well as nation-states utilizing advanced persistent threats (APTs).

Zero in on the most attractive 5G NR deployment strategies, and take a look ahead to later technology developments and service innovations. Join us for the Deployment Strategies for 5G NR breakfast workshop in LA at MWCA on September 12. Register now to learn from and network with industry experts – communications service providers get in free!

One reason for this is that barrier for entry has decreased, says the report:

There has been increased innovation in DDoS attack tools and techniques. The availability of such improved tools has lowered the barrier of entry, making it easier for a broader spectrum of attackers to launch a DDoS attack. Attack targets have also diversified. It used to be that certain verticals were likely targets for a DDoS attack, with finance, gaming, and e-commerce atop the list. Today, any organization, for any real or perceived offense or affiliation, can become a target of a DDoS attack.

This is also the reason why the US government warnings have increased about attacks utilizing devices such as routers used for small businesses and in the home. VPNFilter could be the first of many such incidents. (See Talos: VPNFilter Malware Still Stands at the Ready.)

In the case of nation-states using these techniques, it's believed that cyber espionage groups use DDoS to distract targets from the real goal, which is usually infiltrating the network and remaining there for some time, Richard Hummel, manager of threat research at NetScout's Arbor's Asert, wrote in an email to Security Now.

"In this instance, they would use the DDoS to distract from their true intent, which is penetration into a network," Hummel wrote. "This type of distraction may serve an alternate purpose of taking down critical systems that would otherwise prevent an attacker from getting in. Second, it's widely believed that DDoS is a perfect smokescreen to disguise nefarious activity, similar to deploying ransomware in the final stages of an intrusion."

The report also found that these types of DDoS attacks are spreading throughout the world.

While the service provider targeted in the largest attack was based in the US, China saw the number of attacks measured at 500 Gbit/s increase from zero to 17 between the first half of last year to the first six months of 2018.

From here, this is only expected to grow in scale over the next few years as more and more devices are connected to the Internet. The report finds that the number of IoT devices vulnerable to attack will increase from 27 billion last year to 125 billion by 2030.

In addition to DDoS attacks, this increase in connected devices opens up the field to more malware.

"Malware authors will continue to leverage IoT-based malware in automated fashion, quickly increasing the botnet size through worm-like spreading, network proxy functionality, and automated exploitation of vulnerabilities in Internet-facing devices," according to the report.

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.