The enterprise digital transformation has a dark side.
With so many new devices hooked into the Internet and with the Internet of Things (IoT) market expected to grow over the next several years, cybercriminal gangs, nation states and even determined individuals are harnessing all this power to increase the intensity of their attacks.
The number of distributed denial-of-service (DDoS) attacks has dropped when comparing the first half of 2017 to the first half of 2018, but the intensity of these incidents has only increased as threat actors take advantage of all these connected devices.
In the first half of this year, the security world witnessed a 1.3 terabits per second (Tbit/s) attack that targeted GitHub, which was then followed by the largest DDoS attack ever recorded: 1.7 Tbit/s. That incident focused on an unnamed service provider in the US. (See Arbor Networks: 1.7Tbit/s DDoS Attack Sets Record.)
Additionally, there have been 47 recorded DDoS attacks measured at 300 gigabits per second (Gbit/s) or higher in the first half of 2018, compared with only seven during the same time last year.
These results are part of a threat intelligence report released by NetScout's Arbor security division today. The company looked at about 2.8 million different attacks in the first half of 2018, and found that the average attack size increased by about 37% over the same time last year.
While attacks using IoT devices have been known for some time now, researchers started to observe these much more powerful attacks starting in early 2018 with the 1.7Tbit/s incident involving the service provider.
An analysis earlier this year by Arbor, Cloudflare and Qihoo 360's Network Security Research Laboratory (Netlab) took note of attacks using Memcache -- an open source distributed memory caching system -- as an enabler. This appears to be the case for DDoS attacks aimed at GitHub, Second Life and the larger one geared toward the service provider.
"The Memcached amplification technique was utilized and made available as part of numerous 'booter/stresser' services on the dark web in a short time frame after the vulnerability was publicly discussed," Hardik Modi, the senior director of Threat Intelligence at Netscout's Arbor's Asert, wrote in an email to Security Now.
"These services 'democratize' such attack techniques and made them available for relatively small amounts of money," Modi added. "Keeping that in mind, our understanding of the attack is that it may have been directed at a subscriber of the Service Provider, opening up a broad possibility of motivations, including something trivial like a person attempting to gain an advantage in online gaming."
The report also found an increased use of Simple Service Discovery Protocol (SSDP) attacks, which exploit Universal Plug and Play (UPnP) networking protocols to send large amounts of traffic to the target or victim in order to overwhelm the infrastructure. (See Misconfigured Routers Could Be Used for Botnets, Espionage.)
"Instead of targeted intrusions based on custom frameworks and crafted malware, DDoS activity now often involves hundreds of thousands -- or even millions -- of victims who largely serve to amplify the attack or end up as collateral damage, as indicated by the SSDP diffraction attacks that originated in 2015 and resurfaced this year," according to the report.
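Both the Memcached and SSDP incidents described above are reflection/amplification attacks: the attacker sends small requests with a forged source address to exposed servers, and those servers send much larger replies to the victim. From a defender's side, that pattern is visible in flow data as many distinct reflectors sending oversized UDP replies from the same service port to one destination. The following is an added example, not code from the report or from NetScout/Arbor; the flow-record format, the per-service size thresholds and the sample addresses (RFC 5737 ranges) are all constructed for the illustration.

```python
"""Flag likely UDP reflection/amplification traffic in flow records.

Added illustration: the flow line format, the thresholds and the sample data
below are assumptions for this example, not NetScout/Arbor's format or tooling.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors, keyed by the port the reflector
# answers from, with an assumed minimum average reply size (bytes per packet)
# that separates amplified replies from ordinary small datagrams.
REFLECTOR_PROFILES = {
    11211: ("memcached", 1000),
    1900: ("ssdp", 250),
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    byte_count: int
    packet_count: int


def parse_flow(line: str) -> Flow:
    """Parse one record in the assumed format:
    '<src_ip>:<src_port> > <dst_ip>:<dst_port> <proto> <bytes> <packets>'."""
    src, arrow, dst, proto, byte_count, packet_count = line.split()
    if arrow != ">":
        raise ValueError(f"unexpected record: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port),
                proto.lower(), int(byte_count), int(packet_count))


def find_reflection_victims(flows, min_reflectors=2, window_seconds=1):
    """Group amplified-looking UDP replies by destination and reflector service.

    A destination is reported when at least `min_reflectors` distinct reflector
    addresses sent it oversized replies from the same abused port within the
    window. Returns alerts sorted by total bytes, largest first.
    """
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PROFILES or f.packet_count == 0:
            continue
        service, min_bpp = REFLECTOR_PROFILES[f.src_port]
        if f.byte_count / f.packet_count < min_bpp:
            continue  # small replies: normal use of the service, not amplification
        entry = per_victim[(f.dst_ip, service)]
        entry["reflectors"].add(f.src_ip)
        entry["bytes"] += f.byte_count
        entry["packets"] += f.packet_count

    alerts = []
    for (dst_ip, service), entry in per_victim.items():
        if len(entry["reflectors"]) < min_reflectors:
            continue  # a single large reply stream is not the many-to-one pattern
        alerts.append({
            "victim": dst_ip,
            "service": service,
            "reflectors": len(entry["reflectors"]),
            "bytes": entry["bytes"],
            "mbit_per_s": round(entry["bytes"] * 8 / window_seconds / 1e6, 2),
        })
    alerts.sort(key=lambda a: a["bytes"], reverse=True)
    return alerts


# Constructed sample: one second of flow records (RFC 5737 documentation addresses).
# Three memcached reflectors and two SSDP reflectors hit 192.0.2.10; the rest is
# an ordinary memcached request, a lone SSDP reply, and small memcached replies.
SAMPLE_FLOWS = """\
203.0.113.7:11211 > 192.0.2.10:53424 udp 1400000 1000
203.0.113.8:11211 > 192.0.2.10:53424 udp 1300000 1000
203.0.113.9:11211 > 192.0.2.10:53424 udp 1200000 1000
198.51.100.5:1900 > 192.0.2.10:40000 udp 400000 1000
198.51.100.6:1900 > 192.0.2.10:40000 udp 380000 1000
192.0.2.10:53424 > 203.0.113.7:11211 udp 60 1
198.51.100.9:1900 > 192.0.2.77:1900 udp 300 1
203.0.113.20:11211 > 192.0.2.55:5000 udp 2000 20
""".splitlines()


def analyze(lines, **kwargs):
    """Parse flow lines and return the reflection alerts for them."""
    return find_reflection_victims((parse_flow(l) for l in lines if l.strip()), **kwargs)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(alert)
```

On the sample data the memcached group is reported first (three reflectors, 3.9 MB in the one-second window) and the SSDP group second; the request flow, the single SSDP reply and the small memcached replies are ignored. In practice the thresholds would be tuned to the network's own baseline, and the same records feed the operational response the report implies: blocking the abused source ports at the edge, and for anyone running Memcached, not exposing its UDP listener to the Internet at all.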
Additionally, DDoS attacks are being utilized by a number of different threat actors, which now include individuals and cybercriminal gangs, as well as nation-states utilizing advanced persistent threats (APTs).
One reason for this is that the barrier to entry has decreased, says the report:
There has been increased innovation in DDoS attack tools and techniques. The availability of such improved tools has lowered the barrier of entry, making it easier for a broader spectrum of attackers to launch a DDoS attack. Attack targets have also diversified. It used to be that certain verticals were likely targets for a DDoS attack, with finance, gaming, and e-commerce atop the list. Today, any organization, for any real or perceived offense or affiliation, can become a target of a DDoS attack.
This is also the reason why warnings from the US government about attacks utilizing devices such as routers used in small businesses and in the home have increased. VPNFilter could be the first of many such incidents. (See Talos: VPNFilter Malware Still Stands at the Ready.)
In the case of nation-states using these techniques, it's believed that cyber espionage groups use DDoS to distract targets from the real goal, which is usually infiltrating the network and remaining there for some time, Richard Hummel, manager of threat research at NetScout's Arbor's Asert, wrote in an email to Security Now.
"In this instance, they would use the DDoS to distract from their true intent, which is penetration into a network," Hummel wrote. "This type of distraction may serve an alternate purpose of taking down critical systems that would otherwise prevent an attacker from getting in. Second, it's widely believed that DDoS is a perfect smokescreen to disguise nefarious activity, similar to deploying ransomware in the final stages of an intrusion."
The report also found that these types of DDoS attacks are spreading throughout the world.
While the service provider targeted in the largest attack was based in the US, China saw the number of attacks measured at 500 Gbit/s increase from zero to 17 from the first half of last year to the first six months of 2018.
This is only expected to grow in scale over the next few years as more and more devices are connected to the Internet. The report finds that the number of IoT devices vulnerable to attack will increase from 27 billion last year to 125 billion by 2030.
In addition to DDoS attacks, this increase in connected devices opens up the field to more malware.
"Malware authors will continue to leverage IoT-based malware in automated fashion, quickly increasing the botnet size through worm-like spreading, network proxy functionality, and automated exploitation of vulnerabilities in Internet-facing devices," according to the report.