Attacks/Breaches

9/20/2018
02:30 PM
Carlos Morales
Carlos Morales
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

3 Drivers Behind the Increasing Frequency of DDoS Attacks

What's causing the uptick? Motivation, opportunity, and new capabilities.

According to IDC Research's recent US DDoS Prevention Survey, more than 50% of IT security decision makers said that their organization had been the victim of a distributed denial-of-service (DDoS) attack as many as 10 times in the past year. For those who experienced an attack, more than 40% lasted longer than 10 hours. This statistic correlates with our ATLAS findings, which show there were 7.5 million DDoS attacks in 2017 — a rate, says Cisco, that is increasing at roughly the same rate as Internet traffic.

What's behind the uptick? It boils down to three factors: motivation of the attackers; the opportunity presented by inexpensive, easy-to-use attack services; and the new capabilities that Internet of Things (IoT) botnets have.

Political and Criminal Motivations
In an increasingly politically and economically volatile landscape, DDoS attacks have become the new geopolitical tool for nation-states and political activists. Attacks on political websites and critical national infrastructure services are becoming more frequent, largely because of the desire and capabilities of attackers to affect real-world events, such as election processes, while staying undiscovered.

In June, a DDoS attack was launched against the website opposing a Mexican presidential candidate during a debate. This attack demonstrated how a nation-state could affect events far beyond the boundaries of the digital realm. It threatened the stability of the election process by knocking a candidate's website offline while the debate was ongoing. Coincidence? Perhaps. Or maybe an example of the phenomenon security experts call "cyber reflection," when an incident in the digital realm is mirrored in the physical world.

DDoS attacks carried out by criminal organizations for financial gain also demonstrate cyber reflection, particularly for global financial institutions and other supra-national entities whose power makes them prime targets, whether for state actors, disaffected activists, or cybercriminals. While extortion on the threat of DDoS continues to be a major threat to enterprises across all vertical sectors, cybercriminals also use DDoS as a smokescreen to draw attention away from other nefarious acts, such as data exfiltration and illegal transfers of money.

Attacks Made Easy
This past April, Webstresser.org — one of the largest DDoS-as-a-service (DaaS) providers in existence, which allowed criminals to buy the ability to launch attacks on businesses and responsible for millions of DDoS attacks around the globe — was taken down in a major international investigation. The site was used by a British suspect to attack a number of large retail banks last year, causing hundreds of thousands of pounds of damage. Six suspected members of the gang behind the site were arrested, with computers seized in the UK, Holland, and elsewhere. Unfortunately, as soon as Webstresser was shut down, various other similar services immediately popped up to take its place.

DaaS services like Webstresser run rampant in the underground marketplace, and their services are often available at extremely low prices. This allows anyone with access to digital currency or other online payment processing service to launch a DDoS attack at a target of their choosing. The low cost and availability of these services provide a means of carrying out attacks both in the heat of the moment and after careful planning.

The rage-fueled, irrational DDoS-based responses of gamers against other gamers is a good example of a spur-of-the-moment, emotional attack enabled by the availability of DaaS. In other cases, the DaaS platforms may be used in hacktivist operations to send a message or take down a website in opposition to someone's viewpoint. The ease of accessibility to DaaS services enables virtually anyone to launch a cyberattack with relative anonymity.

IoT Botnets
IoT devices are quickly brought to market at the lowest cost possible, and securing them is often an afterthought for manufacturers. The result? Most consumer IoT devices are shipped with the most basic types of vulnerabilities, including hard code/default credentials, and susceptibility to buffer overflows and command injection. Moreover, when patches are released to address these issues, they are rarely applied. Typically, a consumer plugs in an IoT device and never contemplates the security aspect, or perhaps does not understand the necessity of applying regular security updates and patches. With nearly 27 billion connected devices in 2017, expected to rise to 125 billion by 2030 according to analysis from IHS Markit, they make extremely attractive targest for malware authors.

In the latter half of 2016, a high-visibility DDoS attack against a DNS host/provider was observed, which affected a number of major online properties. The malware responsible for this attack, and many others, was Mirai. Once the source code for Mirai was published on September 30, 2016, it sparked the creation of a slew of other IoT-based botnets, which have continued to evolve significantly. Combined with the proliferation of IoT devices, and their inherent lack of security, we have witnessed a dramatic growth in both the number and size of botnets. These new botnets provide the opportunity for attackers and DaaS services to create new, more powerful, and more sophisticated attacks.

Conclusion
Today's DDoS attacks are increasingly multivector and multilayered, employing a combination of large-scale volumetric assaults and stealth infiltration targeting the application layer. This is just the latest trend in an ever-changing landscape where attackers adapt their solutions and make use of new tools and capabilities in an attempt to evade and overcome existing defenses. Businesses need to maintain a constant vigilance on the techniques used to target them and continually evolve their defenses to industry best practices. 

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Carlos Morales is a Vice President responsible for NETSCOUT Arbor's pre-sales organization and sales for Arbor Cloud DDoS Mitigation and Managed Security Services lines of business. Carlos leads one of the industry's pre-eminent teams of pre-sales engineers providing ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.