6/25/2020
11:00 AM
Another Record-Breaking DDoS Attack Signals Shift in Criminal Methods

Malicious botnet sources explode in new attacks that push boundaries in terms of volume and duration.

The past month has seen a spate of record-breaking and intensely long distributed denial-of-service (DDoS) attacks leveled at hosting providers and enterprises, suggesting a shift in tooling and botnet sourcing among the most advanced professional threat actors. 

The latest attack was revealed by researchers at Akamai, who today reported another high-water mark: on June 21 its team mitigated the largest packets-per-second DDoS attack ever recorded on its platform, double the volume of the previous packets-per-second peak.

At its height, the attack sought to overwhelm its target, a large European bank, with 809 million packets per second. It ramped up very quickly, moving from normal traffic patterns to peak volume within two minutes, and lasted just under 10 minutes. Packet-based DDoS attacks work on the same general principle as the more common bits-per-second attacks: both try to overwhelm the target's infrastructure, just in slightly different ways. Whereas bits-per-second volumetric attacks try to saturate the inbound pipe, packets-per-second volumetric attacks work to exhaust the resources that must process every packet regardless of its size, such as the per-packet capacity of routers, firewalls and load balancers and their connection-state tables.

"One way to think about the difference in DDoS attack types is to imagine a grocery store checkout. A high-bandwidth attack, measured in bps, is like a thousand people showing up in line, each one with a full cart ready to check out," explains Tom Emmons in a blog post today. "However, a PPS-based attack is more like a million people showing up, each to buy a pack of gum. In both cases, the final result is a service or network that cannot handle the traffic thrown at it."

According to his colleague Roger Barranco, vice president of global security operations at Akamai, for just over a year attackers have been shifting modestly toward attacks with lower bits per second and higher packets per second, likely probing for weak spots in enterprise DDoS mitigation, which is usually best equipped for the more frequent bandwidth attacks.

"Since bps-focused attacks were historically more commonplace, more defenses were built to defend that vector, resulting in comparatively fewer pps attack defensive postures being built, which in some cases was a chink in the armor of many enterprises," he says. "Related, the recent 809-million-pps attack we mitigated set a new bar for enterprises to consider when performing a risk assessment." 

Criminals have been turning up the heat with higher and higher volumes of both varieties of attack lately. The announcement of this packet-based DDoS comes just a week after Akamai reported that it had rebuffed the largest-ever bandwidth attack as well. Targeted at a website of a major hosting provider, that attack in early June clocked in at 1.44 terabits per second. It closely followed a 500 gigabits-per-second attack against a different website hosted by the same provider; that one may not have been groundbreaking for a well-equipped organization like the provider, but it was massive in its own right.

"Context is important here. For example, those with a massive infrastructure and associated skilled resources may not get too excited about a 500-Gbps attack, but I guarantee you that it is an infinitesimal percentage of enterprises that have the pipe and gear in place that can block a 500-Gbps attack while allowing healthy traffic to still reach them," Barranco says. "We may be looking at a new normal where a terabit-plus attack is no longer considered an extreme exception." 

Like the packet-based attack revealed today, the landmark bandwidth attack lasted around 10 minutes. This is de rigueur for DDoS attacks of every size. According to research from Imperva, approximately 26% of all attacks last just under 10 minutes and 29% last one to six hours; in May some 70% of attacks lasted less than 24 hours. This is mostly because it usually takes only that long for attackers to achieve their objectives.

"As methods to carry out DDoS have become more advanced, leading to increased accessibility to those with no technical skills, we have historically seen that most attackers would rather not waste time and resources on achieving their proof of impact," explains Nadav Avital, head of security research at Imperva. 

However, Avital's team this week highlighted some exceptionally long application-layer DDoS attacks that Imperva mitigated in May and that share striking similarities with the high-volume attacks found by Akamai. Imperva Research Labs reported that two unusually long attacks last month ran for five to six days.

"Longer attacks — such as the ones conducted in May — suggest they are the work of more professional bad actors who use their own botnets to carry out persistent assaults," Avital says.

Imperva reported that these two very long attacks were carried out by botnets using as many as 10 times the number of malicious IP sources seen in recent average attacks. This echoes Akamai's findings about the sources of the traffic fueling the record-breaking attack announced today, which used 600 times the number of source IPs per minute that Akamai normally sees.
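The two signals the article describes, the bits-per-second versus packets-per-second distinction (the "full cart" versus "pack of gum" cases) and a surge in distinct source IPs per window, can be checked in a few lines of traffic accounting. The block below is an added example, not code from Akamai, Imperva or Dark Reading. It buckets constructed packet records into one-second windows, computes pps, bps and unique sources for each, and labels a window as a pps flood when the packet rate spikes without a matching bit-rate spike, or as a bps flood when the bit rate itself spikes. The baseline is taken from the first window and the 5x threshold is an illustrative assumption, not a vendor figure; the sample traffic and source addresses are constructed.

```python
# Added example (not Akamai's, Imperva's or Dark Reading's code): tell a
# packets-per-second flood apart from a bits-per-second flood, and flag a
# surge in distinct source IPs, over constructed sample traffic.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float   # arrival time in seconds
    src: str    # source IP (constructed, not real traffic)
    size: int   # bytes on the wire


def window_stats(packets, window=1.0):
    """Bucket packets into fixed-size windows and return, per window,
    (start_seconds, pps, bps, unique_sources)."""
    buckets = defaultdict(list)
    for p in packets:
        buckets[int(p.ts // window)].append(p)
    stats = []
    for k in sorted(buckets):
        ps = buckets[k]
        pps = len(ps) / window
        bps = sum(p.size for p in ps) * 8 / window
        stats.append((k * window, pps, bps, len({p.src for p in ps})))
    return stats


def classify(stats, baseline, factor=5.0):
    """Label each window against a baseline tuple (pps, bps, unique sources).
    The factor-of-5 threshold is an assumption for illustration only."""
    base_pps, base_bps, base_srcs = baseline
    out = []
    for start, pps, bps, srcs in stats:
        high_pps = pps > factor * base_pps
        high_bps = bps > factor * base_bps
        if high_pps and not high_bps:
            label = "pps flood"   # many small packets: the "pack of gum" case
        elif high_bps:
            label = "bps flood"   # pipe saturation: the "full cart" case
        else:
            label = "normal"
        out.append({"start": start, "pps": pps, "bps": bps, "sources": srcs,
                    "label": label, "source_surge": srcs > factor * base_srcs})
    return out


def sample_traffic():
    """Constructed traffic: one clean second, one pps flood, one bps flood."""
    pk = []
    # second 0: 1,000 x 1,000-byte packets from 50 sources (8 Mbps)
    pk += [Pkt(0 + i / 1000, f"10.0.0.{i % 50}", 1000) for i in range(1000)]
    # second 1: 50,000 x 60-byte packets from 5,000 sources (24 Mbps, 50x the pps)
    pk += [Pkt(1 + i / 50000, f"10.{(i % 5000) // 256}.{(i % 5000) % 256}.1", 60)
           for i in range(50000)]
    # second 2: 5,000 x 1,500-byte packets from 50 sources (60 Mbps, 5x the pps)
    pk += [Pkt(2 + i / 5000, f"10.0.0.{i % 50}", 1500) for i in range(5000)]
    return pk


def analyse(packets=None):
    """Run the pipeline; the first window is assumed to be clean baseline traffic."""
    packets = sample_traffic() if packets is None else packets
    stats = window_stats(packets)
    baseline = stats[0][1:]
    return classify(stats, baseline)


if __name__ == "__main__":
    for w in analyse():
        print(f"t={w['start']:.0f}s pps={w['pps']:.0f} Mbps={w['bps'] / 1e6:.1f} "
              f"sources={w['sources']} -> {w['label']}"
              + (" (source surge)" if w["source_surge"] else ""))
```

Note that the pps-flood window carries only three times the baseline bit rate, so a mitigation rule keyed on bandwidth alone would not fire on it; the same window also trips the source-surge flag, which is the pattern the Imperva and Akamai observations above describe.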

"Over the last couple years, while DDoS frequency has been increasing, it has not increased in size and complexity at the same rate as IoT being added to the Internet," explains Barranco, who says that after the Mirai Internet of Things (IoT) botnet was disrupted, much of the most intense DDoS activity dried up. These recent attacks indicate that this lull could be coming to an end.

"This leads me to believe there is newly leveraged DDoS tooling available – possibly to a smaller group of bad actors, but those tools always end up being generally available to a wider audience which, understandably, is concerning to many," he says.

Barranco says his team is still investigating the tooling used in both record-breaking attacks but suspects it isn't necessarily brand new; rather, it is being used in a more organized and focused fashion.

"I think the tools themselves may not have been novel, but the coordinated use of the tools and, of high importance, the dramatic increase in attack sources being leveraged by the tool is novel," he says. "The fact that many of these attacks are at full power within a couple minutes is impressive." 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.