
Attacks/Breaches

6/25/2020
11:00 AM

Another Record-Breaking DDoS Attack Signals Shift in Criminal Methods

Malicious botnet sources explode in new attacks that push boundaries in terms of volume and duration.

The past month has seen a spate of record-breaking and intensely long distributed denial-of-service (DDoS) attacks leveled at hosting providers and enterprises, suggesting a shift in tooling and botnet sourcing among the most advanced professional threat actors. 

The latest attack was revealed by researchers at Akamai, who today reported another high-water mark. On June 21 its team mitigated the largest packet-per-second DDoS attack ever recorded on its platform, one with double the volume of the previous packets-per-second peak.

At its height, the attack sought to overwhelm its target, a large European bank, with 809 million packets per second. The attack ramped up very quickly, moving from normal traffic patterns to its peak volume within two minutes and lasting just under 10 minutes. Packet-based DDoS attacks work on the same general principle as more common bits-per-second attacks, as both try to overwhelm the target company's infrastructure, just in slightly different ways. Whereas bits-per-second volumetric attacks try to overload the inbound pipeline, packets-per-second volumetric attacks work to exhaust internal network resources. 

"One way to think about the difference in DDoS attack types is to imagine a grocery store checkout. A high-bandwidth attack, measured in bps, is like a thousand people showing up in line, each one with a full cart ready to check out," explains Tom Emmons in a blog post today. "However, a PPS-based attack is more like a million people showing up, each to buy a pack of gum. In both cases, the final result is a service or network that cannot handle the traffic thrown at it."

According to his colleague Roger Barranco, vice president of global security operations at Akamai, for just over a year now attackers have been gradually shifting toward attacks with lower bits per second and higher packets per second, likely looking for weak spots in enterprise DDoS mitigation measures, which are often best equipped for the more frequent bandwidth attacks.

"Since bps-focused attacks were historically more commonplace, more defenses were built to defend that vector, resulting in comparatively fewer pps attack defensive postures being built, which in some cases was a chink in the armor of many enterprises," he says. "Related, the recent 809-million-pps attack we mitigated set a new bar for enterprises to consider when performing a risk assessment." 
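As an added illustration of the point above, not code from Akamai or from the original article: a small monitor that tracks packets per second separately from bits per second, so that a "pack of gum" flood of tiny packets trips an alert even when the bandwidth figure looks unremarkable. All counters and the 10x threshold are constructed for the example.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class Sample:
    t: int        # seconds since start of the window
    nbytes: int   # bytes received in that second
    packets: int  # packets received in that second

def rates(s):
    """(bits/s, packets/s, mean packet size in bytes) for one sample."""
    mean = s.nbytes / s.packets if s.packets else 0.0
    return s.nbytes * 8, s.packets, mean

def classify(samples, baseline_secs, factor=10.0):
    """Compare each second after the baseline window against the window's
    median bps and pps. Either rate exceeding `factor` x baseline is an
    alert; the label says which dimension tripped ('bps', 'pps', 'both')
    or 'normal'. Tracking pps on its own is the point: a small-packet
    flood can stay well under a bandwidth-only threshold."""
    base = samples[:baseline_secs]
    base_bps = median(s.nbytes * 8 for s in base)
    base_pps = median(s.packets for s in base)
    labels = {(True, True): "both", (True, False): "bps", (False, True): "pps"}
    out = []
    for s in samples[baseline_secs:]:
        bps, pps, _ = rates(s)
        key = (bps > factor * base_bps, pps > factor * base_pps)
        out.append((s.t, labels.get(key, "normal")))
    return out

# Constructed telemetry (not real capture data). Baseline: ~1 Gbps,
# 100 kpps, ~1250-byte packets.
BASELINE = [Sample(t, 125_000_000, 100_000) for t in range(5)]
# "Pack of gum" flood: 5 Mpps of 64-byte packets. Bandwidth is only
# ~2.6 Gbps (2.6x baseline), but the packet rate is 50x baseline.
PPS_FLOOD = [Sample(5 + t, 5_000_000 * 64, 5_000_000) for t in range(3)]
# "Full cart" flood: 900 kpps of 1500-byte packets, ~10.8 Gbps (10.8x
# baseline) while the packet rate stays under 10x.
BPS_FLOOD = [Sample(8 + t, 900_000 * 1500, 900_000) for t in range(2)]

def demo():
    """Run the classifier over the constructed window."""
    return classify(BASELINE + PPS_FLOOD + BPS_FLOOD, baseline_secs=5)

if __name__ == "__main__":
    for t, label in demo():
        print(f"t={t}s {label}")
```

A bandwidth-only threshold at 10x baseline would have stayed silent for the first flood; the pps dimension is what catches it.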

The truth is that criminals have been turning up the heat with higher and higher volumes of both varieties of attack lately. The announcement of this packet-based DDoS comes just a week after Akamai came forward with news that it had recently rebuffed the largest-ever bandwidth attack as well. Targeted against a website of a major hosting provider, that attack in early June clocked in at 1.44 terabits per second. It closely followed a 500 gigabits-per-second attack against a different website hosted by the same provider, which may not have been as groundbreaking for well-equipped organizations like that provider but was massive in its own right.

"Context is important here. For example, those with a massive infrastructure and associated skilled resources may not get too excited about a 500-Gbps attack, but I guarantee you that it is an infinitesimal percentage of enterprises that have the pipe and gear in place that can block a 500-Gbps attack while allowing healthy traffic to still reach them," Barranco says. "We may be looking at a new normal where a terabit-plus attack is no longer considered an extreme exception." 

Like the packet-based attack revealed today, the landmark bandwidth attack lasted just around 10 minutes. This is de rigueur for most DDoS attacks of all volume sizes. According to research from Imperva, approximately 26% of all attacks last just under 10 minutes and 29% last only one to six hours. In May some 70% of attacks lasted less than 24 hours. This is mostly a function of the fact that it usually only takes that long for the bad guys to achieve their DDoS attack objectives.

"As methods to carry out DDoS have become more advanced, leading to increased accessibility to those with no technical skills, we have historically seen that most attackers would rather not waste time and resources on achieving their proof of impact," explains Nadav Avital, head of security research at Imperva. 

However, Avital's team this week highlighted findings of some exceptionally long application DDoS attacks Imperva mitigated in May that have some striking similarities to the high-volume attacks found by Akamai. Imperva Research Labs reported that two unusually long attacks last month lasted five to six days.

"Longer attacks — such as the ones conducted in May — suggest they are the work of more professional bad actors who use their own botnets to carry out persistent assaults," Avital says.

Imperva reported that these two very long attacks were perpetrated by botnets using as many as 10 times the number of malicious IP sources found in recent average attacks. This echoes Akamai's findings about the malicious sources of traffic fueling the record-breaking attack announced today, which used 600 times the number of source IPs per minute that it normally sees.

"Over the last couple years, while DDoS frequency has been increasing, it has not increased in size and complexity at the same rate as IoT being added to the Internet," explains Barranco, who says that after the Mirai Internet of Things (IoT) attack was disabled, a lot of the most intense DDoS started to dry up. These recent attacks indicate that this lull could be coming to an end.

"This leads me to believe there is newly leveraged DDoS tooling available – possibly to a smaller group of bad actors, but those tools always end up being generally available to a wider audience which, understandably, is concerning to many," he says.

Barranco says his team is still investigating the tooling used in both record-breaking attacks, but they suspect they aren't necessarily brand new — they're just being used in a more organized and focused fashion.

"I think the tools themselves may not have been novel, but the coordinated use of the tools and, of high importance, the dramatic increase in attack sources being leveraged by the tool is novel," he says. "The fact that many of these attacks are at full power within a couple minutes is impressive." 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.