Another Record-Breaking DDoS Attack Signals Shift in Criminal Methods

Malicious botnet sources explode in new attacks that push boundaries in terms of volume and duration.

The past month has seen a spate of record-breaking and intensely long distributed denial-of-service (DDoS) attacks leveled at hosting providers and enterprises, suggesting a shift in tooling and botnet sourcing among the most advanced professional threat actors. 

The latest attack was revealed by researchers at Akamai, who today reported another high-water mark: on June 21 its team mitigated the largest packets-per-second DDoS attack ever recorded on its platform, one that doubled the previous packets-per-second peak.

At its height, the attack sought to overwhelm its target, a large European bank, with 809 million packets per second. The attack ramped up very quickly, moving from normal traffic patterns to its peak volume within two minutes and lasting just under 10 minutes. Packet-based DDoS attacks work on the same general principle as more common bits-per-second attacks, as both try to overwhelm the target company's infrastructure, just in slightly different ways. Whereas bits-per-second volumetric attacks try to overload the inbound pipeline, packets-per-second volumetric attacks work to exhaust internal network resources. 

"One way to think about the difference in DDoS attack types is to imagine a grocery store checkout. A high-bandwidth attack, measured in bps, is like a thousand people showing up in line, each one with a full cart ready to check out," explains Tom Emmons in a blog post today. "However, a PPS-based attack is more like a million people showing up, each to buy a pack of gum. In both cases, the final result is a service or network that cannot handle the traffic thrown at it."

According to his colleague Roger Barranco, vice president of global security operations at Akamai, for just over a year attackers have been gradually shifting toward attacks with lower bits per second and higher packets per second, likely probing for weak spots in enterprise DDoS mitigation, which is often best equipped for the more frequent bandwidth attacks.

"Since bps-focused attacks were historically more commonplace, more defenses were built to defend that vector, resulting in comparatively fewer pps attack defensive postures being built, which in some cases was a chink in the armor of many enterprises," he says. "Related, the recent 809-million-pps attack we mitigated set a new bar for enterprises to consider when performing a risk assessment." 
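The defensive gap Barranco describes is easy to reproduce in monitoring logic that only watches bandwidth. The following Python is an added example (not Akamai's or Imperva's code, and not from the article): it scores one-second traffic samples independently on packets, bits and distinct source IPs, using a constructed baseline and constructed flood samples, and shows that a small-packet flood trips the pps and source-count thresholds while staying under a bps-only threshold.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Sample:
    """One second of inbound traffic: packet count, byte count, distinct source IPs."""
    packets: int
    octets: int
    sources: int

    @property
    def bps(self) -> int:
        return self.octets * 8

    @property
    def avg_packet_bytes(self) -> float:
        return self.octets / self.packets if self.packets else 0.0


# Assumed baseline for a "normal" second (constructed, not real telemetry).
BASELINE = Sample(packets=50_000, octets=40_000_000, sources=2_000)


def classify(sample: Sample, baseline: Sample = BASELINE, factor: float = 10.0) -> List[str]:
    """Flag each axis on which the sample exceeds `factor` x baseline.

    pps, bps and source count are checked independently: a flood of tiny
    packets can stay under a bandwidth threshold while still exhausting
    per-packet resources, which is exactly the gap a bps-only defence leaves.
    """
    flags = []
    if sample.packets > factor * baseline.packets:
        flags.append("pps")
    if sample.bps > factor * baseline.bps:
        flags.append("bps")
    if sample.sources > factor * baseline.sources:
        flags.append("sources")
    return flags


def seconds_to_first_alert(series: List[Sample], baseline: Sample = BASELINE) -> int:
    """Index of the first second that trips any threshold, or -1 if none does."""
    for i, s in enumerate(series):
        if classify(s, baseline):
            return i
    return -1


# Constructed seconds: a large-packet bandwidth flood and a small-packet pps flood.
BANDWIDTH_FLOOD = Sample(packets=400_000, octets=600_000_000, sources=8_000)   # 1500 B/pkt, 4.8 Gbps
PPS_FLOOD = Sample(packets=5_000_000, octets=300_000_000, sources=1_200_000)   # 60 B/pkt, 2.4 Gbps

if __name__ == "__main__":
    for name, s in [("baseline", BASELINE), ("bandwidth", BANDWIDTH_FLOOD), ("pps", PPS_FLOOD)]:
        print(f"{name:10} pps={s.packets:>9} bps={s.bps:>13} avg={s.avg_packet_bytes:5.0f}B flags={classify(s)}")
```

Watching the three axes separately, rather than bandwidth alone, is the point; the threshold factor and baseline values are assumptions to be replaced with a site's own measured normal.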

The truth is that criminals have been turning up the heat with higher and higher volumes of both varieties of attack lately. The announcement of this packet-based DDoS comes just a week after Akamai came forward with news that it had recently rebuffed the largest-ever bandwidth attack as well. Targeted against a website of a major hosting provider, that attack in early June clocked in at 1.44 terabits per second. It closely followed a 500 gigabits-per-second attack against a different website hosted by the same provider, which may not have been groundbreaking for well-equipped organizations like that provider but was massive in its own right.

"Context is important here. For example, those with a massive infrastructure and associated skilled resources may not get too excited about a 500-Gbps attack, but I guarantee you that it is an infinitesimal percentage of enterprises that have the pipe and gear in place that can block a 500-Gbps attack while allowing healthy traffic to still reach them," Barranco says. "We may be looking at a new normal where a terabit-plus attack is no longer considered an extreme exception." 

Like the packet-based attack revealed today, the landmark bandwidth attack lasted around 10 minutes. This is de rigueur for most DDoS attacks, regardless of volume. According to research from Imperva, approximately 26% of all attacks last just under 10 minutes and 29% last one to six hours. In May some 70% of attacks lasted less than 24 hours. This is mostly because it usually takes only that long for the bad guys to achieve their DDoS attack objectives.

"As methods to carry out DDoS have become more advanced, leading to increased accessibility to those with no technical skills, we have historically seen that most attackers would rather not waste time and resources on achieving their proof of impact," explains Nadav Avital, head of security research at Imperva. 

However, Avital's team this week highlighted some exceptionally long application-layer DDoS attacks that Imperva mitigated in May and that bear striking similarities to the high-volume attacks found by Akamai. Imperva Research Labs reported that two unusually long attacks last month lasted five to six days.

"Longer attacks — such as the ones conducted in May — suggest they are the work of more professional bad actors who use their own botnets to carry out persistent assaults," Avital says.

Imperva reported that these two very long attacks were perpetrated by botnets using as many as 10 times the number of malicious IP sources found in recent average attacks. This echoes Akamai's findings about the malicious sources of traffic fueling the record-breaking attack announced today, which used 600 times the number of source IPs per minute that it normally sees.

"Over the last couple years, while DDoS frequency has been increasing, it has not increased in size and complexity at the same rate as IoT being added to the Internet," explains Barranco, who says that after the Mirai Internet of Things (IoT) botnet was disabled, many of the most intense DDoS attacks started to dry up. These recent attacks indicate that this lull could be coming to an end.

"This leads me to believe there is newly leveraged DDoS tooling available – possibly to a smaller group of bad actors, but those tools always end up being generally available to a wider audience which, understandably, is concerning to many," he says.

Barranco says his team is still investigating the tooling used in both record-breaking attacks, but they suspect the tools aren't necessarily brand new — they're just being used in a more organized and focused fashion.

"I think the tools themselves may not have been novel, but the coordinated use of the tools and, of high importance, the dramatic increase in attack sources being leveraged by the tool is novel," he says. "The fact that many of these attacks are at full power within a couple minutes is impressive." 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
