Attacks/Breaches

7/3/2018
04:40 PM
50%
50%

Bigger, Faster, Stronger: 2 Reports Detail the Evolving State of DDoS

DDoS attacks continue to plague the Internet, getting bigger and more dangerous. And now, the kids are involved.

DDoS attacks don't arrive on little cat feet; they announce their presence with the subtlety of a shovel to the face. Two just-released reports show that these loud DDoS attacks are getting louder, larger, and more numerous with the passage of time.

Verisign released its Q1 2018 DDoS Trends Report and Akamai published its State of the Internet/Security Summer 2018 report and neither was filled with good news if your job is defending a company or network against DDoS attacks. Together, the two reports paint a detailed and disturbing picture of the way DDoS attacks are evolving to be both more common and more dangerous.

Both reports noted the largest DDoS attack in the period, a 170 Gbps, 65 Mpps (million packets per second) operation notable for two things: its target and its originator.

The target was not a single organization or individual. It was, instead, an entire /24 subnet on the Internet. The size of the attack and the broad target meant that scores of websites and services around the world felt the effects.

Akamai's report notes that the threat actor was also notable, given that it was a 12-year-old who originated the attack mechanism on YouTube and coordinated the attack through Steam (an online game-playing platform) and IRC.

When adolescents can use YouTube to launch a globe-spanning attack, it marks the dawn of a new definition of "script kiddies.”

"I believe [kids are] growing up faster because they're exposed to it," says Lisa Beegle, senior manager of information security at Akamai, when asked about the age of this attack developer. "They also have a greater amount of time they can commit to it." She continues, "Was this kid as smart as an adult threat actor? No, but there was still a level of sophistication as to the target."

That target was hit with a reflection and massive amplification attach using memcached — an attack that saw a returned payload directed at the victim subnet that was 51,000 times the size of the spoofed request sent by the attacker.

While memcached has been in existence for 15 years, this attack seems to be the first major assault using the function in a malicious manner. Since it is a distributed memory object caching system, memcached becomes a very effective tool in the DDoS attacker's arsenal.

While new attacks are available, the Verisign report notes that UDP floods remain the favorite DDoS mechanism, accounting for roughly half of all attacks seen in the quarter. TCP attacks were the next most common, involved in approximately one-quarter of the attacks. In many cases, though, both types (and others) could be involved, since 58% of attacks involved multiple attack types in a single event.

The nature of attacks continues to evolve through the industry. "Last year, we were seeing smaller attacks that were coming in under the radar — they were causing an impact in 30 seconds, before we could see it and respond," Beegle says. Now, "I've seen attacks that were a week long, where [the attacker] changed the dynamics during the attack," she says. Moving forward, Beegle expects both types of attacks to continue. "I think there will always be the mix, depending on who the target is and who the attacker is," she says. "We've seen some nation-state action and that will always be different than the script kiddies."

Related content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "I'm not sure I like this top down management approach!"
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17332
PUBLISHED: 2018-09-22
An issue was discovered in libsvg2 through 2012-10-19. The svgGetNextPathField function in svg_string.c returns its input pointer in certain circumstances, which might result in a memory leak caused by wasteful malloc calls.
CVE-2018-17333
PUBLISHED: 2018-09-22
An issue was discovered in libsvg2 through 2012-10-19. A stack-based buffer overflow in svgStringToLength in svg_types.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because sscanf is misused.
CVE-2018-17334
PUBLISHED: 2018-09-22
An issue was discovered in libsvg2 through 2012-10-19. A stack-based buffer overflow in the svgGetNextPathField function in svg_string.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because a strncpy copy limit is miscalculated.
CVE-2018-17336
PUBLISHED: 2018-09-22
UDisks 2.8.0 has a format string vulnerability in udisks_log in udiskslogging.c, allowing attackers to obtain sensitive information (stack contents), cause a denial of service (memory corruption), or possibly have unspecified other impact via a malformed filesystem label, as demonstrated by %d or %n...
CVE-2018-17321
PUBLISHED: 2018-09-22
An issue was discovered in SeaCMS 6.64. XSS exists in admin_datarelate.php via the time or maxHit parameter in a dorandomset action.