Attacks/Breaches

Bigger, Faster, Stronger: 2 Reports Detail the Evolving State of DDoS

DDoS attacks continue to plague the Internet, getting bigger and more dangerous. And now, the kids are involved.

DDoS attacks don't arrive on little cat feet; they announce their presence with the subtlety of a shovel to the face. Two just-released reports show that these loud DDoS attacks are getting louder, larger, and more numerous with the passage of time.

Verisign released its Q1 2018 DDoS Trends Report and Akamai published its State of the Internet/Security Summer 2018 report and neither was filled with good news if your job is defending a company or network against DDoS attacks. Together, the two reports paint a detailed and disturbing picture of the way DDoS attacks are evolving to be both more common and more dangerous.

Both reports noted the largest DDoS attack in the period, a 170 Gbps, 65 Mpps (million packets per second) operation notable for two things: its target and its originator.

The target was not a single organization or individual. It was, instead, an entire /24 subnet on the Internet. The size of the attack and the broad target meant that scores of websites and services around the world felt the effects.

Akamai's report notes that the threat actor was also notable, given that it was a 12-year-old who originated the attack mechanism on YouTube and coordinated the attack through Steam (an online game-playing platform) and IRC.

When adolescents can use YouTube to launch a globe-spanning attack, it marks the dawn of a new definition of "script kiddies.”

"I believe [kids are] growing up faster because they're exposed to it," says Lisa Beegle, senior manager of information security at Akamai, when asked about the age of this attack developer. "They also have a greater amount of time they can commit to it." She continues, "Was this kid as smart as an adult threat actor? No, but there was still a level of sophistication as to the target."

That target was hit with a reflection and massive amplification attach using memcached — an attack that saw a returned payload directed at the victim subnet that was 51,000 times the size of the spoofed request sent by the attacker.

While memcached has been in existence for 15 years, this attack seems to be the first major assault using the function in a malicious manner. Since it is a distributed memory object caching system, memcached becomes a very effective tool in the DDoS attacker's arsenal.

While new attacks are available, the Verisign report notes that UDP floods remain the favorite DDoS mechanism, accounting for roughly half of all attacks seen in the quarter. TCP attacks were the next most common, involved in approximately one-quarter of the attacks. In many cases, though, both types (and others) could be involved, since 58% of attacks involved multiple attack types in a single event.

The nature of attacks continues to evolve through the industry. "Last year, we were seeing smaller attacks that were coming in under the radar — they were causing an impact in 30 seconds, before we could see it and respond," Beegle says. Now, "I've seen attacks that were a week long, where [the attacker] changed the dynamics during the attack," she says. Moving forward, Beegle expects both types of attacks to continue. "I think there will always be the mix, depending on who the target is and who the attacker is," she says. "We've seen some nation-state action and that will always be different than the script kiddies."

Related content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7399
PUBLISHED: 2019-02-17
Amazon Fire OS before 5.3.6.4 allows a man-in-the-middle attack against HTTP requests for "Terms of Use" and Privacy pages.
CVE-2019-8392
PUBLISHED: 2019-02-17
An issue was discovered on D-Link DIR-823G devices with firmware 1.02B03. There is incorrect access control allowing remote attackers to enable Guest Wi-Fi via the SetWLanRadioSettings HNAP API to the web service provided by /bin/goahead.
CVE-2019-8394
PUBLISHED: 2019-02-17
Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.
CVE-2019-8395
PUBLISHED: 2019-02-17
An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request.
CVE-2019-8389
PUBLISHED: 2019-02-17
A file-read vulnerability was identified in the Wi-Fi transfer feature of Musicloud 1.6. By default, the application runs a transfer service on port 8080, accessible by everyone on the same Wi-Fi network. An attacker can send the POST parameters downfiles and cur-folder (with a crafted ../ payload) ...