Attacks/Breaches

7/3/2018
04:40 PM
50%
50%

Bigger, Faster, Stronger: 2 Reports Detail the Evolving State of DDoS

DDoS attacks continue to plague the Internet, getting bigger and more dangerous. And now, the kids are involved.

DDoS attacks don't arrive on little cat feet; they announce their presence with the subtlety of a shovel to the face. Two just-released reports show that these loud DDoS attacks are getting louder, larger, and more numerous with the passage of time.

Verisign released its Q1 2018 DDoS Trends Report and Akamai published its State of the Internet/Security Summer 2018 report and neither was filled with good news if your job is defending a company or network against DDoS attacks. Together, the two reports paint a detailed and disturbing picture of the way DDoS attacks are evolving to be both more common and more dangerous.

Both reports noted the largest DDoS attack in the period, a 170 Gbps, 65 Mpps (million packets per second) operation notable for two things: its target and its originator.

The target was not a single organization or individual. It was, instead, an entire /24 subnet on the Internet. The size of the attack and the broad target meant that scores of websites and services around the world felt the effects.

Akamai's report notes that the threat actor was also notable, given that it was a 12-year-old who originated the attack mechanism on YouTube and coordinated the attack through Steam (an online game-playing platform) and IRC.

When adolescents can use YouTube to launch a globe-spanning attack, it marks the dawn of a new definition of "script kiddies.”

"I believe [kids are] growing up faster because they're exposed to it," says Lisa Beegle, senior manager of information security at Akamai, when asked about the age of this attack developer. "They also have a greater amount of time they can commit to it." She continues, "Was this kid as smart as an adult threat actor? No, but there was still a level of sophistication as to the target."

That target was hit with a reflection and massive amplification attach using memcached — an attack that saw a returned payload directed at the victim subnet that was 51,000 times the size of the spoofed request sent by the attacker.

While memcached has been in existence for 15 years, this attack seems to be the first major assault using the function in a malicious manner. Since it is a distributed memory object caching system, memcached becomes a very effective tool in the DDoS attacker's arsenal.

While new attacks are available, the Verisign report notes that UDP floods remain the favorite DDoS mechanism, accounting for roughly half of all attacks seen in the quarter. TCP attacks were the next most common, involved in approximately one-quarter of the attacks. In many cases, though, both types (and others) could be involved, since 58% of attacks involved multiple attack types in a single event.

The nature of attacks continues to evolve through the industry. "Last year, we were seeing smaller attacks that were coming in under the radar — they were causing an impact in 30 seconds, before we could see it and respond," Beegle says. Now, "I've seen attacks that were a week long, where [the attacker] changed the dynamics during the attack," she says. Moving forward, Beegle expects both types of attacks to continue. "I think there will always be the mix, depending on who the target is and who the attacker is," she says. "We've seen some nation-state action and that will always be different than the script kiddies."

Related content:

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.