BLACK HAT USA – Las Vegas – The stereotype of the seedy cybercriminal from Russia or Eastern Europe may no longer be valid.
FBI agent Elliott Peterson told Black Hat attendees this morning that when it comes to the most recent DDoS attacks, the vast majority come from North America, Western Europe and Israel. And many of the attackers are 16 or 17 years old, or in their mid-20s.
“Many use their nicknames on Skype or Twitter and they are heavy users of social media,” said Peterson.
Peterson and Andre Correa, cofounder of Malware Patrol, shared much of their recent research on DDoS attacks at a briefing session here this morning.
They focused much of their research on amplification and reflection attacks, booters/stressers and IoT and Linux-based botnets.
Peterson said the amplification and reflection attacks get a good rate of return: a hacker can send one byte and get 200 in return. Threat actors now sell amplification lists (lists of abusable reflectors) that criminals can easily buy over commercial web interfaces.
The booters and stressers are inexpensive, costing roughly $5 to $20 a month, and require very little technical knowledge for the criminal to deploy. On the IoT front, botnet operators scan hosts for default credentials or vulnerabilities; once a host is compromised, the bot is automatically downloaded and executed on it.
Over the past several months, Peterson and Correa have compiled more than 8 million records. They said that last month the leading DDoS type was SSDP reflection via port 1900.
“This was kind of interesting since most people may think that NTPs were the leading cause of DDoSs, but they scored much lower because many NTP servers have been patched of late,” said Correa.
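One way a network operator can see the reflection ratio the speakers describe in their own flow data, and spot which of their hosts are being abused as SSDP or NTP amplifiers, is to compare bytes arriving at a reflector port with bytes leaving it. This is an added example, not code from the talk; the flow records and the 192.0.2.0/24 and 198.51.100.5 addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not from the talk). Fields:
# (proto, src_ip, src_port, dst_ip, dst_port, bytes)
# Our network is 192.0.2.0/24; 198.51.100.5 is the spoofed source
# (the real victim) in the reflected requests.
SAMPLE_FLOWS = [
    ("udp", "198.51.100.5", 40001, "192.0.2.10", 1900, 90),    # spoofed SSDP M-SEARCH
    ("udp", "192.0.2.10", 1900, "198.51.100.5", 40001, 3100),  # multi-packet SSDP reply
    ("udp", "198.51.100.5", 40002, "192.0.2.11", 1900, 90),
    ("udp", "192.0.2.11", 1900, "198.51.100.5", 40002, 2900),
    ("udp", "198.51.100.5", 40003, "192.0.2.20", 123, 48),     # NTP request
    ("udp", "192.0.2.20", 123, "198.51.100.5", 40003, 48),     # patched NTP: same-size reply
    ("tcp", "192.0.2.30", 443, "198.51.100.5", 50000, 5000),   # unrelated TCP traffic
]

# UDP services commonly abused for reflection; the page names SSDP and NTP.
REFLECTOR_PORTS = {1900: "SSDP", 123: "NTP", 53: "DNS", 19: "CHARGEN"}


def amplification_by_port(flows, local_prefix="192.0.2."):
    """Per reflector port: bytes requested in, bytes returned out, and out/in ratio."""
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto != "udp":
            continue
        if dst.startswith(local_prefix) and dport in REFLECTOR_PORTS:
            bytes_in[dport] += nbytes        # request hitting one of our services
        elif src.startswith(local_prefix) and sport in REFLECTOR_PORTS:
            bytes_out[sport] += nbytes       # reply leaving that service
    result = {}
    for port in set(bytes_in) | set(bytes_out):
        i, o = bytes_in[port], bytes_out[port]
        ratio = o / i if i else float("inf")  # replies with no matching requests are suspicious too
        result[port] = (REFLECTOR_PORTS[port], i, o, ratio)
    return result


def abused_reflectors(flows, threshold=10.0):
    """Ports whose out/in byte ratio indicates our hosts are serving as amplifiers."""
    report = amplification_by_port(flows)
    return sorted(port for port, (_, _, _, ratio) in report.items() if ratio >= threshold)


if __name__ == "__main__":
    for port, (name, i, o, ratio) in sorted(amplification_by_port(SAMPLE_FLOWS).items()):
        print(f"{name:8} port {port:5}: {i} B in, {o} B out, ratio {ratio:.1f}x")
    print("abused reflector ports:", abused_reflectors(SAMPLE_FLOWS))
```

On the constructed data SSDP shows roughly 33x amplification while the patched NTP server returns as many bytes as it receives, mirroring the talk's observation that patched NTP scored much lower.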
Peterson said some of the criminals are just total scam artists.
“They just take your money and don’t do the attack,” he said. “On the other hand, there are also some sophisticated players offering turnkey DDoS services. They provide attack scripts, amp lists and good customer service, sometimes up to six people on hand.”
Other findings: most attacks are in the 1-5 Gbps range, with the highest DDoS observed at 30 Gbps.