
Attacks/Breaches

4/26/2018 12:50 PM
Dark Reading
Products and Releases

Kaspersky Lab DDoS Intelligence Report: Long-lasting Attacks, Amplification Attacks, Old Botnets Make a Comeback

Woburn, MA – April 26, 2018 – Today, Kaspersky Lab is announcing the availability of its latest Q1 2018 DDoS Intelligence Report, based on data from Kaspersky DDoS Intelligence*, which reveals an increase in activity by both old and new botnets, growth in the popularity of amplification DDoS attacks and the return of long-lasting (multi-day) DDoS attacks.

After a short respite, long-lasting attacks returned in the first quarter of 2018, with the longest DDoS attack lasting 297 hours (more than 12 days). The last time we saw a longer attack than this was at the end of 2015.

Overall, in the first quarter of 2018, DDoS botnets attacked online resources in 79 countries. The countries experiencing the largest number of attacks were once again China, the U.S. and South Korea, which all continue to lead in terms of the number of servers available to attackers as well as the number of sites and services hosted on them. Meanwhile, Hong Kong and Japan replaced the Netherlands and Vietnam among the top 10 most targeted countries during Q1.

The report also shows significant changes to the top 10 countries hosting the most command-and-control (C&C) servers, with Italy, Hong Kong, Germany and the United Kingdom replacing Canada, Turkey, Lithuania and Denmark. These changes are most likely due to a dramatic increase in the number of active C&C servers of the Darkai (a clone of Mirai) and AESDDoS bots, as well as the old Xor and Yoyo botnets resuming their activities. Although most of these botnets run on Linux, the proportion of Linux-based botnets fell slightly in the first quarter of 2018 (66%) compared to the last quarter of 2017 (71%).

The end of the reporting period was marked by Memcached floods that were unprecedented in terms of their power, in some cases exceeding 1TB. However, Kaspersky Lab experts expect the technique's popularity to be short-lived, because Memcached flood attacks affect not only their targets but also the companies unwittingly involved in carrying them out.

In fact, in February Kaspersky Lab was contacted by a company stating that its communication channels were overloaded, leading it to suspect it was being subjected to a DDoS attack. It turned out that one of the company’s servers, running the vulnerable Memcached service, was being used by criminals to attack another service and generated such large volumes of outgoing traffic that the company’s own web resources crashed. Such attacks are doomed to be short-lived because the unwitting accomplices notice the higher load and quickly patch the vulnerabilities to avoid losses.

Overall, the popularity of amplification attacks, which had previously been on the decline, gained momentum in the first quarter of 2018. For example, Kaspersky Lab registered a type of attack that is rare despite its effectiveness: one in which the LDAP service was used as an amplifier. Along with Memcached, NTP and DNS, this service has one of the biggest amplification rates. However, unlike Memcached, LDAP junk traffic is barely capable of clogging the outgoing channel completely, making it more difficult for the owner of a vulnerable server to identify and remedy the situation. Despite the relatively small number of available LDAP servers, it is possible that this type of attack will become a hit on the Darknet in the coming months.
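The two cases above (a Memcached reflector that saturated its owner's uplink, and LDAP reflection that does not) share one tell from the server owner's side: outbound UDP bytes on a service port vastly exceed the inbound bytes that triggered them. The check below is an added example, not Kaspersky Lab's tooling; it runs over constructed NetFlow-style records for an assumed server address and flags services by amplification ratio rather than raw volume, which is what lets the low-volume LDAP case surface alongside the Memcached one.

```python
from collections import defaultdict

# Constructed sample of flow records, as a border router would export them
# (NetFlow/sFlow style), seen from our own server (assumed 198.51.100.10).
# Fields: direction relative to our server, protocol, local service port,
# remote IP, bytes, packets. For reflection traffic the "remote" address is
# the spoofed source, i.e. the victim that receives our responses.
FLOWS = [
    # Memcached on UDP/11211: tiny inbound requests, huge outbound responses
    ("in",  "udp", 11211, "203.0.113.7", 60,     1),
    ("out", "udp", 11211, "203.0.113.7", 650000, 450),
    ("in",  "udp", 11211, "203.0.113.8", 60,     1),
    ("out", "udp", 11211, "203.0.113.8", 650000, 450),
    # LDAP on UDP/389 (CLDAP): high ratio but low volume, easy to miss by eye
    ("in",  "udp", 389,   "203.0.113.9", 52,     1),
    ("out", "udp", 389,   "203.0.113.9", 3100,   3),
    # Normal DNS traffic: roughly balanced
    ("in",  "udp", 53,    "192.0.2.21",  70,     1),
    ("out", "udp", 53,    "192.0.2.21",  110,    1),
    # Ordinary HTTPS over TCP: ignored, reflection here is UDP-based
    ("in",  "tcp", 443,   "192.0.2.22",  9000,   12),
    ("out", "tcp", 443,   "192.0.2.22",  4000,   8),
]

def amplification_report(flows, min_ratio=10.0):
    """Return {port: (ratio, out_bytes, remote_count)} for UDP services whose
    outbound bytes exceed inbound bytes by at least min_ratio.
    remote_count is how many distinct addresses received the responses; a
    few addresses absorbing a large response volume is typical of reflection."""
    in_bytes = defaultdict(int)
    out_bytes = defaultdict(int)
    remotes = defaultdict(set)
    for direction, proto, port, remote, nbytes, _pkts in flows:
        if proto != "udp":
            continue
        (in_bytes if direction == "in" else out_bytes)[port] += nbytes
        remotes[port].add(remote)
    findings = {}
    for port in out_bytes:
        ratio = out_bytes[port] / max(in_bytes[port], 1)  # avoid div by zero
        if ratio >= min_ratio:
            findings[port] = (round(ratio, 1), out_bytes[port], len(remotes[port]))
    return findings

if __name__ == "__main__":
    for port, (ratio, out_b, n) in sorted(amplification_report(FLOWS).items()):
        print(f"udp/{port}: {ratio}x amplification, {out_b} bytes out to {n} address(es)")
```

Both 11211 and 389 are flagged while 53 is not; in a real deployment the same ratio check would run per export interval against the host's actual flow records.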

“Exploiting vulnerabilities is a favorite tool for cybercriminals whose business is the creation of DDoS botnets,” said Alexey Kiselev, project manager on the Kaspersky DDoS Protection team. “However, as the first few months of the year have shown, it’s not only the victims of DDoS attacks that are affected, but also those companies with infrastructure that includes vulnerable objects. The events of the first quarter reaffirm a simple truth: the platform companies use to implement multilayered online security must include regular patching of vulnerabilities and permanent protection against DDoS attacks.”

*The DDoS Intelligence system (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data. It is important to note that DDoS Intelligence statistics are limited to those botnets that were detected and analyzed by Kaspersky Lab.
