New data published this week demonstrates the troubling resilience of cybercriminals against mounting domestic and international efforts to stop them.
Nexusguard analyzed data gathered from multiple public and proprietary sources on distributed denial-of-service attacks during the first quarter of this year. The security vendor discovered that so-called booter websites offering DDoS services for hire more than doubled that quarter compared to the fourth quarter of 2018 - despite a major law enforcement crackdown on such sites in December.
DNS amplification attacks—one of the most popular booter services—soared 40% quarter-over-quarter amid uninterrupted demand among cybercriminals. Many of the DNS amplification attacks—where DNS servers are tricked into generating responses that are much larger than the original queries—targeted ISPs and telecommunications firms in Brazil.
Nexusguard's analysis also showed a continued trend toward what it calls bit-and-piece DDoS attacks, where threat actors contaminate a large and diverse pool of IP address with almost negligible sizes of junk traffic that converge and block a targeted IP.
Such attacks can be hard to mitigate because of the negligible size of the DDoS traffic being routed through each one of the hundreds of IP addresses used in an attack, says Donny Chong, product director of enterprise security solutions at Nexusguard.
"This form of attack hurts the service providers the most as it threatens to congest a service provider's pipe and causes widespread collateral damage for anyone on this pipe," he says.
In the first quarter of this year, such attacks became more automated and targeted, indicating that attackers have figured out how to launch them optimally, Nexusguard said in its report.
The growing popularity of bit-and-pieces attack may have also contributed to DDoS attack sizes overall—both average and peak—decreasing last quarter, Chong says. The maximum DDoS attack size that Nexusguard observed in Q1 of 2019 was 145.4GBps—a nearly 55% drop year over year. Average attack size at 0.823Gbps was almost 95% smaller than in Q1 of 2018.
Meanwhile, the trend toward the use of mobile devices and mobile botnets in DDoS attacks continued in the first quarter of 2019. Nexusguard's data shows that more than six-in-10 DDoS attacks in Q1 targeted at the application layer originated from mobile gateways. The average duration of DDoS attacks involving mobile botnets was around 531 minutes, compared to 187 minutes last year. About 40% of DDoS attacks involving mobile devices originated from Android phones, while about 21% were from iOS devices, Nexusguard found.
"The resurgence of booters, the optimization of bit-and pieces and mobile sources overtaking desktop computers, are significant findings," Chong says. But they are not unexpected. "If anything, it's more a confirmation of the trend and evolution that we're seeing."
Booter Services Back With a Vengeance
The resurgence of booter sites in particular is notable. Last December, the FBI—in collaboration with international counterparts—seized 15 Internet domains associated with some of the world's largest DDoS-for-hire-services.
Among the seized domains was Downthem, which either carried out or attempted to carry out, around 200,000 DDoS attacks between 2014 and 2018. Another seized domain—Quantum Stresser—had some 80,000 subscribers dating back to 2012 that in 2018 was used to launch over 50,000 actual or attempted attacks against targets around the world.
The FBI's pre-Christmas 2018 crackdown succeeded in slashing the overall number of DDoS attacks globally by 11%, and average attack size by as much as 85% percent in Q4 last year.
However, Nexusuard and others at that time warned about a rebound in booter services due to the strong and growing demand for them in the cyber underworld. The latest numbers appear to confirm that expectation. "The resurgence of DDoS-as-a-service and the growing botnets reinforce the evolving cyber threat of DDoS attacks for enterprises and communications service providers," Nexusguard said in the report Monday.
The same pattern has played out numerous times over the years. Law enforcement authorities in the US and other countries have taken down major underground marketplaces and dismantled organized groups engaged illicit activities online, only to see others swiftly replace them.
The recent takedown of the xDedic marketplace for stolen servers, for instance, and the similar shutdowns of AlphaBay and Hansa Market in 2017, represented huge wins for law enforcement. Yet the malware and other hacking tools and services once available on these sites now are sold on smaller, decentralized sites and other avenues.
- Inside the FBI's Fight Against Cybercrime
- DDoS Attack Size Drops 85% in Q4 2018
- Feds Make New Arrest in Darkode Case
- 7 Recent Wins Against Cybercrime