Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/24/2019
06:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

DDoS-for-Hire Services Doubled in Q1

Impact of FBI's takedown of 15 'booter' domains last December appears to have been temporary.

New data published this week demonstrates the troubling resilience of cybercriminals against mounting domestic and international efforts to stop them.

Nexusguard analyzed data gathered from multiple public and proprietary sources on distributed denial-of-service attacks during the first quarter of this year. The security vendor discovered that so-called booter websites offering DDoS services for hire more than doubled that quarter compared to the fourth quarter of 2018 - despite a major law enforcement crackdown on such sites in December.

DNS amplification attacks—one of the most popular booter services—soared 40% quarter-over-quarter amid uninterrupted demand among cybercriminals. Many of the DNS amplification attacks—where DNS servers are tricked into generating responses that are much larger than the original queries—targeted ISPs and telecommunications firms in Brazil.

Nexusguard's analysis also showed a continued trend toward what it calls bit-and-piece DDoS attacks, where threat actors contaminate a large and diverse pool of IP address with almost negligible sizes of junk traffic that converge and block a targeted IP.

Such attacks can be hard to mitigate because of the negligible size of the DDoS traffic being routed through each one of the hundreds of IP addresses used in an attack, says Donny Chong, product director of enterprise security solutions at Nexusguard. 

"This form of attack hurts the service providers the most as it threatens to congest a service provider's pipe and causes widespread collateral damage for anyone on this pipe," he says.

In the first quarter of this year, such attacks became more automated and targeted, indicating that attackers have figured out how to launch them optimally, Nexusguard said in its report.

The growing popularity of bit-and-pieces attack may have also contributed to DDoS attack sizes overall—both average and peak—decreasing last quarter, Chong says. The maximum DDoS attack size that Nexusguard observed in Q1 of 2019 was 145.4GBps—a nearly 55% drop year over year. Average attack size at 0.823Gbps was almost 95% smaller than in Q1 of 2018.

Meanwhile, the trend toward the use of mobile devices and mobile botnets in DDoS attacks continued in the first quarter of 2019. Nexusguard's data shows that more than six-in-10 DDoS attacks in Q1 targeted at the application layer originated from mobile gateways. The average duration of DDoS attacks involving mobile botnets was around 531 minutes, compared to 187 minutes last year. About 40% of DDoS attacks involving mobile devices originated from Android phones, while about 21% were from iOS devices, Nexusguard found.

"The resurgence of booters, the optimization of bit-and pieces and mobile sources overtaking desktop computers, are significant findings," Chong says. But they are not unexpected. "If anything, it's more a confirmation of the trend and evolution that we're seeing."

Booter Services Back With a Vengeance

The resurgence of booter sites in particular is notable. Last December, the FBI—in collaboration with international counterparts—seized 15 Internet domains associated with some of the world's largest DDoS-for-hire-services.

Among the seized domains was Downthem, which either carried out or attempted to carry out, around 200,000 DDoS attacks between 2014 and 2018. Another seized domain—Quantum Stresser—had some 80,000 subscribers dating back to 2012 that in 2018 was used to launch over 50,000 actual or attempted attacks against targets around the world.

The FBI's pre-Christmas 2018 crackdown succeeded in slashing the overall number of DDoS attacks globally by 11%, and average attack size by as much as 85% percent in Q4 last year.

However, Nexusuard and others at that time warned about a rebound in booter services due to the strong and growing demand for them in the cyber underworld. The latest numbers appear to confirm that expectation. "The resurgence of DDoS-as-a-service and the growing botnets reinforce the evolving cyber threat of DDoS attacks for enterprises and communications service providers," Nexusguard said in the report Monday.

The same pattern has played out numerous times over the years. Law enforcement authorities in the US and other countries have taken down major underground marketplaces and dismantled organized groups engaged illicit activities online, only to see others swiftly replace them.

The recent takedown of the xDedic marketplace for stolen servers, for instance, and the similar shutdowns of AlphaBay and Hansa Market in 2017, represented huge wins for law enforcement. Yet the malware and other hacking tools and services once available on these sites now are sold on smaller, decentralized sites and other avenues.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32823
PUBLISHED: 2021-06-24
In the bindata RubyGem before version 2.4.10 there is a potential denial-of-service vulnerability. In affected versions it is very slow for certain classes in BinData to be created. For example BinData::Bit100000, BinData::Bit100001, BinData::Bit100002, BinData::Bit<N>. In combination with &lt...
CVE-2021-35041
PUBLISHED: 2021-06-24
The blockchain node in FISCO-BCOS V2.7.2 may have a bug when dealing with unformatted packet and lead to a crash. A malicious node can send a packet continuously. The packet is in an incorrect format and cannot be decoded by the node correctly. As a result, the node may consume the memory sustainabl...
CVE-2021-2322
PUBLISHED: 2021-06-23
Vulnerability in OpenGrok (component: Web App). Versions that are affected are 1.6.7 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok. Successful attacks of this vulnerability can result in takeover of OpenGrok. CVSS 3.1 ...
CVE-2021-20019
PUBLISHED: 2021-06-23
A vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted HTTP request, this can potentially lead to an internal sensitive data disclosure vulnerability.
CVE-2021-21809
PUBLISHED: 2021-06-23
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.