
Perimeter

6/24/2019
06:45 PM
DDoS-for-Hire Services Doubled in Q1

Impact of FBI's takedown of 15 'booter' domains last December appears to have been temporary.

New data published this week demonstrates the troubling resilience of cybercriminals against mounting domestic and international efforts to stop them.

Nexusguard analyzed data gathered from multiple public and proprietary sources on distributed denial-of-service attacks during the first quarter of this year. The security vendor discovered that so-called booter websites offering DDoS services for hire more than doubled that quarter compared to the fourth quarter of 2018 - despite a major law enforcement crackdown on such sites in December.

DNS amplification attacks—one of the most popular booter services—soared 40% quarter-over-quarter amid uninterrupted demand among cybercriminals. Many of the DNS amplification attacks—where DNS servers are tricked into generating responses that are much larger than the original queries—targeted ISPs and telecommunications firms in Brazil.

Nexusguard's analysis also showed a continued trend toward what it calls bit-and-piece DDoS attacks, where threat actors contaminate a large and diverse pool of IP addresses with negligibly small amounts of junk traffic that converge on and block a targeted IP.

Such attacks can be hard to mitigate because of the negligible size of the DDoS traffic being routed through each one of the hundreds of IP addresses used in an attack, says Donny Chong, product director of enterprise security solutions at Nexusguard. 
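Both attack patterns described above, DNS amplification and bit-and-piece, are missed by checks keyed on a single source IP and show up only when flow records are aggregated per destination. The following Python is an added example illustrating that defensive view; it is not code from the article or from Nexusguard. The `Flow` record, the IP addresses (taken from documentation ranges), the thresholds and the sample data are all constructed assumptions.

```python
"""Added example (not from the article or Nexusguard): per-destination aggregation
of flow records to surface bit-and-piece convergence and DNS amplification.
All sample data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record; fields mirror the subset a NetFlow/IPFIX export carries."""
    src: str
    dst: str
    src_port: int
    dst_port: int
    nbytes: int


def bit_and_piece_targets(flows, min_sources=100, max_bytes_per_source=1500,
                          min_total_bytes=100_000):
    """Return {dst: (distinct_small_sources, total_bytes)} for destinations where
    many sources each send a trivial volume but the aggregate is large.  Each
    source stays below max_bytes_per_source, so a per-source rate limiter never
    fires; only the per-destination sum reveals the convergence."""
    per_dst_src = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_dst_src[f.dst][f.src] += f.nbytes
    hits = {}
    for dst, srcs in per_dst_src.items():
        small = {s: b for s, b in srcs.items() if b <= max_bytes_per_source}
        total = sum(small.values())
        if len(small) >= min_sources and total >= min_total_bytes:
            hits[dst] = (len(small), total)
    return hits


def dns_amplification_targets(flows, min_ratio=10.0, min_response_bytes=50_000):
    """Return {host: amplification_ratio} for hosts receiving far more DNS
    response bytes (from UDP/53) than the DNS query bytes they sent (to UDP/53).
    A spoofed victim sent no queries at all, so responses with zero matching
    query bytes yield ratio float('inf')."""
    resp = defaultdict(int)
    query = defaultdict(int)
    for f in flows:
        if f.src_port == 53:
            resp[f.dst] += f.nbytes
        if f.dst_port == 53:
            query[f.src] += f.nbytes
    hits = {}
    for host, rbytes in resp.items():
        if rbytes < min_response_bytes:
            continue
        q = query.get(host, 0)
        ratio = rbytes / q if q else float("inf")
        if ratio >= min_ratio:
            hits[host] = ratio
    return hits


def sample_flows():
    """Constructed records: 200 sources each send 1000 bytes to 203.0.113.10
    (bit-and-piece); 20 resolvers each send a 4000-byte DNS response to
    203.0.113.20, which sent no query (amplification); one benign client
    203.0.113.30 queries its resolver and gets a normal-sized answer."""
    flows = []
    for i in range(200):
        flows.append(Flow(f"198.51.100.{i + 1}", "203.0.113.10", 40000 + i, 80, 1000))
    for j in range(20):
        flows.append(Flow(f"192.0.2.{j + 1}", "203.0.113.20", 53, 51234, 4000))
    flows.append(Flow("203.0.113.30", "192.0.2.1", 50001, 53, 70))
    flows.append(Flow("192.0.2.1", "203.0.113.30", 53, 50001, 300))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("bit-and-piece:", bit_and_piece_targets(flows))
    print("dns amplification:", dns_amplification_targets(flows))
```

The thresholds are deliberately conservative placeholders; in practice they are tuned per link capacity and per upstream provider, and the per-destination sums are what get exported to the scrubbing or blackholing decision rather than any single source address.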

"This form of attack hurts the service providers the most as it threatens to congest a service provider's pipe and causes widespread collateral damage for anyone on this pipe," he says.

In the first quarter of this year, such attacks became more automated and targeted, indicating that attackers have figured out how to launch them optimally, Nexusguard said in its report.

The growing popularity of bit-and-piece attacks may have also contributed to DDoS attack sizes overall—both average and peak—decreasing last quarter, Chong says. The maximum DDoS attack size that Nexusguard observed in Q1 of 2019 was 145.4Gbps—a nearly 55% drop year over year. Average attack size at 0.823Gbps was almost 95% smaller than in Q1 of 2018.

Meanwhile, the trend toward the use of mobile devices and mobile botnets in DDoS attacks continued in the first quarter of 2019. Nexusguard's data shows that more than six in 10 application-layer DDoS attacks in Q1 originated from mobile gateways. The average duration of DDoS attacks involving mobile botnets was around 531 minutes, compared to 187 minutes last year. About 40% of DDoS attacks involving mobile devices originated from Android phones, while about 21% were from iOS devices, Nexusguard found.

"The resurgence of booters, the optimization of bit-and-piece and mobile sources overtaking desktop computers are significant findings," Chong says. But they are not unexpected. "If anything, it's more a confirmation of the trend and evolution that we're seeing."

Booter Services Back With a Vengeance

The resurgence of booter sites in particular is notable. Last December, the FBI—in collaboration with international counterparts—seized 15 Internet domains associated with some of the world's largest DDoS-for-hire-services.

Among the seized domains was Downthem, which either carried out or attempted to carry out around 200,000 DDoS attacks between 2014 and 2018. Another seized domain—Quantum Stresser—had some 80,000 subscribers dating back to 2012 and in 2018 was used to launch over 50,000 actual or attempted attacks against targets around the world.

The FBI's pre-Christmas 2018 crackdown succeeded in slashing the overall number of DDoS attacks globally by 11%, and average attack size by as much as 85%, in Q4 last year.

However, Nexusguard and others at that time warned about a rebound in booter services due to the strong and growing demand for them in the cyber underworld. The latest numbers appear to confirm that expectation. "The resurgence of DDoS-as-a-service and the growing botnets reinforce the evolving cyber threat of DDoS attacks for enterprises and communications service providers," Nexusguard said in the report Monday.

The same pattern has played out numerous times over the years. Law enforcement authorities in the US and other countries have taken down major underground marketplaces and dismantled organized groups engaged in illicit activities online, only to see others swiftly replace them.

The recent takedown of the xDedic marketplace for stolen servers, for instance, and the similar shutdowns of AlphaBay and Hansa Market in 2017, represented huge wins for law enforcement. Yet the malware and other hacking tools and services once available on these sites now are sold on smaller, decentralized sites and other avenues.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
