Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/24/2019
06:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

DDoS-for-Hire Services Doubled in Q1

Impact of FBI's takedown of 15 'booter' domains last December appears to have been temporary.

New data published this week demonstrates the troubling resilience of cybercriminals against mounting domestic and international efforts to stop them.

Nexusguard analyzed data gathered from multiple public and proprietary sources on distributed denial-of-service attacks during the first quarter of this year. The security vendor discovered that so-called booter websites offering DDoS services for hire more than doubled that quarter compared to the fourth quarter of 2018 - despite a major law enforcement crackdown on such sites in December.

DNS amplification attacks—one of the most popular booter services—soared 40% quarter-over-quarter amid uninterrupted demand among cybercriminals. Many of the DNS amplification attacks—where DNS servers are tricked into generating responses that are much larger than the original queries—targeted ISPs and telecommunications firms in Brazil.

Nexusguard's analysis also showed a continued trend toward what it calls bit-and-piece DDoS attacks, where threat actors contaminate a large and diverse pool of IP address with almost negligible sizes of junk traffic that converge and block a targeted IP.

Such attacks can be hard to mitigate because of the negligible size of the DDoS traffic being routed through each one of the hundreds of IP addresses used in an attack, says Donny Chong, product director of enterprise security solutions at Nexusguard. 

"This form of attack hurts the service providers the most as it threatens to congest a service provider's pipe and causes widespread collateral damage for anyone on this pipe," he says.

In the first quarter of this year, such attacks became more automated and targeted, indicating that attackers have figured out how to launch them optimally, Nexusguard said in its report.

The growing popularity of bit-and-pieces attack may have also contributed to DDoS attack sizes overall—both average and peak—decreasing last quarter, Chong says. The maximum DDoS attack size that Nexusguard observed in Q1 of 2019 was 145.4GBps—a nearly 55% drop year over year. Average attack size at 0.823Gbps was almost 95% smaller than in Q1 of 2018.

Meanwhile, the trend toward the use of mobile devices and mobile botnets in DDoS attacks continued in the first quarter of 2019. Nexusguard's data shows that more than six-in-10 DDoS attacks in Q1 targeted at the application layer originated from mobile gateways. The average duration of DDoS attacks involving mobile botnets was around 531 minutes, compared to 187 minutes last year. About 40% of DDoS attacks involving mobile devices originated from Android phones, while about 21% were from iOS devices, Nexusguard found.

"The resurgence of booters, the optimization of bit-and pieces and mobile sources overtaking desktop computers, are significant findings," Chong says. But they are not unexpected. "If anything, it's more a confirmation of the trend and evolution that we're seeing."

Booter Services Back With a Vengeance

The resurgence of booter sites in particular is notable. Last December, the FBI—in collaboration with international counterparts—seized 15 Internet domains associated with some of the world's largest DDoS-for-hire-services.

Among the seized domains was Downthem, which either carried out or attempted to carry out, around 200,000 DDoS attacks between 2014 and 2018. Another seized domain—Quantum Stresser—had some 80,000 subscribers dating back to 2012 that in 2018 was used to launch over 50,000 actual or attempted attacks against targets around the world.

The FBI's pre-Christmas 2018 crackdown succeeded in slashing the overall number of DDoS attacks globally by 11%, and average attack size by as much as 85% percent in Q4 last year.

However, Nexusuard and others at that time warned about a rebound in booter services due to the strong and growing demand for them in the cyber underworld. The latest numbers appear to confirm that expectation. "The resurgence of DDoS-as-a-service and the growing botnets reinforce the evolving cyber threat of DDoS attacks for enterprises and communications service providers," Nexusguard said in the report Monday.

The same pattern has played out numerous times over the years. Law enforcement authorities in the US and other countries have taken down major underground marketplaces and dismantled organized groups engaged illicit activities online, only to see others swiftly replace them.

The recent takedown of the xDedic marketplace for stolen servers, for instance, and the similar shutdowns of AlphaBay and Hansa Market in 2017, represented huge wins for law enforcement. Yet the malware and other hacking tools and services once available on these sites now are sold on smaller, decentralized sites and other avenues.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1114
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export and exporter_id action. and the filteruid parameter to list.php.
CVE-2012-1115
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php.
CVE-2012-1592
PUBLISHED: 2019-12-05
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.
CVE-2019-16770
PUBLISHED: 2019-12-05
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
CVE-2019-19609
PUBLISHED: 2019-12-05
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.