Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/13/2020
04:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

DDoS Attacks Nearly Double Between Q4 2018 and Q4 2019

Peer-to-peer botnets, TCP reflection attacks, and increased activity on Sundays are three DDoS attack trends from last quarter.

The number of distributed denial-of-service (DDoS) attacks nearly doubled between the fourth quarter of 2018 and fourth quarter of 2019, researchers found in a new study of DDoS trends.

Last quarter brought an increase in the number of attacks relative to the third quarter of 2019, Kaspersky Labs researchers report, and attacks also lasted longer. This was expected, they said, as the fourth quarter is often a period of "retail warfare," driving cybercrime between October and December. The end of 2018 was "very calm" and set an expectation for a 2019 increase. However, researchers did not notice a spike in DDoS activity around Black Friday or Christmas.

DDoS attackers continued to leverage non-standard protocols for amplification attacks in the last quarter of 2019, researchers found. Adversaries have also adopted Apple Remote Management Service (ARMS), part of the Apple Remote Desktop (ARD) application for remote administration. This tactic was first spotted in June 2019; by October, attacks were widespread.

The fourth quarter of 2019 brought multiple high-profile DDoS attacks, including threats against financial organizations in South Africa, Singapore, and nations across Scandinavia. DDoS attacks aimed to cause disruption for the United Kingdom's Labour party and also targeted Minecraft servers at the Vatican. In a more recent case, just last week the FBI warned of a potential DDoS attack targeting a state-level voter registration and information site.

"This demonstrates that DDoS is still a common attack method among cybercriminals driven by ideological motives or seeking financial gain, and organizations should be prepared for such attacks and have a deep understanding of how they evolve," researchers said in a statement.

Other notable findings include a rise in "smart" DDoS attacks that focus on the application layer and are launched by skilled attackers. Researchers saw about 28% of DDoS attacks occurred on weekends. Sundays, in particular, proved popular, with 13% of attacks on this day of the week. While it may not seem significant, Sundays have historically been the quietest for DDoS activity and have been growing increasingly popular throughout 2019.

Researchers detected a growing number of peer-to-peer botnets in the past quarter; these operate independent of command-and-control servers and are more difficult to neutralize. One of these botnets, discovered by 360 Netlab researchers, is named Roboto and targets Linux servers. Another, Mozi, typically targets IoT devices and spreads using the DHT protocol.

Some adversaries continue to leverage proven tools and tactics in their DDoS attacks. In the fourth quarter of 2019, researchers saw a wave of TCP reflection attacks in which attackers send requests to legitimate services while appearing as the victim. The victim is overwhelmed with responses; as a result, the attackers' IP addresses don't show alerts.

While the duration of DDoS attacks may have slightly lengthened between the third and fourth quarters of 2019, Imperva data indicated a trend toward cheaper and shorter attacks overall. More than 51% of attacks lasted barely 15 minutes in 2019, and only 10% lasted between 15 to 30 minutes. Experts attribute the shift to more availability and use of DDoS-for-hire services, which let nearly anyone strike targets of their choosing with small attacks for as little as $5.

Researchers anticipate stability in DDoS attacks going forward. "Seems like the DDoS market have re-stabilized — we see no prerequisites for either a fall or further growth," they wrote in a blog post on their findings. "There have been no high-profile arrests or closures of specialized websites for quite some time, and the cryptocurrency market is not showing explosive growth."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Chaos & Order: The Keys to Quantum-Proof Encryption"

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8996
PUBLISHED: 2020-02-16
AnyShare Cloud 6.0.9 allows authenticated directory traversal to read files, as demonstrated by the interface/downloadwithpath/downloadfile/?filepath=/etc/passwd URI.
CVE-2020-8997
PUBLISHED: 2020-02-16
Abbott FreeStyle Libre 14-day before February 2020 and FreeStyle Libre 2 before February 2020 allow remote attackers to enable write access via a specific NFC unlock command.
CVE-2020-7050
PUBLISHED: 2020-02-15
Codologic Codoforum through 4.8.4 allows a DOM-based XSS. While creating a new topic as a normal user, it is possible to add a poll that is automatically loaded in the DOM once the thread/topic is opened. Because session cookies lack the HttpOnly flag, it is possible to steal authentication cookies ...
CVE-2019-13965
PUBLISHED: 2020-02-14
Because of a lack of sanitization around error messages, multiple Reflective XSS issues exist in iTop through 2.6.0 via the param_file parameter to webservices/export.php, webservices/cron.php, or env-production/itop-backup/backup.php. By default, any XSS sent to the administrator can be transformed...
CVE-2019-13966
PUBLISHED: 2020-02-14
In iTop through 2.6.0, an XSS payload can be delivered in certain fields (such as icon) of the XML file used to build the dashboard. This is similar to CVE-2015-6544 (which is only about the dashboard title).