Emerging Trends in Global DDoS Attacks

By Prolexic’s Security Engineering & Research Team

The data in the Prolexic Global DDoS Attack Report for Q2 2014 shows that distributed denial of service (DDoS) attack activity and attack sizes remained elevated throughout the first half of 2014. Compared with Q2 2013, DDoS attacks in Q2 2014 were shorter in duration but stronger in severity: average attack bandwidth was up 72 percent and peak bandwidth was up 241 percent, while average attack duration dropped from 38 hours in Q2 2013 to 17 hours in Q2 2014. A shorter attack is still bad for business; 17 hours of unmitigated downtime would be too long to tolerate in almost any industry.

Malicious actors generated such large attack sizes by employing reflection and amplification techniques and by compromising vulnerable but powerful servers rather than consumer PCs. When building server-side botnets, attackers targeted Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) vendors running software with known vulnerabilities. Compromising web-based applications and platforms brought a further advantage: attack traffic launched from cloud-hosted servers inherits the cloud vendor's IP reputation, so it is harder to block on source address alone.

Strengthened “Brobot” Poised to Return?

The financial services industry was targeted in 10 percent of all attacks in Q2. Fortunately, the financial sector did not experience many major DDoS attack campaigns in Q2. While the use of server-based botnets is on the rise, the itsoknoproblembro (Brobot) botnet, also built from infected servers, lurks in the shadows. Attacks in Q2 indicate that the Brobot botnet is still in place from its earlier use in the Operation Ababil attacks against financial institutions in 2011-2013. Attacks claimed by the Electronic Cyber Army (ECA) in Q2 appeared to use this same botnet with similar payloads, but with significantly more bandwidth and processing power than the earlier Operation Ababil attacks: we have seen a 190 Gbps peak for ECA attacks in 2014 versus a 148 Gbps peak for Ababil attacks in 2011-2013.

Infrastructure Attacks Increase 46 Percent

Compared to Q2 last year, there was a 46 percent increase in infrastructure attacks. This was the dominant attack vector by a wider margin than ever. Application-layer attacks comprised only 11 percent of all DDoS attacks mitigated by Prolexic (now part of Akamai) in Q2 2014, significantly down from 25 percent in Q2 2013.

Reflection and amplification represented more than 15 percent of all infrastructure attacks in Q2. These attacks abuse UDP-based services that answer a small request with a much larger response: the attacker spoofs the victim's address as the source of the request, so every reflector sends its oversized reply to the victim, and servers left open to the whole Internet do the amplifying for free. Network Time Protocol (NTP), Simple Network Management Protocol (SNMP), Domain Name System (DNS) protocol, and Character Generator (CHARGEN) are among the most frequently abused protocols.
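The following is an added example, not code from the report or from Prolexic/Akamai, showing how a practitioner can recognize the reflection pattern described above in one-directional sampled flow records (NetFlow/sFlow-style: source IP and port, destination IP and port, packets, bytes). The discriminating signal is fan-in: many distinct reflectors, each sending large packets from a well-known UDP service port to an ephemeral port on a single destination. The flow records, the thresholds and the RFC 5737 documentation addresses are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP service ports whose responses are commonly reflected (see the text above).
REFLECTED_SERVICES = {19: "CHARGEN", 53: "DNS", 123: "NTP", 161: "SNMP"}


@dataclass(frozen=True)
class Flow:
    """One sampled, unidirectional flow record (constructed format)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    octets: int


def is_reflected_response(flow: Flow) -> bool:
    """A reflected response travels FROM a service port TO a high (ephemeral)
    port. The victim never sent the request; the attacker spoofed its address,
    so the reply shows up unsolicited at the victim."""
    return flow.src_port in REFLECTED_SERVICES and flow.dst_port >= 1024


def detect_reflection(flows, min_reflectors=10, min_avg_bytes=400):
    """Group candidate responses by (victim, service) and flag groups fed by
    many distinct reflectors with large average packet size. A victim's own
    legitimate DNS or NTP replies come from one or two servers with small
    packets, so they stay below both thresholds."""
    groups = defaultdict(lambda: {"reflectors": set(), "packets": 0, "octets": 0})
    for f in flows:
        if not is_reflected_response(f):
            continue
        g = groups[(f.dst_ip, REFLECTED_SERVICES[f.src_port])]
        g["reflectors"].add(f.src_ip)
        g["packets"] += f.packets
        g["octets"] += f.octets

    alerts = {}
    for key, g in groups.items():
        avg = g["octets"] / g["packets"]
        if len(g["reflectors"]) >= min_reflectors and avg >= min_avg_bytes:
            alerts[key] = {
                "reflectors": len(g["reflectors"]),
                "octets": g["octets"],
                "avg_packet_bytes": round(avg, 1),
            }
    return alerts


def build_sample_flows():
    """Constructed sample: 40 NTP reflectors sending 468-byte responses to one
    victim, plus the victim's own legitimate DNS and SNMP traffic as noise."""
    victim = "203.0.113.10"
    flows = [
        Flow(f"198.51.100.{i + 1}", 123, victim, 40000 + i, packets=50, octets=50 * 468)
        for i in range(40)
    ]
    # The victim's recursive resolver answering ordinary lookups: one source, small packets.
    flows.append(Flow("192.0.2.53", 53, victim, 51234, packets=20, octets=20 * 120))
    # A single device returning a large SNMP walk: large packets but only one source.
    flows.append(Flow("192.0.2.7", 161, victim, 52000, packets=4, octets=4 * 900))
    return flows


if __name__ == "__main__":
    for (victim, service), info in detect_reflection(build_sample_flows()).items():
        print(f"{service} reflection toward {victim}: {info['reflectors']} reflectors, "
              f"{info['octets']} bytes, {info['avg_packet_bytes']} bytes/packet")
```

Both thresholds are deliberately conservative defaults; in production they would be set from a baseline of normal fan-in per service. With bidirectional flow data the check can be tightened further by requiring that no matching outbound request from the victim precedes each response.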

Powerful Application-Layer Attacks

Although application-layer attacks represented only 11 percent of all attacks, many of them were extremely powerful, making up in strength for what they lacked in number. These attacks are often used in concert with infrastructure attacks, for example pairing a layer 3 or 4 volumetric attack with a layer 7 application attack so that the application flood continues to exhaust the web tier even after the volumetric traffic is filtered. Sixty-nine percent of all observed application attacks in Q2 targeted the HTTP GET method.
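As an added example (not part of the report, and not Prolexic/Akamai code), the block below runs a simple HTTP GET flood detector over constructed web server access log lines. It flags both a single client exceeding a per-client rate and the harder case the text implies for server-side botnets: many hosts that each stay under the per-client limit while their combined GET rate overwhelms the site. The log format, time windows, thresholds and IP addresses are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Combined-format access log line, e.g.
#   203.0.113.5 - - [15/Jun/2014:12:00:03 +0000] "GET /search?q=x HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access log line; return None for malformed or truncated lines
    rather than aborting the whole analysis on bad input."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_get_flood(lines, window_seconds=10, per_ip_limit=50, site_limit=200):
    """Count GET requests per (time window, client) and per window.
    Returns (alerts, get_share): alerts for clients over per_ip_limit and for
    windows whose aggregate GET count exceeds site_limit; get_share is the
    fraction of all parsed requests that used GET."""
    per_ip = Counter()      # (window, ip) -> GET count
    per_window = Counter()  # window -> GET count
    methods = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        methods[rec["method"]] += 1
        if rec["method"] != "GET":
            continue
        w = int(rec["ts"].timestamp()) // window_seconds
        per_ip[(w, rec["ip"])] += 1
        per_window[w] += 1

    alerts = []
    for (w, ip), n in per_ip.items():
        if n > per_ip_limit:
            alerts.append({"kind": "per_ip", "window": w, "ip": ip, "gets": n})
    for w, n in per_window.items():
        if n > site_limit:
            distinct = len({ip for (ww, ip) in per_ip if ww == w})
            alerts.append({"kind": "aggregate", "window": w, "distinct_ips": distinct, "gets": n})
    total = sum(methods.values())
    get_share = round(methods["GET"] / total, 2) if total else 0.0
    return alerts, get_share


def build_sample_log():
    """Constructed log: light normal traffic, one aggressive client in the
    first 10-second window, and 30 bots at 8 GETs each in the second window."""
    base = datetime(2014, 6, 15, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, method="GET", path="/", status=200, size=512):
        ts = (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size}'

    lines = []
    for i in range(5):  # ordinary users: a page view and a login
        lines.append(line(f"192.0.2.{i + 1}", i, "GET", "/index.html"))
        lines.append(line(f"192.0.2.{i + 1}", i + 1, "POST", "/login", 302, 0))
    for i in range(80):  # single noisy client, seconds 0-9
        lines.append(line("198.51.100.9", i % 10, "GET", "/search?q=x"))
    for b in range(30):  # distributed flood, seconds 10-19, each bot under the per-IP limit
        for i in range(8):
            lines.append(line(f"203.0.113.{b + 1}", 10 + i, "GET", "/search?q=x"))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    found, share = detect_get_flood(build_sample_log())
    print(f"GET share of all requests: {share:.0%}")
    for a in found:
        print(a)
```

The aggregate check is what catches a server-side botnet of modest per-host rates; the per-client check alone would have passed the second window as normal. Real deployments replace the fixed limits with a per-site baseline and add the request path to the key, since floods usually hammer one expensive URL.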

At a glance: Q2 2014 Compared to Q2 2013

Attack Mitigation

Mitigation starts with monitoring and updating vulnerable server installations: the misconfigured NTP, SNMP, DNS and CHARGEN services that are answering spoofed requests from the whole Internet, and the unpatched web platforms that are being recruited into server-side botnets. Only through collaboration among all participants to develop, research, discover and fix such vulnerabilities will it be possible to prevent future attack campaigns. Solving these problems removes capacity from attackers and prevents attacks that could otherwise cause significant disruption to the financial services industry, other businesses, and governmental organizations.

This article employs data from the “Prolexic Quarterly Global DDoS Attack Report Q2 2014”, available at: www.stateoftheinternet.com/resources-web-security-2014-q2-global-ddos-attack-report.html

Through digital forensics and post-event analysis, the Prolexic Security Engineering & Research Team (PLXsert) provides a global view of security threats, vulnerabilities and trends. PLXsert, now part of Akamai, helps organizations identify and mitigate security threats and vulnerabilities.

More than 350 financial institutions across the globe trust Akamai, the leading provider of cloud services for delivering, optimizing and securing web and mobile content and business applications. The Akamai Intelligent Platform™ provides unmatched reliability, security, and visibility supported by world-class expertise. Akamai removes the complexities of connecting the increasingly mobile world, and enables enterprises to securely leverage the cloud. www.akamai.com


Copyright © 2017, WSTA®, All Rights Reserved.