There has been an increase in activity from old and new botnets, a growth in the popularity of amplification distributed denial of service (DDoS) attacks and the return of long-lasting (multi-day) DDoS attacks, a new report found.
After a short respite, long-lasting attacks were back in the first quarter of 2018: the longest DDoS attack observed lasted 297 hours (more than 12 days), according to Kaspersky Lab’s Q1 2018 DDoS Intelligence Report. The last time a longer attack was recorded was at the end of 2015.
Overall, in the first quarter of 2018, DDoS botnets attacked online resources in 79 countries. The countries experiencing the largest number of attacks were once again China, the U.S. and South Korea, which all continue to lead in terms of the number of servers available to attackers as well as the number of sites and services hosted on them. Meanwhile, Hong Kong and Japan replaced the Netherlands and Vietnam among the top 10 most targeted countries during Q1.
The report also showed changes to the top 10 countries hosting the most command & control (C&C) servers with Italy, Hong Kong, Germany and the United Kingdom replacing Canada, Turkey, Lithuania and Denmark. These updates are most likely due to the number of active C&C servers of the Darkai (a clone of Mirai) and AESDDoS bots increasing dramatically, as well as the old Xor and Yoyo botnets resuming their activities. Although most of these botnets use Linux, the proportion of Linux-based botnets fell slightly in the first quarter of 2018 (66 percent) compared to the last quarter of 2017 (71 percent).
The end of the reporting period was marked by the Memcached floods, which were unprecedented in terms of their power and in some cases exceeded 1 Tbps.
Overall, the popularity of amplification attacks, which had previously been on the decline, gained momentum in the first quarter of 2018. For example, Kaspersky Lab registered a type of attack that remains rare despite its effectiveness, in which an LDAP service was used as an amplifier. Along with Memcached, NTP and DNS, this service has one of the biggest amplification rates. However, unlike Memcached, LDAP junk traffic is barely capable of saturating the reflecting server’s outbound link, so the owner of the vulnerable server is less likely to notice the abuse and remedy the situation.
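As an added illustration, not part of the Kaspersky report or of this article, the following Python sketch shows why that matters for whoever operates the reflector: a plain outbound-volume alarm trips on a Memcached reflector but not on an LDAP one, whereas a per-peer amplification ratio (response bytes sent back to a peer divided by request bytes received from it) flags both. The flow records, the addresses (RFC 5737 documentation ranges), the local network and the thresholds are all constructed for the example; the service ports are the well-known UDP ports of the four amplifiers named above.

```python
"""Spot a server being abused as a UDP reflector from flow records (illustrative example)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Well-known UDP service ports of the amplifiers discussed in the text.
AMPLIFIER_PORTS = {11211: "memcached", 389: "cldap", 123: "ntp", 53: "dns"}

# Assumption for the example: this is the network whose servers we operate.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (one direction of a UDP conversation)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    nbytes: int


# Constructed sample flows, not real traffic:
#  - 192.0.2.10:389   CLDAP server hammered by spoofed queries "from" 203.0.113.50,
#                     plus one legitimate client (198.51.100.7)
#  - 192.0.2.20:11211 Memcached server abused by the same spoofed peer
#  - 192.0.2.30:53    DNS resolver answering a normal client (198.51.100.9)
SAMPLE_FLOWS = [
    Flow("203.0.113.50", 40000, "192.0.2.10", 389, 100, 5_200),       # 52 B queries in
    Flow("192.0.2.10", 389, "203.0.113.50", 40000, 100, 300_000),     # ~3 KB answers out
    Flow("198.51.100.7", 51000, "192.0.2.10", 389, 2, 104),
    Flow("192.0.2.10", 389, "198.51.100.7", 51000, 2, 400),
    Flow("203.0.113.50", 40001, "192.0.2.20", 11211, 50, 750),        # 15 B requests in
    Flow("192.0.2.20", 11211, "203.0.113.50", 40001, 50, 25_000_000), # 500 KB replies out
    Flow("198.51.100.9", 53211, "192.0.2.30", 53, 30, 1_800),
    Flow("192.0.2.30", 53, "198.51.100.9", 53211, 30, 6_000),
]


def _is_local(ip: str, net: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_address(ip) in net


def detect_reflection(flows, local_net, min_ratio=10.0, min_packets=20):
    """Flag (local server, service, peer) triples whose response bytes dwarf the
    request bytes from that peer. Thresholds are illustrative, not tuned values."""
    # (local_host, service_port, peer_ip) -> [in_pkts, in_bytes, out_pkts, out_bytes]
    stats = defaultdict(lambda: [0, 0, 0, 0])
    for f in flows:
        if (f.dst_port in AMPLIFIER_PORTS and _is_local(f.dst_ip, local_net)
                and not _is_local(f.src_ip, local_net)):
            s = stats[(f.dst_ip, f.dst_port, f.src_ip)]     # request arriving at our service
            s[0] += f.packets
            s[1] += f.nbytes
        elif (f.src_port in AMPLIFIER_PORTS and _is_local(f.src_ip, local_net)
                and not _is_local(f.dst_ip, local_net)):
            s = stats[(f.src_ip, f.src_port, f.dst_ip)]     # response leaving our service
            s[2] += f.packets
            s[3] += f.nbytes

    findings = []
    for (host, port, peer), (in_pkts, in_bytes, _out_pkts, out_bytes) in stats.items():
        if in_pkts < min_packets or in_bytes == 0:
            continue  # too little traffic to judge, or responses without requests
        ratio = out_bytes / in_bytes
        if ratio >= min_ratio:
            findings.append({"host": host, "service": AMPLIFIER_PORTS[port], "peer": peer,
                             "amplification": round(ratio, 1), "out_bytes": out_bytes})
    return findings


def volume_alarm(flows, local_net, threshold_bytes):
    """The naive check: which local hosts pushed more than threshold_bytes outbound?"""
    out = defaultdict(int)
    for f in flows:
        if _is_local(f.src_ip, local_net) and not _is_local(f.dst_ip, local_net):
            out[f.src_ip] += f.nbytes
    return {host for host, total in out.items() if total >= threshold_bytes}


if __name__ == "__main__":
    print("volume alarm (>= 1 MB out):", volume_alarm(SAMPLE_FLOWS, LOCAL_NET, 1_000_000))
    for finding in detect_reflection(SAMPLE_FLOWS, LOCAL_NET):
        print("reflection:", finding)
```

With these constructed flows the volume alarm names only the Memcached host, while the ratio check also surfaces the CLDAP server, whose 300 KB of amplified answers would never register as congestion on its uplink. In practice the peer is the spoofed victim address, so the "peer" field in a finding is who is being attacked, not who is attacking.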
“Exploiting vulnerabilities is a favorite tool for cybercriminals whose business is the creation of DDoS botnets,” said Alexey Kiselev, project manager on the Kaspersky DDoS Protection team. “However, as the first few months of the year have shown, it’s not only the victims of DDoS attacks that are affected, but also those companies with infrastructure that includes vulnerable objects. The events of the first quarter reaffirm a simple truth: The platform companies use to implement multi-layered online security must include regular patching of vulnerabilities and permanent protection against DDoS attacks.”