Distributed Denial of Service (DDoS) attackers are relying less on traditional botnet infection and more on reflection and amplification techniques, a new survey said.
“Instead of using a network of zombie computers, the newer DDoS toolkits abuse Internet protocols that are available on open or vulnerable servers and devices,” said Stuart Scholly, senior VP and general manager of Security at Akamai, which conducted the survey that covered the first quarter. “We believe this approach can lead to the Internet becoming a ready-to-use botnet for malicious actors.”
The most abused protocols are Character Generator (CHARGEN), Network Time Protocol (NTP) and Domain Name System (DNS). These protocols, all based on the User Datagram Protocol (UDP), are favored because they allow attackers to hide their identity: UDP is connectionless, so a request can carry a forged source address and the server's reply is delivered to that address rather than to the real sender. In addition, amplification-based attacks can deliver a massive flood of data to the target while requiring only a relatively small output from the source.
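As an added illustration, not part of the Akamai report, the following Python script shows how a defender might spot this traffic pattern in flow records: replies from the three reflector services named above arriving at one destination from many distinct sources, with large average packet sizes. The flow records, IP addresses, packet sizes and alert thresholds are all constructed for the example.

```python
"""Flag reflection/amplification floods in NetFlow-style flow records.

Added example, not code from the Akamai/Prolexic report. The flow records
below are constructed; the reflector service ports are the three the report
names (CHARGEN 19, DNS 53, NTP 123); the thresholds are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# UDP services the report identifies as the most abused reflectors.
REFLECTOR_PORTS: Dict[int, str] = {19: "CHARGEN", 53: "DNS", 123: "NTP"}


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    packets: int
    bytes: int


# Constructed sample: several reflectors answering one victim on random high
# ports with large packets, plus ordinary traffic that must not alert.
SAMPLE_FLOWS: List[Flow] = []
for i in range(5):   # five NTP reflectors; reply sizes are assumed
    SAMPLE_FLOWS.append(Flow(f"198.51.100.{10 + i}", 123, "203.0.113.10", 40000 + i, "udp", 1000, 482_000))
for i in range(3):   # three CHARGEN reflectors; reply sizes are assumed
    SAMPLE_FLOWS.append(Flow(f"198.51.100.{20 + i}", 19, "203.0.113.10", 50000 + i, "udp", 500, 512_000))
SAMPLE_FLOWS += [
    Flow("198.51.100.5", 123, "192.0.2.7", 123, "udp", 4, 304),      # server-to-server NTP sync
    Flow("198.51.100.53", 53, "192.0.2.8", 51234, "udp", 3, 300),     # ordinary DNS reply
    Flow("198.51.100.9", 80, "192.0.2.8", 40000, "tcp", 12, 9_600),   # web traffic, not UDP
]


def reflection_candidates(flows: List[Flow]) -> List[Flow]:
    """Inbound UDP flows whose *source* port is a reflector service and whose
    destination port is ephemeral: the shape of a reply to a request that
    carried a forged source address."""
    return [
        f for f in flows
        if f.proto == "udp" and f.src_port in REFLECTOR_PORTS and f.dst_port >= 1024
    ]


def detect_amplification(flows: List[Flow], min_reflectors: int = 3,
                         min_avg_bytes: float = 400.0) -> List[dict]:
    """Group reply-shaped flows by (victim, service) and alert when many distinct
    reflectors send large-average packets to the same victim. One server
    answering one client never reaches the reflector count, and small replies
    never pass the size check. Both thresholds are illustrative assumptions."""
    groups: Dict[Tuple[str, int], dict] = defaultdict(
        lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in reflection_candidates(flows):
        g = groups[(f.dst_ip, f.src_port)]
        g["reflectors"].add(f.src_ip)
        g["packets"] += f.packets
        g["bytes"] += f.bytes

    alerts = []
    for (victim, port), g in groups.items():
        avg_bytes = g["bytes"] / g["packets"]
        if len(g["reflectors"]) >= min_reflectors and avg_bytes >= min_avg_bytes:
            alerts.append({
                "victim": victim,
                "service": REFLECTOR_PORTS[port],
                "reflectors": len(g["reflectors"]),
                "packets": g["packets"],
                "bytes": g["bytes"],
                "avg_bytes": avg_bytes,
            })
    # Largest flood first.
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


if __name__ == "__main__":
    for a in detect_amplification(SAMPLE_FLOWS):
        print(f"{a['victim']}: {a['service']} reflection from {a['reflectors']} hosts, "
              f"{a['bytes']} bytes, avg {a['avg_bytes']:.0f} bytes/packet")
```

Flow records only show the reply side, so the script cannot measure the amplification factor directly; it relies on the two signals a reflected flood leaves behind, many unrelated servers answering one host it never asked, and replies far larger than a normal request. Both thresholds should be tuned against a site's own baseline before the rule is trusted.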
New reflection and amplification attack tools can be formidable. The first quarter saw a 39 percent increase in average bandwidth and the largest-ever DDoS attack to cross the Prolexic DDoS mitigation network. That attack combined multiple reflection techniques with a traditional botnet-based application-layer attack to generate peak traffic of more than 200 Gbps (gigabits per second) and 53.5 Mpps (million packets per second).
More than half of the quarter's DDoS attack traffic was aimed at the Media and Entertainment industry, which received 54 percent of the malicious packets mitigated by Prolexic during active DDoS attacks in Q1.
Compared to Q1 2013:
• 47 percent increase in DDoS attacks
• 9 percent decrease in average attack bandwidth
• 68 percent increase in infrastructure (Layer 3 & 4) attacks
• 21 percent decrease in application (Layer 7) attacks
• 50 percent decrease in average attack duration: 35 vs. 17 hours
• 133 percent increase in average peak bandwidth
Compared to Q4 2013:
• 18 percent increase in DDoS attacks
• 39 percent increase in average attack bandwidth
• 35 percent increase in infrastructure (Layer 3 & 4) attacks
• 36 percent decrease in application (Layer 7) attacks
• 24 percent decrease in average attack duration: 23 vs. 17 hours
• 114 percent increase in average peak bandwidth
Innovation in the DDoS marketplace has given the bad guys tools that create greater damage with fewer resources. Q1's high-volume, infrastructure-based attacks were made possible by the availability of easy-to-use DDoS tools from the DDoS-as-a-service marketplace. These tools are designed to put greater power and convenience into the hands of less skilled attackers.
For example, NTP reflection attacks surged in Q1, likely because of the availability of easy-to-use DDoS attack tools that support this reflection technique. The NTP flood method went from accounting for less than 1 percent of all attacks in the prior quarter to nearly the same popularity as SYN flood attacks, a traditional favorite among DDoS attackers. Neither the CHARGEN nor the NTP attack vector was detected in Q1 2013, yet together they accounted for 23 percent of all infrastructure attacks mitigated by Prolexic in Q1 2014.