DDoS Attacks More Than Doubled in a Year, Akamai Says
The nature of DDoS attacks is changing, Akamai finds, with attacks using non-secure home routers and office devices to inundate a victim with data becoming rapidly popular.
Distributed denial-of-service (DDoS) attacks have more than doubled in the past year, with a shift to a new type of attack that uses non-secure home routers and office devices to inundate a target with data, Internet-infrastructure firm Akamai stated in a report released on May 19.
The Q1 2015 State of the Internet Security Report found that while eight "mega-attacks" exceeded 100 Gbps in bandwidth, the average attack sent less than 10 Mbps toward targets, but did so for at least a day. Last year, attackers typically used higher-bandwidth floods, but inundated victims only for hours.
Many of the attacks are fueled by abuse of the Simple Service Discovery Protocol, or SSDP, which allows Universal Plug and Play (UPnP) devices to configure themselves within home and small-office environments. Attackers can abuse the protocol to amplify the bandwidth sent to a target by up to 30 times. While that type of data flood was unheard of a year ago, it now makes up more than 20 percent of all attacks, Akamai stated in the report.
"You see attackers researching and learning about protocols that are particularly vulnerable, and a lot of these are protocols where the designers did not consider them in an adversarial environment," Eric Kobrin, director of information security at Akamai, told eWEEK.
The changes in the denial-of-service (DoS) arena show how quickly attackers can adapt. Last year, reflection techniques using the Network Time Protocol were common, increasing attack bandwidth by up to 300 times, but such data floods were fairly easy to block. SSDP attacks—first seen by Akamai in July 2014—can make use of at least 4 million UPnP devices that are accessible from the Internet and vulnerable to abuse. SSDP attacks rose 117 percent in the first quarter of 2015, compared with the same period last year.
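A defender-side check for the exposure described above, added here as an example and not taken from Akamai's report or the article: it scans flow records for local devices that answer SSDP (UDP port 1900) requests arriving from outside the network and reports how much larger their replies are than the requests. The record layout, the function name find_ssdp_reflectors and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

SSDP_PORT = 1900  # UDP port used by SSDP/UPnP discovery

# Constructed sample flow records (not real traffic):
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.7", 40211, "192.168.1.1", 1900, "udp", 120),      # request from the WAN side
    ("192.168.1.1", 1900, "198.51.100.7", 40211, "udp", 3300),     # much larger reply leaves the LAN
    ("192.168.1.20", 50000, "239.255.255.250", 1900, "udp", 130),  # normal LAN multicast discovery
    ("192.168.1.1", 1900, "192.168.1.20", 50000, "udp", 400),      # LAN-only reply, harmless
    ("203.0.113.9", 53124, "192.168.1.30", 443, "tcp", 900),       # unrelated traffic
]


def find_ssdp_reflectors(flows, local_net="192.168.1.0/24"):
    """Return {local_ip: amplification_ratio} for hosts answering SSDP from outside."""
    net = ipaddress.ip_network(local_net)

    def is_local(ip):
        return ipaddress.ip_address(ip) in net

    req = defaultdict(int)  # bytes received on UDP/1900 from external sources
    rsp = defaultdict(int)  # bytes sent from UDP/1900 to external destinations
    for src, sport, dst, dport, proto, size in flows:
        if proto != "udp":
            continue
        if dport == SSDP_PORT and is_local(dst) and not is_local(src):
            req[dst] += size
        elif sport == SSDP_PORT and is_local(src) and not is_local(dst):
            rsp[src] += size
    # Totals are kept per local device, not per external peer, because in a
    # reflection flood the request's source address is forged.
    # Only devices that actually reply to outside requests are reported.
    return {ip: round(rsp[ip] / req[ip], 1) for ip in req if rsp[ip] > 0}


if __name__ == "__main__":
    for ip, ratio in find_ssdp_reflectors(SAMPLE_FLOWS).items():
        print(f"{ip} answers SSDP from outside the network, reply/request ratio {ratio}x")
```

Any device this reports should have UDP port 1900 blocked at the WAN edge or UPnP disabled on its Internet-facing interface.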