Distributed denial-of-service attacks used to be reserved as the not-so-subtle tool of vandals and hacktivists.
Increasingly, however, other actors are using DDoS attacks for a variety of ends. Criminals clog networks to demonstrate their capabilities and extort money from companies. Rogue gamers attack rivals to gain advantage in online arenas. In fact, criminal and online gaming- and gambling-related motivations topped the list of suspected reasons for DDoS attacks in 2015.
“It definitely points to how this is becoming more of a mainstream tool in hackers’ arsenals compared to the past when it was more often done in more of a nuisance or antagonistic way, rather than for criminal gain,” Gary Sockrider, principal security technologist at Arbor Networks, told eWEEK.
The most recent data from Arbor and other companies shows an evolving picture of DDoS attacks. In its 11th Worldwide Infrastructure Security Report, Arbor Networks found that, in addition to changing motivations, the peak bandwidth of the most powerful attacks has increased, attackers are more likely to target specific applications, and attacks against voice-over-IP (VoIP) services have increased.
The report surveyed IT and security professionals at Internet service providers, enterprises, government agencies and educational institutions on the denial-of-service trends witnessed by their organizations.
In a separate analysis, security firm Kaspersky Lab found that while the attacks targeted resources in 69 countries, just three nations—China, South Korea and the United States—accounted for more than 80 percent of all targets. In its latest State of the Internet report, Akamai found that the United Kingdom, China and the United States were the largest sources of attacks.
“It has been pretty dramatic, over the past year, how popular DDoS has become,” said David Fernandez, editor in chief of Akamai’s State of the Internet report.
Nor is it surprising that peak attack volumes increased in 2015. The largest attack peaked at 500 Gbps, according to Arbor, and the longest attack lasted more than 15 days, according to Kaspersky.
“The volumetric stuff gets the headlines and big numbers are scary, but it’s not the whole story,” Sockrider said. “The only time I’m surprised by the big numbers is when they don’t get bigger.”
The average target has to deal with more modest threats. The average attack consumes less than 500 Mbps and lasts less than 30 minutes, according to Arbor’s data.
What does the future hold? Here are five trends to watch for in 2016, according to the data.
1. DDoS used for a greater variety of nefarious ends
In 2012, Internet service providers and companies targeted by DDoS attacks believed the largest proportion of attacks could be attributed to political and hacktivist attackers. In Arbor’s 2012 Worldwide Infrastructure Security Report, ideological and political motivations accounted for a third of attacks, online gaming-related attacks accounted for 31 percent and vandalism accounted for 27 percent.
In the latest report, Arbor found that 42 percent of respondents blamed attacks on criminals trying to demonstrate their capabilities, another 41 percent connected attacks to online gaming and 35 percent to extortion. (Respondents could choose more than one motivation, so they total more than 100 percent.)
DDoS Targets, Motivations Evolve as Attack Volumes Hit New Peaks
In a quarter of cases, the attacks were used as a way to distract defenders from a more subtle attack, Arbor’s Sockrider said.
“We can talk about a lot of metrics, about the volume, bandwidth and size, but one of the big takeaways is that the respondents are finding that DDoS is being used for a smokescreen, to distract from other attacks or malware,” he said.
2. Attackers continue to hunt for new vectors for reflection
Reflection attacks continue to be a popular way to quickly boost attack traffic volumes. The attacker sends small requests with a spoofed source address to open servers, which send their much larger replies to the victim. While attackers previously focused on vulnerable Network Time Protocol (NTP) servers as a way to amplify their DDoS attacks, in 2015 the protocol for discovering and configuring Universal Plug and Play devices, the Simple Service Discovery Protocol (SSDP), became a popular way to amplify attacks. In August 2015, however, attackers returned to using the domain name system (DNS) to magnify their attacks.
Different security firms identified different protocols as the most popular amplification vectors, yet NTP, SSDP, DNS and Chargen (a seldom-used protocol that simply generates streams of bytes) are currently the most popular.
“Attackers are scanning and finding weaknesses that they can exploit to amplify attacks,” Akamai’s Fernandez said.
In its DDoS Intelligence Report for Q4 2015, Kaspersky Lab described three other sources of amplified traffic: NetBIOS name servers, domain controller services connected via a dynamic port and certain licensing servers.
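Because the reflectors in these attacks are legitimate servers answering what look like legitimate requests, the traffic stands out on the victim side mainly by its shape: large UDP replies on a well-known amplifier port, arriving from many distinct hosts that the victim never queried. The following script is an added example written for this article, not code from Arbor, Kaspersky or Akamai. It runs that check over a handful of constructed NetFlow-style records; the service-to-port mapping (NTP 123, SSDP 1900, DNS 53, Chargen 19) follows the protocols named above, while the record format, IP addresses, byte counts and thresholds are all assumptions for illustration.

```python
"""Flag hosts that receive unsolicited, oversized UDP replies from many
amplifiers: the victim-side signature of a reflection attack.
Added example with constructed input; not from any vendor report."""
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports of the amplifier services named in the article.
AMPLIFIER_PORTS = {19: "Chargen", 53: "DNS", 123: "NTP", 1900: "SSDP"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    nbytes: int


def parse_flows(text):
    """Parse constructed 'src,sport,dst,dport,proto,packets,bytes' records."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, pkts, nbytes = [f.strip() for f in line.split(",")]
        flows.append(Flow(src, int(sport), dst, int(dport), proto.upper(), int(pkts), int(nbytes)))
    return flows


def find_reflection_victims(flows, min_reflectors=3, min_avg_bytes=400):
    """Return {victim: {service: {"reflectors": n, "bytes": total}}} for hosts
    that receive large replies from at least min_reflectors distinct amplifiers
    on one service port without having sent a matching request. A reply counts
    as solicited if the same host sent a request to that reflector and port in
    the same record set, so ordinary DNS or NTP clients are not flagged."""
    requests = set()
    for f in flows:
        if f.proto == "UDP" and f.dport in AMPLIFIER_PORTS:
            requests.add((f.src, f.dst, f.dport))

    seen = defaultdict(lambda: defaultdict(lambda: {"reflectors": set(), "bytes": 0}))
    for f in flows:
        if f.proto != "UDP" or f.sport not in AMPLIFIER_PORTS or f.packets == 0:
            continue
        if (f.dst, f.src, f.sport) in requests:
            continue  # the receiver asked for this reply: normal client traffic
        if f.nbytes / f.packets < min_avg_bytes:
            continue  # small replies do not look amplified
        svc = AMPLIFIER_PORTS[f.sport]
        seen[f.dst][svc]["reflectors"].add(f.src)
        seen[f.dst][svc]["bytes"] += f.nbytes

    victims = {}
    for dst, services in seen.items():
        hits = {svc: {"reflectors": len(v["reflectors"]), "bytes": v["bytes"]}
                for svc, v in services.items() if len(v["reflectors"]) >= min_reflectors}
        if hits:
            victims[dst] = hits
    return victims


# Constructed sample records (RFC 5737 documentation addresses), not real data.
SAMPLE_FLOWS = """
# src,sport,dst,dport,proto,packets,bytes
# NTP replies from five reflectors to one victim that never queried them
198.51.100.1,123,203.0.113.10,40000,UDP,100,46800
198.51.100.2,123,203.0.113.10,40000,UDP,100,46800
198.51.100.3,123,203.0.113.10,40000,UDP,100,46800
198.51.100.4,123,203.0.113.10,40000,UDP,100,46800
198.51.100.5,123,203.0.113.10,40000,UDP,100,46800
# SSDP replies to the same victim from three home routers
192.0.2.11,1900,203.0.113.10,40000,UDP,50,30000
192.0.2.12,1900,203.0.113.10,40000,UDP,50,30000
192.0.2.13,1900,203.0.113.10,40000,UDP,50,30000
# a legitimate DNS client: request out, large answer back
203.0.113.20,51234,198.51.100.53,53,UDP,1,70
198.51.100.53,53,203.0.113.20,51234,UDP,1,512
# a single Chargen reflector: too few sources to call it an attack
192.0.2.99,19,203.0.113.30,40000,UDP,20,20000
"""

if __name__ == "__main__":
    for victim, hits in find_reflection_victims(parse_flows(SAMPLE_FLOWS)).items():
        for svc, info in hits.items():
            print(f"{victim}: {svc} reflection from {info['reflectors']} hosts, {info['bytes']} bytes")
```

On the sample data only 203.0.113.10 is reported, for both NTP and SSDP; the DNS client is cleared by its own outbound request and the lone Chargen source stays below the reflector threshold. The thresholds are deliberately conservative and would be tuned to a real network's baseline; the request-matching check also depends on seeing both directions of traffic, which a collector on an asymmetric path may not.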
3. Internet of things (IoT) provides new tools for attackers
Servers and desktop computers are not the only sources of traffic that can be used to attack networks. In its report, Kaspersky Lab noted that a number of other devices can be used to launch DDoS attacks, including Internet-connected CCTV cameras and home routers.
“The cybercriminals behind DDoS attacks utilize not only what are considered to be classic botnets that include workstations and PCs, but also any other vulnerable resources that are available,” Kaspersky Lab stated in its report. “These include vulnerable web applications, servers and IoT devices.”
4. U.S. and China continue to be top targets
The countries affected by attacks differ depending on the security firm collecting the data. According to Kaspersky, more than half of attacks targeted resources in China, almost a quarter targeted South Korean networks and about one in eight targeted resources in the United States. Arbor found that a third of attacks targeted the United States, 11 percent targeted China, and 6 percent each targeted France and South Korea.
5. Companies are better at mitigating attacks
Despite the rise in attack types, companies are getting better at reducing the impact of denial-of-service attacks. More than three-quarters of service providers can mitigate DDoS attacks in 20 minutes or less, according to Arbor’s report.
“Internet service providers are on the front lines,” Arbor’s Sockrider said. “That really speaks to the fact that service providers have been doing this for a long time now, and they continue to hone their skills and improve their capabilities.”