DDoS Targets, Motivations Evolve as Attack Volumes Hit New Peaks
In a quarter of cases, the attacks were used as a way to distract defenders from a more subtle attack, Arbor's Sockrider said. "We can talk about a lot of metrics, about the volume, bandwidth and size, but one of the big takeaways is that the respondents are finding that DDoS is being used for a smokescreen, to distract from other attacks or malware," he said.

2. Attackers continue to hunt for new vectors for reflection

Reflection attacks continue to be a popular way to quickly boost attack traffic volumes. While attackers focused previously on vulnerable Network Time Protocol (NTP) servers as a way to amplify their DDoS attacks, in 2015, the protocol for discovering and configuring Universal Plug and Play devices—known as the Simple Service Discovery Protocol (SSDP)—became the popular way to amplify attacks. In August 2015, however, attackers returned to using the domain name system (DNS) to magnify their attacks.

"Attackers are scanning and finding weaknesses that they can exploit to amplify attacks," Akamai's Fernandez said. In its DDoS Intelligence Report for Q4 2015, Kaspersky Lab described three other sources of amplified traffic: NetBIOS name servers, domain controller services connected via a dynamic port and certain licensing servers.

3. Internet of things (IoT) provides new tools for attackers

Servers and desktop computers are not the only sources of traffic that can be used to attack networks. In its report, Kaspersky Lab noted that a number of other devices can be used to launch DDoS attacks, including Internet-connected CCTV cameras and home routers.

"The cybercriminals behind DDoS attacks utilize not only what are considered to be classic botnets that include workstations and PCs, but also any other vulnerable resources that are available," Kaspersky Lab stated in its report. "These include vulnerable web applications, servers and IoT devices."

4. U.S. and China continue to be top targets

The countries affected by attacks differ depending on the security firm collecting the data. According to Kaspersky, more than half of attacks targeted resources in China, almost a quarter targeted South Korean networks and about one in eight targeted resources in the United States. Arbor found that a third of attacks targeted the United States, 11 percent targeted China, and 6 percent each targeted France and South Korea.

5. Companies are better at mitigating attacks

Despite the rise in attack types, companies are getting better at reducing the impact of denial-of-service attacks. More than three-quarters of service providers can mitigate DDoS attacks in 20 minutes or less, according to Arbor's report.

"Internet service providers are on the front lines," Arbor's Sockrider said. "That really speaks to the fact that service providers have been doing this for a long time now, and they continue to hone their skills and improve their capabilities."
Different security firms identified different protocols as the most popular amplification vectors, yet NTP, SSDP, DNS and Chargen, which is a seldom-used protocol for generating byte streams, are currently the most popular.
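For defenders, reflected traffic from these vectors has a recognizable shape in flow data: UDP responses from the service's well-known port, arriving from many sources, that answer no request the receiving host ever sent. The sketch below is an added example, not code from the article or from any of the vendors quoted; the flow-record layout, the thresholds and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
from collections import defaultdict

# Well-known UDP ports of the reflection vectors named in the article.
REFLECTION_PORTS = {19: "Chargen", 53: "DNS", 123: "NTP",
                    137: "NetBIOS-NS", 1900: "SSDP"}

# Constructed sample flows: (direction, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    ("out", "192.0.2.10", 40000, "198.51.100.53", 53, 80),    # our DNS query
    ("in", "198.51.100.53", 53, "192.0.2.10", 40000, 200),    # its reply
    ("in", "203.0.113.1", 123, "192.0.2.10", 8080, 468),      # unsolicited NTP
    ("in", "203.0.113.2", 123, "192.0.2.10", 8080, 468),
    ("in", "203.0.113.3", 123, "192.0.2.10", 8080, 468),
    ("in", "203.0.113.4", 1900, "192.0.2.10", 8080, 320),     # lone SSDP packet
    ("in", "198.51.100.53", 53, "192.0.2.20", 5000, 3000),    # unsolicited DNS
]

def find_reflection(flows, min_sources=3, min_bytes=1000):
    """Flag hosts receiving unsolicited service responses from many sources."""
    # Requests our hosts really sent, keyed as (client, server, service port).
    solicited = {(src, dst, dport)
                 for direction, src, _, dst, dport, _ in flows
                 if direction == "out" and dport in REFLECTION_PORTS}
    stats = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for direction, src, sport, dst, _, size in flows:
        if direction != "in" or sport not in REFLECTION_PORTS:
            continue
        if (dst, src, sport) in solicited:
            continue  # a legitimate reply to a request we sent
        entry = stats[(dst, REFLECTION_PORTS[sport])]
        entry["sources"].add(src)
        entry["bytes"] += size
    alerts = []
    for (victim, vector), entry in sorted(stats.items()):
        # Many distinct reflectors plus volume separates an attack from noise.
        if len(entry["sources"]) >= min_sources and entry["bytes"] >= min_bytes:
            alerts.append({"victim": victim, "vector": vector,
                           "reflectors": len(entry["sources"]),
                           "bytes": entry["bytes"]})
    return alerts

if __name__ == "__main__":
    for alert in find_reflection(SAMPLE_FLOWS):
        print(alert)
```

In production the thresholds would be tuned per network and evaluated over a sliding time window rather than a whole capture.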