Distributed denial-of-service (DDoS) attacks have more than doubled in the past year, with a shift to a new type of attack that uses non-secure home routers and office devices to inundate a target with data, Internet-infrastructure firm Akamai stated in a report released on May 19.
The Q1 2015 State of the Internet Security Report found that while eight “mega-attacks” exceeded more than 100G bps in bandwidth, the average attack sent less than 10M bps toward targets, but did so for at least a day. Last year, attackers typically used higher bandwidth floods, but only inundated victims for hours.
Many of the attacks are fueled by abuse of the Simple Service Discovery Protocol, or SSDP, which allows Universal Plug and Play (UPnP) devices to configure themselves within home and small-office environments. Attackers can abuse the protocol to amplify the bandwidth sent to a target by up to 30 times. While that type of data flood was unheard of a year ago, it now makes up more than 20 percent of all attacks, Akamai stated in the report.
“You see attackers researching and learning about protocols that are particularly vulnerable, and a lot of these are protocols where the designers did not consider them in an adversarial environment,” Eric Kobrin, director of information security at Akamai, told eWEEK.
The changes in the denial-of-service (DoS) arena show how quickly attackers can adapt. Last year, reflection techniques using the Network Time Protocol were common, increasing attack bandwidth by up to 300 times, but such data floods were fairly easy to block. SSDP attacks—first seen by Akamai in July 2014—can make use of at least 4 million UPnP devices that are accessible from the Internet and vulnerable to abuse. SSDP attacks rose 117 percent in the first quarter of 2015, compared with the same period last year.
“Not only is this attack easy for malicious actors to execute, but the number of vulnerable reflectors does not appear to be diminishing,” the report stated. “There were millions of vulnerable reflectors when [we] first released our advisory” in September.
Attacks using SSDP, so-called SYN floods and UDP floods were the three most common types, making up half of all the attacks that Akamai saw, according to the report. Computers in China were the greatest sources of DoS attacks, accounting for more than 23 percent of sources. Germany and the United States accounted for the second and third greatest number of sources.
Attackers focused heavily on gaming companies in the first quarter of the year, with more than a third of attacks targeting online gaming firms and console makers. Software and technology firms were the targets in a quarter of data floods.
The sustained number of high-bandwidth floods—nine in the fourth quarter of 2014 and eight in this year’s first quarter—is a concern, even if they are still rare, Akamai researchers stated. A year ago, Akamai detected a single attack exceeding 100 Gbps in bandwidth.
“Security researchers are concerned about what the attackers may be able to accomplish by this time next year,” the report stated. “Also troubling is the fact that employing the current attack techniques has not required much skill.”
Akamai also warned that the Internet community’s relative lack of expertise with IPv6 (Internet Protocol version 6), the replacement protocol for the IPv4 addressing on the current Internet, will likely open doors for attackers to create new methods of exploitation and DoS opportunities.
“A new set of risks and challenges associated with the transition to IPv6 are now affecting cloud providers as well as home and corporate network owners,” the report stated.