
Love Uptime? Too Bad, DDoS Attacks Have Doubled

By Kim Crawley

Findings from a recent study should make network administrators concerned. The DDoS Trends Report for the second and third quarters of 2017 indicates that the number of distributed denial of service (DDoS) attacks has been rapidly increasing. The report is based on data gathered through Corero customers.

Alarming Frequency

About a year after the DDoS attack on Dyn’s DNS servers, one of the biggest ever, DDoS attacks are still rising in frequency. One finding really surprises me: targets experienced an average of 3.6 DDoS attacks per day in the fourth quarter of 2016, with an average total of 328 attacks during that time period.

For the third quarter of 2017, targets faced an average of 8 attacks per day, with an average total of 710 attacks during that time period. That means DDoS attacks have more than doubled in frequency in less than a year. That’s certainly cause for concern.

DDoS Attack Duration is Getting Shorter

Catch them while you can, because the report finds that individual DDoS attacks are getting smaller in magnitude and duration.

In the fourth quarter of 2016, 5% of mitigated attacks averaged over 5GB in magnitude, 18% averaged between 1 and 5GB, and 79% averaged below 1GB. But in the third quarter of 2016, 4% of mitigated attacks averaged over 5GB in magnitude, 15% averaged between 1 and 5GB, and 81% averaged below 1GB.

The smaller magnitude of DDoS attacks correlates with a decrease in duration. In the fourth quarter of 2016, 17% of attacks were between 6 and 10 minutes, and 57% of attacks lasted 5 minutes or less. Compare that to the third quarter of 2017. For that period, 13% of attacks were between 6 and 10 minutes, and 58% of attacks lasted 5 minutes or less.

Service Flood Attacks are the New Black

The report finds that cyber attackers are gradually switching how they conduct DDoS attacks as well. Service Flood DDoS attacks are designed to overwhelm their targets’ bandwidth, whereas Multi-Vector DDoS attacks hit multiple network vectors in a manner intended to evade detection by traditional IT security measures.

There are different types of Service Flood attacks depending on which sort of packets they use. There are GET floods, SYN floods, UDP floods, ACK floods, TCP floods, reset floods, and DNS query floods. All this talk of floods makes me wish I had a proper pair of rain boots!

In the second quarter of 2017, 39% of recorded attacks were Service Floods, and 20% were Multi-Vector attacks. In the third quarter of 2017, attack methods have shifted. Only 15% of attacks were Multi-Vector, and 41% of attacks were Service Floods.

The Return of Ransom Denial of Service Attacks

Recent WannaCry, NotPetya, and Locky campaigns have put ransomware at the top of everyone’s minds in 2017, but there’s another kind of cyberattack that also involves ransoms, Ransom DoS (RDoS), and the study finds that these attacks are making a comeback.

The Phantom Squad attack group triggered a wave of RDoS attacks in September. The report says that RDoS attacks are targeting a variety of industries: software-as-a-service (SaaS) providers, the financial sector, internet hosting providers, and online gaming services.

What Does this All Mean?

DDoS attacks are getting shorter in duration, but are greatly increasing in frequency. That’s bad news, because frequent short attacks can do more harm than less frequent and longer attacks. Internet reliability can depend on fractions of a second, and greater attack frequency means more work for network administrators and security practitioners.

Additionally, DDoS attacks are often used to distract IT professionals in order to allow attackers the cover they need to conduct other more nefarious types of attacks, such as network infiltration, data theft, and malware infection.

One of the major causes of the increase in DDoS attack frequency is the rise of IoT-based botnets. The growth in IoT devices provides cyber attackers with a lot more hosts for zombie botnet malware, which are then leveraged through command and control servers.

Botnets are a common means for DDoS attacks, and IoT devices becoming more common has created a lot of opportunity for attackers. Reaper is an example of how destructive IoT botnet malware is getting, and network administrators should be on alert.

About Kim Crawley

Kimberly Crawley spent years working in consumer tech support. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. By 2011, she was writing study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. She’s since contributed articles on information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo-developed PC game, Hackers Versus Banksters, was featured at the Toronto Comic Arts Festival in May 2016. She now writes for Tripwire, Alienvault, Cylance, and CCSI’s corporate blogs.

The opinions expressed in guest author articles are solely those of the contributor, and do not necessarily reflect those of Cylance.
