DDoS Attacks Are Still Happening — and Getting Bigger

Distributed denial of service attacks have grown larger in scale, more sophisticated and harder to detect, according to three large technology vendors that have recently published analyses of attacks.

DDoS attacks, malicious streams of traffic that can take down a website and cause reputational and other damage to a company, were big news during the fall of 2012. A group called Izz ad-Din al-Qassam Cyber Fighters carried out a series of these attacks on U.S. banks' websites. Such exploits have not made the news much lately because few have been successful enough to bring down a bank's website for a noteworthy length of time.

This is partly because banks have invested in better DDoS mitigation technology and services, observers say. Another factor is that banks are being targeted less frequently — only about 10% of incidents. Gaming, technology and media companies have become more popular targets.

But attacks are still being launched against banks and other companies, and with greater force than ever, according to large information security providers such as Prolexic (which is now owned by Akamai), Verizon and Verisign. The three companies recently issued reports that shed light on the changing nature of DDoS attacks.

Close to 90% of the DDoS attacks conducted during the first half of 2014 were volumetric attacks, according to Rod Soto, senior security researcher at Akamai PLXsert. In other words, they sent high amounts of traffic to a website to overwhelm it and the company's network, so the site wouldn't work and the company couldn't serve its customers. (Eighty of the top 100 U.S. banks use his company's service, Soto said.)

One pattern Soto has observed in DDoS attacks on financial institutions is that they usually start at 9:00 a.m. EST and finish about 5:00 p.m. EST.

"Why? Because this will cause the most disruption possible and the media will pick it up," Soto said. "The effects of a successful DDoS campaign are amplified by the use and manipulation of the media." (By contrast, he said, attacks on casinos tend to occur in the late afternoon or at night, he said. They likely are carried out by rival casinos who want to keep customers away from competitors, Soto said.)

Typically, customers of a bank under attack will complain over social media that they can't access their bank's website.

"Attackers will purposely watch social media for signals that their target is failing," Soto said. "Then they will try to underline that. They will retweet it. Once the media picks up on that, it amplifies the perception of the actual attack."

Attackers will use media coverage as a validation that the attack was successful.

BIGGER, SHORTER ATTACKS

Most DDoS attacks are measured by the number of gigabytes of data hurled at a target each second. In the first quarter, Verisign observed an 83% increase in DDoS attack size over the previous quarter and a 6% increase from a year earlier, to 3.92 gigabytes per second. The Akamai/Prolexic study found peak bandwidth bombardment of 7.76 gigabytes per second in the second quarter, off from 9.7 gigabytes per second in the first quarter but close to double the average peak in the second quarter of 2013, 4.5 gbps.

"Over the last five years, attacks have increased in size, not only in the size of the packets but also the packets per second," said Christopher Porter, managing principal of the Verizon Cyber Intelligence Center.

At the same time, the duration of the typical attack has shortened, researchers say. According to the Akamai/Prolexic report, the average attack lasts 17 hours.

One reason for the increased size of these attacks is the use of "amplification" techniques.

In an amplification attack, an attacker sends multiple servers a communication that appears to come from the victim's IP address, and the response back is larger, sometimes thousands of times larger, than the original message.

"It causes all sorts of havoc, especially as it converges down to the intended victim," Porter said. "It is coming from several different service providers, and as it gets closer to the intended victim, the sizes of those attacks get to be large. So there's usually a lot of collateral damage in those types of attacks. It's not just the victim that gets hit, because the closest gateway router to them may have 100 customers sitting on it, and that whole router could get overwhelmed."

These types of attacks are not new. But researchers found more of them in the first half of this year than in previous years. Attackers also recently began manipulating Network Time Protocol servers, which are used to synchronize computers in a network, where previously they mainly used domain name servers.

"If you do that for a lot of open NTP servers out there, you can create some havoc," Porter said. Some organizations have begun scanning for open NTP servers and working with the servers' owners to change their configurations so they're not vulnerable to this type of attack.

DDoS perpetrators have also taken advantage of cloud-based services, such as the WordPress content management system, to improve the effectiveness of their attacks. Bloggers who use such services aren't always conscientious about upgrading their software. Attackers know this and take advantage by infecting the users' computers and making them part of their botnets — networks of compromised computers used to launch attacks.

And attackers continue to incorporate more powerful computers in their botnets.

"Several years ago, DDoS attacks were mostly botnets on desktops, and those desktops had limited bandwidth because they were using DSL lines or limited cable modems," Porter said. But a new breed of game-changing "brobots" harness compromised web servers sitting in data centers that have massive amounts of bandwidth and computing power.

As consumers get higher bandwidth Internet service at home, the potency of botnets using home computers will increase, Porter said.

DEEP POCKETS

DDoS attackers show increasingly adaptive behavior. They continuously monitor the effectiveness of their attacks while underway, and then change attack techniques to work around applied mitigation strategies.

"The attackers research the possible defenses the target has, and based on that they will craft their payload," Soto said.

Attackers have resources and skills that are not available to low-level criminals, he said. "There are indications, at least during the very large campaigns against financial institutions, that nation-states are behind them."

In the DDoS underground, the state-backed hackers who took down many banks' websites in the fall of 2012 during Operation Ababil were considered a great success, Soto said. This was largely because of the media attention they received, as well as the fact that they were able to announce a target and then take it down as promised. Other states have tried to imitate this behavior, Soto said.

"If you look at the Department of Homeland Security's 16 critical infrastructure sectors, financial services is one of them," Soto pointed out. "If you're able to exert enough damage, where people cannot do their operations, that's pretty bad, that could have a crippling effect and cause panic as well."

And the brobot used in the Al Qassam Cyber Fighters' Operation Ababil, once thought to be defeated, "has been surreptitiously maintained, in some cases by changing the names and locations of attack files on the hosts," the Akamai/Prolexic report stated. It's been used in two attacks this year.