There were nearly double the number of DDoS attacks this year and half of those used multi-vector attacks. There was a 200% increase in the number of 100Gbps-plus attacks from a year ago and each DDoS attack lasted 28% longer, according to analysis by Akamai's Prolexic Security Engineering and Research Team (PLXsert). DDoS-for-hire services are thriving, so much so, that it helped non-techie attackers launch attacks.
“An incredible number of DDoS attacks occurred in the fourth quarter, almost double what we observed in Q4 a year ago," said John Summers, vice president of Akamai’s Cloud Security Business Unit. Akamai said it mitigated nine attacks that exceeded 100 Gbps; there was a 52% percent increase in average peak bandwidth of DDoS attacks compared to Q4 2013.
More percentages and comparisons for Q4 2014 and Q4 2013 were published in Akamai Technologies Q4 2014 State of the Internet Security Report (pdf).
Akamai analysis found that UDP-based attacks were the most common, whereas the most utilized protocol for reflection tactics were NTP, CHARGEN and SSDP. Regarding the sharp 57% increase in DDoS attacks from a year ago, Dave Lewis, Global Security Advocate for Akamai Technologies, explained that one of the main reasons was a “241% increase in the number of attacks that leveraged SSDP floods.” He added:
What, might you ask, is SSDP? This stands for Simple Service Discovery Protocol. This is a service that can be used by attackers to reflect traffic against a target in a DDoS attack. Attackers can amplify the signal of their attack bringing a larger amount of attack traffic against the target than they could otherwise based on the volume of just attacking nodes. SSDP is commonly found in devices using Universal Plug and Play (UPnP). The largest attack that was witnessed in this instance was one that reached 106 Gbps of malicious traffic.
“This is an example of what can happen with poorly configured, or worse, devices with no security controls that are rolled out as a component of the Internet of Things (Iot),” Lewis added. “As the Internet of Things continues to increase we will see more opportunities for attackers to leverage devices to increase the size and scope of their botnets.”
US was the country responsible for the most DDoS traffic in Q4
The United States was the worst offender and Russia was the best when it comes to the 'whodunnit' department.
The US was named as the top source country responsible for DDoS traffic, 31.54%. China was next with 17.61%; together, the US and China responsible for nearly half of all attack traffic in Q4. Germany was next at 12%, followed by 11.69% from Mexico, 7.64% from France, 4.31% from India, 4.12% from Spain, 3.8% from the UK, 3.65% from Korea and 3.64% from Russia.
Gaming, then software and tech industries were the most attacked in Q4
Akamai said it mitigated the most DDoS attacks during the last two weeks of December; comparing the last week of December 2014 to the last week in 2013, there was 1,110% increase in attacks. The Christmas DDoS against Microsoft Xbox Live and the Sony PlayStation Network pushed the gaming industry to the top of most-attacked list. In fact, “the last four attacks that reached 100+ Gbps all targeted the gaming industry.” The Akamai report stated, “Another trend was the holding of networks hostage, where the owners were asked to pay a small ransom to stop a DDoS attack.”
While the gaming industry experienced 35.33% of all DDoS attacks in Q4, software and technology companies were the second most targeted industry and were hit with 26.58% of attacks. Although the percentage is less, software and technology industries that provide serious like cloud-based tech and Software-as-a-Service (SaaS) had the biggest surge in attack rates, up 7% from Q3.
Most targeted application layer in Q4
While 10.31% DDoS attacks targeted the application layer in Q4, infrastructure attacks made up 89.69% of all attack vectors.
“Attackers’ preference for volumetric infrastructure-based attacks may be due to ease of execution: Internet infrastructure is growing. Surging economies and millions of Internet-enabled devices are being added worldwide, making new resources available for exploitation, botnet building and DDoS attacks. Infrastructure-based attack resources are plentiful.”
DDoS-for-hire attack innovation
“DDoS-for-hire booter suites took a low-investment approach by tapping into reflection-based DDoS attacks,” stated the press release about Akamai Technologies Q4 2014 State of the Internet Security Report. About “40% of all DDoS attacks used reflection techniques, which rely on Internet protocols that respond with more traffic than they receive and do not require an attacker to gain control over the server or device.”
The market for DDoS-for-hire services sometimes referred to as stressors or booters “promoted multi-vector campaigns as the competitive market drove attack innovation.” There were 88% more multi-vector attacks this quarter than in Q4 2013. More than 44% of all attacks used multiple attack vectors.
“The expansion of the Internet infrastructure, the addition of millions of potentially exploitable Internet-enabled devices and the steady discovery and disclosure of signification vulnerabilities in web applications has driven mass exploitation and botnet building.” Those factors are expanding the “DDoS threatscape.” Looking forward, Akamai said a flourishing DDoS-for-hire market will result in “attack innovation.”
DDoS trends, Akamai said, will “include more attacks, the common use of multi-vector campaigns, the availability of booter services and the low cost of a DDoS campaign that can take down a typical business or organization. The expansion of the DDoS-for-hire market may result in the commoditization of DDoS attacks, where availability drives down prices, which grows the market. DDoS may become a common tool for even non-technical criminals.”