Monday is still the busiest day of the week for DDoS attacks, with Thursday replacing Tuesday as the second most-active day.
According to Kaspersky Lab’s DDoS intelligence report covering the first quarter of 2016, 74 countries were targeted by DDoS attacks, with China, South Korea and the the United States as the top three most-targeted countries. There was slight drop in the percentage of attacks targeting resources in the U.S.
SYN, TCP and HTTP were the top three most-popular DDoS attack methods in Q1.
Most botnet attacks are launched from Windows, 55.5 percent in Q1 2016, compared to 44.5 percent being Linux-based attacks. South Korea still has the most C&C servers, followed by China, “other,” U.S., Russia, a tie by Great Britain and the Netherlands, followed by France.
There was a decrease in Q1 for the longest DDoS attack; it lasted for 197 hours, or 8.2 days, compared to 333 hours, or 13.9 days, for the longest attack in Q4 2015. Seventy percent of attacks last for no more than four hours. The peak number of attacks in one day during Q1 was 1,272. There was an increase to 33 DDoS attacks on a single target.
Although the largest ever confirmed DDoS attack was in 2015 at 450-500 Gbps, the report suggested the record was topped this year by attacks on Donald Trump’s election campaign site. Unconfirmed sources clocked the DDoS attack at 602 Gbps.
One interesting aspect of the report deals with DDoS attacks on security companies, and it wasn’t the part about firms specializing in countering DDoS attacks having frequently been hit by them. It was the fact that cyber thugs are attacking IT security company websites as a “test bed, i.e. to test new methods and tools.” Taking what it has learned into account, Kaspersky then predicted future trends for DDoS.
Trends for DDoS attacks
Although there were slightly fewer amplification attacks, “their maximum strength has increased fourfold.” UDP amplification attacks are described as relatively easy for cyber thugs to perform. They can be “very powerful with a relatively small bonnet,” and detecting the source can be “extremely difficult,” but Kaspersky said “they will gradually disappear.” ISP and security companies have become so good at combatting these attacks that amplification attacks on a Data Link Layer are increasingly less effective and less profitable for criminals.
Instead, the “cream of the cybercriminal community” are returning to attacks at the application-layer. Kaspersky Lab said it combatted more HTTP(s) attacks in Q1 than during the entirety of 2015. Kaspersky said application-layer attacks, as well as multi-layer attacks using hardware with app-layer attacks, will continue to grow.
The report states:
To execute application-layer attacks on web services, large botnets or several high-performance servers and a wide output channel are required, as well as thorough preparatory work to study the target and find its vulnerabilities. Without this, they are ineffective. If the application-layer attack is carried out properly, it is difficult to counter it without blocking access to legitimate users—malicious requests look authentic and every bot faithfully fulfills the connection procedure. The only anomaly is the high demand for the service. We registered these sorts of attempts in the first quarter. This suggests that the DDoS market has developed so that complex, expensive attacks are becoming cost-effective, and better qualified cybercriminals are trying to make money using them.
Moreover, there is a real danger of these methods being used by cybercriminals en masse—the more popular the technique, the more tools are offered for it on the black market. And if application-layer attacks really do become widespread, we should expect to see a growth in the number of customers for this type of DDoS attack and more competent attackers.
The report touched on the Linux Mint Cinnamon hack, when the ISO was modified by an attacker with malicious code used in DDoS attacks, as well the continued use of pingback attacks on WordPress. If a WordPress site has enabled the pingback function, it can “attract the attention of cybercriminals and helps perform DDoS attacks at the application layer.”
Additionally, cyber thugs are more frequently using the DNSSEC protocol to carry out DDoS attacks. The report explained, “The protocol is intended to minimize DNS spoofing attacks, but besides the domain data, a standard DNSSEC reply also contains additional authentication information. Thus, unlike a standard DNS reply of 512 bytes, the DNSSEC reply comes to about 4096 bytes. Attackers exploit this feature to perform amplification DDoS attacks. They usually use domains in the government zone .gov, because in the U.S. such domains are required by law to maintain DNSSEC.”
Kaspersky concluded, “With the spread of vulnerable devices and workstations and the abundance of configuration drawbacks at the application level, the cost of a significant attack is going down. Therefore, reliable protection is needed to ensure these attacks are financially unviable for the criminals.”