Thought leadership. threat analysis, news and alerts.
Amazon Records 2.3 Tbps DDoS Attack, Largest To Date
Amazon recently revealed that it detected and mitigated the largest distributed denial-of-service (DDoS) attack to date, targeting one of Amazon Web Services (AWS) customers.
In the "AWS Shield Threat Landscape Report – Q1 2020", Amazon said its threat protection service called "AWS Shield" detected and mitigated a DDoS attack in one of AWS customers with a previously unseen volume of 2.3 Tbps (terabytes per second). TBps refers to a data transmission rate equivalent to 1,000 gigabytes or 1,000,000,000,000 bytes per second.
In March 2018, NETSCOUT Arbor reported that it detected and mitigated the previous record holder for the largest DDoS attack which peaked at 1.7 Tbps, an attack targeted at a customer of a U.S. based service provider. The 1.7 Tbps DDoS attack came just heels after the previous record holder of the largest DDoS attack – an attack that specifically targeted GitHub in February 2018.
The AWS DDoS Attack
In a DDoS attack, multiple computers act as one unit to attack one target. Attackers often hijack and take control of vulnerable computers for the purpose of DDoS attacks by taking advantage of the security vulnerabilities or misconfigurations on these computers.
According to Amazon, the DDoS attack that targeted one of the company's AWS customers "caused 3 days of elevated threat during a single week in February 2020 before subsiding". Amazon said that the unnamed DDoS attacker or attackers utilized an amplification technique that takes advantage of the Connectionless Lightweight Directory Access Protocol (CLDAP) in launching the DDoS attack.
CLDAP is a cross-platform protocol and often used on Microsoft Active Directory networks to retrieve server information. From October 2016 to January 2017, Akamai reported that it detected and mitigated a total of 50 CLDAP reflection attacks, 33 of which exclusively used CLDAP reflection.
On January 7, 2017, Akamai said it detected and mitigated the largest DDoS attack using CLDAP reflection as the sole vector at the time, reaching peak bandwidth of 24 gigabytes per second (GBps), and peak packets per second of 2 million packets per second. Akamai added that the CLDAP protocol allows DDoS attacks to amplify 56 to 70 times.
"The query payload is only 52 bytes ...," Akamai said regarding thisJanuary 7, 2017 CLDAP reflection DDoS attack. "This means that, the Base Amplification Factor (baf) for the attack data payload of 3,662 bytes, and a query payload of 52 bytes, was 70x, although only one host was revealed to exhibit that response size. Post attack analysis showed that the average amplification during this attack was 56.89x."
The DDoS attack detected and mitigated by NETSCOUT Arbor and the DDoS attack on GitHub in 2018, meanwhile, were launched by taking advantage of internet-exposed Memcached protocol – a general-purpose distributed memory-caching system. Attack vectors of the topmost DDoS attacks are often used by DDoS-for-hire services in launching DDoS attacks.
In the case of the DDoS attack on GitHub, the amplification factor reached up to 51 times, which means that for each byte sent by the DDoS attacker, up to 51KB is sent toward the target. At the time of the GitHub DDoS attack, Shodan – a search engine that allows users to find specific types of computers connected to the internet using filters – reported 88,000 internet-exposed memcached servers.
In 2018, DDoS-for-hire services took advantage of the close to 100,000 memcached servers exposed to the internet. Since 2016 also, DDoS-for-hire services have been taking advantage of exposed CLDAP protocol.
In taking advantage of vulnerable computers with higher amplification or reflection factor, significant attack bandwidth can be produced with fewer compromised computers. Taking advantage of servers using CLDAP protocol and memcached protocol for reflection/amplification DDoS attacks work the same by sending spoofed requests to a vulnerable server, which then responds with a larger amount of data than the initial spoofed request, amplifying the volume of traffic.
Preventive and Mitigating Measures Against DDoS Attacks
DDoS attacks that are taking advantage of the CLDAP protocol start with servers that are exposed to the internet with port 389 open and listening. DDoS attackers simply scan the internet for these open port 389 and add these to a list of amplifiers or reflectors.
Don't be a part of the bigger DDoS reflection/amplification problem. If your organization doesn't need the CLDAP protocol, close this DDoS amplification egress by not exposing this protocol to the internet, that is, by blocking port 389. In the case of DDoS attacks taking advantage of exposed memcached servers, one of the prevented measures in preventing attackers in hijacking memcached servers for DDoS attacks is by disabling UDP.
Most often, however, DDoS attacks don’t reach the terabyte. According to Amazon, most of the DDoS events involving CLDAP protocol in the first quarter of 2020 was 43 Gbps.
While many DDoS attacks are non-terabyte attacks, such attacks still disrupt normal business operations and denying legitimate users access to victims’ IT infrastructure. Imperva’s 2019 Global DDoS Threat Landscape Report showed that most DDoS attacks were short, with 51% lasting less than 15 minutes. While most DDoS attacks were short, Imperva reported that the vast majority of DDoS attacks were persistent and aimed at the same targets. “Attackers either launched DDoS assaults in short streaks – two-thirds of targets were attacked up to five times – or were ultra-persistent, with a quarter of targets attacked 10 times or more,” Imperva reported.
DDoS Attacks Accelerate Amid the COVID-19 Pandemic, Reports Show
Since the start of the global COVID-19 pandemic, reports show that distributed denial of service (DDoS) attacks have accelerated.
A report from NETSCOUT Arbor showed that DDoS attack count and bandwidth have all seen significant increases since the start of the global COVID-19 pandemic. From March 11th to April 11th of 2020, NETSCOUT reported that it observed more than 864,000 DDoS attacks – the single largest number of DDoS attacks that the organization had seen over any other 31-day period to date.
The number of DDoS attacks during the March 11th to April 11th of 2020, NETSCOUT Arbor said surpassed that of the DDoS count during the December 2019 holiday period which peaked at 751,000. From November 11th of 2019 to March 11th of 2020, NETSCOUT Arbor reported that it observed an average of 735,000 DDoS attacks per month.
According to NETSCOUT Arbor, while terabit-class DDoS attacks make the headlines, the most significant DDoS-related metric goes to the sheer amount of bandwidth (bps) and throughput (pps) consumed by DDoS attacks. From March 11th to April 11th of 2020, NETSCOUT Arbor reported that it observed a whopping 1.01 pbps and 208 gpps of aggregate DDoS attack traffic. This aggregate DDoS attack traffic, NETSCOUT Arbor said represents a 14% increase in attack bps and a 31% increase in attack pps.
Imperva’s March 2020 Cyber Threat Index Report, meanwhile, revealed that for the month of March 2020, DDoS attacks on financial, food and beverage industries across multiple countries spiked amid the COVID-19 pandemic. According to Imperva, websites in the food & beverage industry experienced more attacks, with 6% increase in DDoS attacks.
DDoS attacks in the food & beverage industry in Germany, Imperva reported, spiked by 125%. Earlier, on March 19, 2020, Takeaway.com, one of the leading online food delivery marketplace that connects consumers and restaurants in several European countries, including Germany reported that one of its websites was under DDoS. Jitse Groen, Founder and CEO of Takeaway.com revealed via Twitter that the DDoS attacker or attackers demanded 2 bitcoins (valued nearly USD 14,000 at the time of the demand) for the DDoS attack to stop. The attackers also threatened to launch a DDoS attack on the company’s other website.
Imperva added that it also observed an increased volume of DDoS attacks on the financial industry globally, with 3% increase. DDoS attacks in the financial industry in Italy (+44%), UK (+21%) and Spain (+18%) were notably larger, Imperva said.
“With attacks on the rise in the food and beverage and financial services industries, companies need to employ effective security strategies to balance the new load of traffic to their websites and mitigate new risks,” Nadav Avital, head of security research at Imperva, said.
Biggest DDoS Attack Ever Recorded
On February 28, 2020, GitHub – a website that allows software developers to store and manage their software code – was unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC due to a DDoS attack.
According to GitHub, the DDoS attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. The DDoS attack peaked at 1.35Tbps via 126.9 million packets per second, GitHub said.
GitHub added that the DDoS attackers specifically used the memcached-based approach. Cloudflare describes memcached DDoS this way: “A memcached distributed denial-of-service (DDoS) attack is a type of cyber-attack in which an attacker attempts to overload a targeted victim with internet traffic. The attacker spoofs requests to a vulnerable UDP memcached server, which then floods a targeted victim with internet traffic, potentially overwhelming the victim’s resources. While the target’s internet infrastructure is overloaded, new requests cannot be processed and regular traffic is unable to access the internet resource, resulting in denial-of-service.”
DDoS Protection Amid the COVID-19 Pandemic
COVID-19 was declared by the World Health Organization (WHO) as a pandemic on March 11, 2020. Since then, quarantine sites in many parts of the world were ordered, giving the global community a new normal: staying at home. As people are mandated to stay at home, online communication has become a lifeline for many people to work, shop and study online.
With the rise of internet traffic, organizations can mistakenly believe that all traffic comes from legitimate sources. Not all internet traffic, however, come legitimate sources as an increase in internet traffic could be a sign of a DDoS attack.
Signs of a DDoS attack resemble that of a typical legitimate internet traffic, including unusually slow in opening a file or accessing a website; unavailability of a website; or inability to access a website. DDoS campaigns can last from minutes to hours, while others can go on for months and even for years.
It’s important to be able to distinguish between a legitimate traffic from a DDoS attack. At the outset, malicious traffic can be detected and identified via firewall or intrusion detection system. Signs of malicious network traffic include traffic from an unusual geographical location or suspicious IP addresses.
It’s also important to note that DDoS attacks could simply be a simple diversionary tactic used by attackers to hide their main intention of conducting other malicious activities in your organization’s network.
Speak with our experts today to mitigate the DDoS risks. Protect you most valuable assets and keep cybercriminals at bay.
DDoS Attacks Are Getting Smaller, Shorter & More Persistent, Study Shows
A recent study released by Imperva showed that DDoS attacks are getting smaller, shorter and more persistent – a trend that shows that attackers are hoping to cause great damage before the activation of DDoS mitigating measures.
What Is DDoS Attack?
DDoS, short for distributed denial-of-service, is a type of cyber-attack in which multiple computers operate together as one to attack a target, for instance, a particular website.
Attackers typically use botnets to carry out DDoS attacks. A botnet is a group of internet-connected computers that are hijacked by malicious actors. These hijacked computers are then controlled by attackers as one “zombie army” to attack a chosen target.
There are two general types of DDoS attacks, the network layer attack and application layer attack. In network layer DDoS attacks, malicious actors “clog the pipelines” connecting to the target network, resulting in severe operational damages, such as account suspension. In application layer DDoS attacks, malicious actors flood a target application with seemingly innocent requests, resulting in high CPU and memory usage leading to the eventual hanging or crashing of the targeted application.
In network layer DDoS attack, the attack is measured by gigabits per second (Gbps) or packets per second (PPS), while in application layer DDoS attack, the attack is measured by requests per second (RPS). Most mid-sized websites can be crippled by 50 to 100 RPS application layer DDoS attacks, and most network infrastructures can be shut down by 20 to 40 Gbps network layer DDoS attacks.
Prevalence of DDoS Attacks
“Overall, we saw attacks that were smaller, shorter, and more persistent,” Imperva said in the company’s 2019 Global DDoS Threat Landscape Report. The company said that this trend “may be indicative of attackers’ attempts to wreak havoc before a mitigation service kicks in”.
Imperva reported that most DDoS attacks in 2019 were short, with 51% lasting less than 15 minutes. The report also showed that DDoS attacks in 2019 were conducted in short streaks, with two-thirds of targets attacked up to five times and a quarter of targets attacked 10 times or more.
Imperva added that while the norm of DDoS attacks in 2019 was small, the company recorded the largest network layer DDoS attack and application layer DDoS attack. The company said it recorded a network layer DDoS attack that reached 580 million packets per second (PPS), and a separate application layer DDoS attack which lasted for 13 days and peaked at 292,000 Requests Per Second (RPS).
According to Imperva, the top attacked industries in 2019 were games (35.92%), gambling (31.25%), computers and internet (26.51%), business (3.37%) and finance (2.95%); while the top attacked territories were India (22.57%), Taiwan (14.79%), Hong Kong (12.23%), Philippines (11.36%) and United States (8.73%). In 2019, Imperva said application layer attack requests overwhelmingly came from the Philippines and China. The company, however, noted, “Those source origination points were notedly the location of the machines used to carry out the attacks, not necessarily the location of the attackers themselves.”
The Role of Botnets
Imperva’s analysis of the largest application layer DDoS attack which lasted for 13 days and peaked at 292,000 Requests Per Second (RPS) showed that most of the IPs had the same opened ports: 2000 and 7547. The Mirai botnet has been known to target IoT devices exposed to the internet via TCP port 2000 and 7547.
The Mirai botnet was first observed in the wild in 2016. This botnet hijacked IoT devices via factory default usernames and passwords. The release of the Mirai’s source code on September 30, 2016 resulted in the development of new versions of Mirai, with some versions targeting different vendors of IoT devices and some adding new functionalities.
The DDoS attack on the domain name service (DNS) provider Dyn on October 21, 2016 was attributed to the Mirai botnet. The DDoS attack on Dyn resulted in temporarily bringing down America’s top websites such as Twitter, Netflix and Reddit.
In the 4th quarter of 2019, researchers at 360 Netlab reported 2 new botnets: Roboto and Mozi. In November 2019, 360Netlab researchers reported that Roboto attacks Linux servers via CVE-2019-15107, a security vulnerability in the Webmin remote administration application. While Roboto has DDoS capability, the researchers said, there’s no evidence yet that a DDoS attack has been launched by this botnet.
In December 2019, researchers at 360 Netlab reported that Mozi attacks IoT devices, exploiting a handful of security vulnerabilities, including CVE-2014-8361, a security vulnerability in Realtek routers that allows remote attackers to execute arbitrary code, and CVE-2018-10562, a security vulnerability in GPON routers in which the router saves ping results, enabling attackers to execute commands and retrieve their outputs.
While a typical DDoS botnet operates using a command-and-control (C2) server – a computer controlled by an attacker to send malicious commands to infected computers, both Roboto and Mozi rely on peer-to-peer (P2) networks. In P2 networks, decentralized networks of infected computers or “bots” communicate with one another, instead of communicating with a centralized command-and-control server.
The of use P2 networks by cyber criminals isn’t a new thing. For years, attackers have used P2 networks from stealing data to sending malicious commands. P2 networks have been used by attackers to evade the efforts to take down C2 servers. Authorities such as the FBI and technology companies have had success in shutting down botnets that rely on C2 servers to steal data or send malicious commands. By taking down a C2 server, the zombie army or hijacked computers are rendered useless.
Would you like to learn more and see how to protect your organization and mitigate DDoS attacks in under 10-minutes, with no hardware or software to buy or install?
Recent DDoS Attacks Leverage TCP Amplification
A recent report from Radware showed that attackers over the past month have been leveraging TCP amplification in launching distributed denial-of-service (DDoS) attacks.
What Is TCP Amplification?
TCP amplification is one of the lesser-known ways attackers perform DDoS attacks. In a DDoS attack, multiple computers are operating together to attack a particular target, for instance, a website.
TCP is a set of rules that’s applied whenever computers connected to the internet try to communicate with one another, enabling them to transmit and receive data. With TCP, connection is only established with a three-way-handshake, also known as SYN, SYN-ACK, and ACK. During the three-way-handshake, the IP addresses of both communication parties are veriﬁed via random sequence numbers.
1. SYN (Synchronize)
This first handshake happens when computer X, for instance, sends a message containing a random sequence number to another computer, let’s call this computer Z.
2. SYN-ACK (Synchronize-Acknowledge)
This second handshake happens when computer Z responds via an acknowledgment number and a random sequence number.
3. ACK (Acknowledge)
This third handshake happens when computer X completes the connection setup by sending a ﬁnal acknowledgment to computer Z via a sequence number and acknowledgment number.
Ampliﬁcation DDoS attack, meanwhile, refers to an attack in which an attacker doesn’t directly send trafﬁc to the ultimate target but rather sends spoofed network packets to a large number of devices, also known as reflectors or ampliﬁers. Attackers often use ampliﬁers that send back responses that are significantly larger than the requests, resulting in an increased or ampliﬁed attack volume. TCP was initially thought to be immune from amplification attacks due to its three-way-handshake.
TCP’s vulnerability to amplification attacks was reported back in 2014. In the paper “Exit from Hell? Reducing the Impact of Ampliﬁcation DDoS Attacks”, researchers at Ruhr-University Bochum demonstrated that even with the three-way-handshake TCP is still vulnerable to ampliﬁcation DDoS attacks. According to the researchers, TCP is vulnerable to ampliﬁcation DDoS attacks as SYN/ACK segments are resent until connection is successfully established, connection times out, or connection is manually closed.
Resending of SYN/ACK segments, the researchers said, overloads the capacity of the victim’s network. “In face of ampliﬁcation attacks, this is problematic, as the client’s IP address is not validated until the handshake is complete,” the researchers said.
In this 2014 study, the researchers showed that hundreds of thousands of devices, mostly business and consumer routing devices, were vulnerable to be abused for ampliﬁcation DDoS attacks as these devices repeatedly sent up to 20 SYN/ACK packets in response.
In the follow-up paper "Hell of a Handshake: Abusing TCP for Reflective Amplification DDoS Attacks", researchers at Ruhr-University Bochum identified thousands of TCP-based protocols that allow amplification of factor 50 times and higher. In this follow-up paper, the researchers also identified more than 4.8 million devices vulnerable to an average ampliﬁcation factor of 112 times. They also identiﬁed thousands of devices that can be abused for ampliﬁcation up to a factor of almost 80,000 times, reﬂecting more than 5,000 packets within 60 seconds and causing a serious impact on a victim’s network.
From the viewpoint of the attackers, the researchers said, abusing TCP brings multiple beneﬁts as there are millions of potential TCP ampliﬁers out there and ﬁxing them is an “infeasible operation”. According to the researchers, the root cause of the ampliﬁcation DDoS attacks is IP address spooﬁng which "enables attackers to specify arbitrary targets that are ﬂooded with reﬂected trafﬁc”.
TCP Amplification Attacks + Carpet Bombing
Radware reported that last month, European sports gambling website Eurobet experienced TCP amplification attacks that lasted for nearly 30 days. Radware also reported that last month, Turkish financial services company Garanti experienced TCP amplification attacks.
In the case of TCP amplification attacks on Garanti, Radware said, "In a period of 24 hours, millions of TCP-SYN packets from nearly 7,000 distinct source IP addresses part of AS12903 (Garanti Bilisim Teknolojisi ve Ticaret TR.A.S.) were sensed globally and specifically targeting ports 22, 25, 53, 80 and 443.”
According to Radware, TCP amplification attacks are combined with a technique called “carpet bombing”. Carpet bombing attack is a type of DDoS attack where instead of focusing the attack on a single IP, random IP addresses of the victim’s network are attacked. Radware reported that over the last few months, carpet bombing has been used in a number of attacks against South African internet service providers (ISPs).
Impacts, Preventive and Mitigating Measures
By leveraging carpet bombing technique, attackers increase the attack surface; and by leveraging TCP amplification, attackers increase the hit rate onto the victim’s services. For now, however, carpet bombing has been predominantly used against ISPs.
While the recent TCP amplification attacks targeted large organizations, the victims of these attacks also include small organizations and homeowners who owned devices used for the TCP amplification attacks. As the main targets of TCP amplification attacks were overwhelmed by traffic and suffered outages as a consequence, the devices used in the TCP amplification attacks – those that processed the spoofed requests and legitimate replies from the main target of the DDoS – also experienced spikes in traffic, resulting in outages.
IP blacklisting is one of the options in preventing DDoS attacks. In the case of TCP amplification attacks that rely on IP address spooﬁng, IP blacklisting has some pros and cons.
One of the disadvantages of IP blacklisting in TCP amplification attacks is that legitimate users could be affected by this blacklisting as malicious actors could mimic their IP address.
Speak with our expert team today and prevent and mitigate denial of service attacks with iron-clad guarantees. No equipment to purchase, install or maintain.
Schedule a consultation today and protect your organization.
Wikipedia and World of Warcraft Classic Targeted for DDoS Attacks
Distributed denial-of-service (DDoS) again made the headlines over the weekend with the attacks on the popular online encyclopedia Wikipedia and popular online role-playing game World of Warcraft Classic. These latest incidents show that malicious actors are continually targeting vulnerable devices and online services for DDoS attacks.
In a statement released last September 7, Wikimedia Foundation, said that Wikipedia was hit with a “malicious attack”, making the site inaccessible to site visitors in several countries for intermittent periods. Wikimedia Deutschland, meanwhile, outrightly called the attack as “DDoS attack”, announcing via its Twitter account that Wikimedia servers, on which Wikipedia is also hosted, are being “paralyzed by a massive and very broad DDoS attack”.
According to the report by the civil society group NetBlocks, Wikipedia became intermittently unavailable as of approximately 6:00 p.m. UTC September 6, 2019 and at 1:30 a.m. UTC, the attack extended to a near-total outage in the United States and much of the world, continuing up until 2:40 a.m. UTC.
Last September 7 also, Blizzard Entertainment, owner of the World of Warcraft Classic, via its Twitter account said, “Some online services continue to be impacted by a series of DDoS attacks which are resulting in high latency and disconnections.”
It isn’t yet confirmed whether the DDoS attacks on Wikipedia and World of Warcraft Classic are related. A Twitter account claiming responsibility on the DDoS attacks on Wikipedia and World of Warcraft Classic was taken down by Twitter.
DDoS Attacks Prevalence
Wikipedia and Blizzard Entertainment are no stranger to DDoS attacks. On May 15, 2019, NetBlocksreported that Wikipedia became temporarily unavailable internationally. NetBlocks said that its global internet observatory data showed that the incident wasn’t related to filtering or blocking, and was rather likely caused by a DDoS attack.
NetBlocks said that DDoS attacks are distinct from state filtering or blocking, as these attacks have broader international impact but typically last for short periods. Wikipedia is totally blocked in Turkey, is varyingly restricted in China, and was briefly filtered in Venezuela early this year.
In August 2017, meanwhile, Blizzard Entertainmentreported another set of DDoS attacks on its networks. No person or group has taken responsibility for the 2017 DDoS attacks on Blizzard Entertainment and May 2019 incident on Wikipedia.
Real-time gaming networks have been favorite DDoS targets by malicious actors. In August 2014, Sony’s PlayStationnetworks were taken offline as a result of a DDoS attack. The threat group called “Lizard Squad” claimed responsibility over the Sony’s PlayStation networks DDoS attack.
KrebsOnSecurityreported that Lizard Squad controlled a botnet comprised of hacked home routers and commercial routers at universities and companies from around the globe. A botnet is a group of computers infected with the same malicious software (malware) and controlled by a threat actor or actors for the purpose of conducting malicious activities such as DDoS attacks. KrebsOnSecurity reported the botnet controlled by Lizard Squad group drew internet bandwidth from routers around the globe by exploiting the use of factory-default usernames and passwords.
The Mirai botnet, a much bigger botnet, which at its height controlled hundreds of thousands of IoT devices such as routers and CCTV cameras, brought down a big chunk of the internet for most of the U.S. east coast as a result of the DDoS attack on Dyn, an internet infrastructure company.
The recent Wikipedia DDoS attack, according to NetBlocks, is understood to have been amplified through insecure devices.
Prevention and Mitigation
In a DDoS attack, both the owners of computers or Internet of Things (IoT) devices and owners of targeted online services play an important role. IoT, such as routers, small as they are, are also computers. Owners of these devices, however, don’t view these devices like typical computers such as laptops, with many owners leaving these devices vulnerable to attacks by opting to use the default-factory login details.
The threat of DDoS attack is real as malicious actors have the technology to control not just IoT devices but ordinary computers as well. French authorities and antivirus solution provider Avastrecently took down the botnet called “Retadup”, which controlled nearly a million computers worldwide. It isn’t yet known how the Retadup malware initially infected these nearly one million computers.
In an ideal world, owners of IoT devices and internet-facing desktop or laptop computers have the responsibility to protect these computers from being used as an army for DDoS attacks by practicing basic cyber hygiene such as changing default-factory usernames and passwords and by applying the latest security updates.
DDoS protection is all the more important in organizations that rely on providing online services. While your organization may have no control over the cyber hygiene of other IoT devices, desktop and laptop users, your organization can undertake cyber security measures in order to mitigate the effects of DDoS attacks.
Mitigating measures against DDoS attacks are broadly categorized into do-it-yourself (DIY) methods, on-premise mitigation appliances and off-premise cloud-based solutions. DIY methods, such as manual IP blacklisting, is often a reactionary measure in response to a successful first DDoS attack that already caused hours of downtime.
On-premise mitigation appliances refer to hardware appliances deployed inside a network and placed in front of protected servers. Compared to DIY methods, on-premise mitigation appliances have advanced traffic filtering capabilities such as geo-blocking, rate limiting, IP reputation and signature identification.
Off-premise cloud-based solutions, meanwhile, offer virtually limitless scalability and don’t require investment in security personnel or expenses for DIY solutions and on-premise hardware.
Connect with our web application securityexperts and protect your mission critical infrastructure in less than 10-minutes.
Largest DDoS Attack by Packet Volume Unleashed
Cybersecurity software company Imperva recently uncovered the largest distributed denial-of-service (DDoS) attack by packet volume.
According to Imperva, in early January, this year, the company’s DDoS protection service mitigated a DDoS attack against one of its clients which unleashed more than 500 million packets per second. This DDoS attack unleashed the most packets per second ever recorded.
What Is Packets Per Second (PPS)?
Packets per second (PPS) measures the forwarding rate – referring to the number of network packets that can be processed by networking equipment such as a router. Forwarding rate is often confused with throughput rate, also known as bandwidth.
Throughput rate refers to the amount of data that can travel through your internet connection. While forwarding rate is measured by PPS, throughput rate is measured by bits per second (bps) or Gigabits per second (Gbps).
In layman’s terms, throughput rate can be likened to the weight capacity of an elevator, while the forwarding rate can be likened to the maximum number of people permitted inside the elevator. Similar to humans, network packets come in different sizes and shapes. Similar to the difficulty of knowing how many people will fit into an elevator due to the differences in sizes and shapes, there are no real means of knowing how many network packets make a gigabit.
Protocol DDoS Attacks versus Volumetric DDoS Attacks
For years, DDoS protection service providers and clients have focused on throughput attacks, also known as volumetric DDoS attacks or bandwidth-intensive attacks. Forwarding attacks, also known as protocol DDoS attacks or PPS attacks, meanwhile, are given less attention.
Protocol DDoS Attacks
Protocol DDoS attack is a type of attack that goes after server resources directly. This type of attack is measured by packets per second (PPS). If the packets-per-second rate is large enough, the server will crash.
One of the ways by which attackers crash servers in a protocol DDoS attack is through syn flood. In a syn flood DDoS, an attacker exploits part of the normal TCP three-way handshake, consuming resources on the targeted server and rendering it unresponsive.
TCP, which stands for transmission control protocol, refers to the protocol which defines how computers send packets of data to each other. The attacker in syn flood DDoS sends TCP connection requests faster than the targeted computer can process them, causing network saturation.
According to Imperva, the syn flood DDoS that the company’s DDoS protection service mitigated in early January, this year was “augmented by a large syn flood (packets of 800-900 bytes)”. Imperva added, “The source ports and addresses of the traffic sent to our customer’s server were highly randomized and probably spoofed.”
Volumetric DDoS Attacks
In a volumetric DDoS attack, an attacker sends voluminous traffic to a site to overwhelm its bandwidth. The DDoS attacks proliferated by Mirai are examples of volumetric DDoS attacks.
Mirai is a malicious software (malware) that infects computers, in particular, internet of things (IoT) devices such as routers, using factory default login and password combinations. The first version of Mirai infected hundreds of thousands of IoT devices using factory default login and password combinations.
Once infected with Mirai malware, these compromised IoT devices are then turned into a botnet – an army of infected IoT devices controlled by an attacker or attackers to conduct malicious activities such as DDoS attacks. The creator of Mirai made the source code of this malware publicly available, enabling others to use this malware for their own means.
According to the UK National Crime Agency (NCA), Daniel Kaye from Egham, Surrey operated his own Mirai botnet, composed of a network of infected Dahua security cameras, to carry out DDoS attacks on Lonestar, the largest Liberian internet provider. The NCA said that the traffic from Kaye’s Mirai botnet was so high in volume that it disabled internet access all over Liberia in November 2016. A UK court recently sentenced Kay to 2 years and 8 months for this cybercrime.
Another way by which attackers launch volumetric DDoS attack is through memcached – a database caching system for speeding up websites and networks. Memcached isn’t supposed to be exposed to the public internet. Arbor Networks, however, reported on February 27, 2018 that many memcached had been deployed worldwide with no authentication protection, leaving them vulnerable for attackers to exploit.
On February 28, 2018, popular code repository GitHubreported that its site was unavailable for few minutes as a result of a memcached-based DDoS attack which peaked at 1.35Tbps via 126.9 million packets per second.
Memcached attack works by sending spoofed requests to vulnerable servers. These vulnerable servers then respond with a larger amount of data than the spoofed requests, magnifying the volume of traffic.
Unlike Mirai which needs to infect vulnerable devices, DDoS attacks using the memcached approach only need to spoof the IP address of their victim and send small queries to multiple memcached servers. According to Akamai, memcached can have an amplification factor of over 500,000, which means that a 203 byte request results in a 100 megabyte response.
How to Prevent DDoS Attacks
While PPS and bandwidth-intensive DDoS attacks are both highly destructive or damaging to victims, in terms of mitigation, these two differ.
In the case of the GitHub DDoS attack, while it was considered as the largest DDoS attack ever at the time, which peaked at 1.35Tbps; the unleashed packets per second, meanwhile, was only 126.9 million – 4 times lesser than the volume of packets in the recent DDoS attack uncovered by Imperva.
"For a DDoS protection or mitigation service, mitigating a high PPS attack can be its Achilles heel, while a bandwidth-intensive attack can be much easier to handle, even with hundreds of gigabits per second, if it is composed of a smaller number of large-sized packets,” Imperva said.
The Driz Group is Imperva’s partner and can help your organization to mitigate DDoS attacks in a matter of minutes. Contact ustoday and protect your infrastructure and sensitive information.
Mirai Botnet Operator Responsible for Cutting Off Internet Access of an Entire Country Jailed
A UK court recently sentenced to 2 years and 8 months 30-year-old Daniel Kaye for operating the Mirai botnet, which resulted in cutting off the internet access of the entire country of Liberia.
Kaye pleaded guilty in carrying out intermittent Distributed Denial of Service (DDoS) attacks on the Liberian telecommunications provider Lonestar MTN. According to Kaye, he was hired by a rival Liberian network provider and paid a monthly retainer to conduct intermittent DDoS attacks on Lonestar.
According to theUK National Crime Agency (NCA), from September 2016, Kaye started operating his own Mirai botnet, composed of a network of infected Dahua security cameras, to carry out intermittent DDoS attacks on Lonestar. In November 2016, the NCA said that the traffic from Kaye’s Mirai botnet was so high in volume that it disabled internet access all over Liberia.
The intermittent DDoS attacks on Lonestar, the NCA added, resulted in revenue loss of tens of millions in US dollars as customers left the network, and cost the company approximately 600,000 USD for remedial cost to prevent the attacks from happening again.
What Is a Mirai Botnet?
Mirai is a malicious software (malware) that infects Internet of Things (IoT) devices, such as video cameras, and turns these infected IoT devices into a botnet – referring to a group of infected computers that’s operated under the control of a cybercriminal to conduct malicious activities such as DDoS attacks.
Mirai first came to public attention on September 20, 2016, when it attacked Brian Krebs’ security blog. The DDoS attack on Krebs’ security blog was considered one of the largest on record at the time. By the end of September 2016, just days after the DDoS attack on Krebs’ security blog, the author of Mirai, using the name “Anna Senpai”, released the source code of Mirai on an online hacking forum. Anna Senpai claimed that 380,000 IoT devices had been infected by the Mirai malware and formed part of the botnet that took down Krebs’ website.
The Mirai source code reveals that this malware continuously scans the internet for IoT devices that use any of the 61-factory default username and password combinations. While 62 username and password combinations are listed on the Mirai source code, there’s one duplication, leaving only 61 unique username and password combinations.
Given that many owners of IoT devices didn’t bother to change factory default usernames and passwords combinations, the Mirai malware easily infected hundreds of thousands of IoT devices and turned them as a botnet for DDoS attacks.
The publication of the Mirai source code on an online forum encouraged other cybercriminals to copy the code and operate their respective Mirai botnets. Following the publication of the Mirai source code, a series of high-profile DDoS attacks were attributed to Mirai botnets.
On October 21, 2016, Mirai brought down a big chunk of the internet on the U.S. east coast. Dyn, an internet infrastructure company, was a subject a DDoS attack that subsequently rendered popular websites inaccessible to the public. Dyn, in a statement, said that a significant volume of DDoS attack traffic originated from Mirai botnets. To date, the perpetrator of the Dyn DDoS attack remains unknown and no case has been filed against anyone in relation to this attack.
In addition to Lonestar DDoS attacks, Kaye also admitted to launching DDoS attacks using his own Mirai botnet on Deutsche Telekom that affected 1 million customers in November 2016. Kaye was extradited to Germany for this crime but only received a suspended sentence.
Three college-age friends in late 2017, Paras Jha, Josiah White and Dalton Norman, pleaded guilty before a U.S. court in creating the Mirai malware. Jha, in particular, pleaded guilty in launching multiple DDoS attacks using Mirai on Rutgers University computer system, resulting in the shutting of the University’s server used for all communications among faculty, staff and students.
Jha, White and Norman dodged jail. Jha, in particular, was ordered by a New Jersey court to pay $8.6 million in restitution and serve 6 months of home incarceration for launching DDoS attacks on the Rutgers University computer network.
The U.S. Department of Justice, in a statement, said that Jha, White and Norman’s involvement with the Mirai ended when Jha posted the Mirai source code on an online forum. “Since then, other criminal actors have used Mirai variants in a variety of other attacks,” the U.S. Department of Justice said.
The publication of a source code of a malware has two sides. First, it encourages script kiddies – those who attempt to launch cyberattacks using scripts or codes written by others, such as in the case of Mirai. Many script kiddies, using the original Mirai source code, have been able to build their own DDoS botnets and offer the service called “DDoS-for-hire”.
Second, the flipside of making a malware source code public is that this enables the cybersecurity community to study the code and develop tools and advisories that could render this malware inoperable or useless.
There are currently available security tools that block DDoS attacks coming from Mirai botnets. Also, a simple change of factory default username and password combinations can prevent IoT devices from being infected by the Mirai malware and, in effect, could prevent DDoS attacks.
Cybercriminals are, however, relentless in their campaigns. Since the publication of the Mirai source code, cybercriminals have tweaked the Mirai source code, for instance, infecting not just IoT devices, but enterprise servers as well. Attackers also don’t simply use factory default login details in infecting computer devices, but also exploit known security vulnerabilities.
New Mirai Variant Hijacks Enterprise Linux Servers for DDoS Attacks
Researchers at Netscout have discovered a new variant of Mirai – a malicious software (malware) once known for hijacking hundreds of thousands of Internet of Things (IoT) devices, including wireless cameras, routers and digital video recorders, to conduct powerful distributed denial-of-service (DDoS) attacks.
Instead of infecting IoT devices, researchers at Netscoutsaid that the new Mirai variant infects non-IoT devices, in particular, enterprise Linux servers running Apache Hadoop YARN, to serve as DDoS bots.
The original Mirai malware, at its peak, infected hundreds of thousands of IoT devices, controlling these infected IoT devices as botnet to conduct high-impact DDoS attacks. Botnet refers to a group of computers controlled by attackers without the knowledge and consent of the owners to conduct malicious activities, including DDoS attacks. In a DDoS attack, the botnet or controlled computers act in unison, flooding the internet connection of a target, for instance, a particular website.
The original Mirai first came to public attention when it launched a DDoS attack against the website of journalist Brian Krebson September 20, 2016. A few days after, on September 30, the source code of Mirai was publicly released on the English-language hacking community Hackforums by a user using the screen name “Anna-senpai”.
Paras Jha, 22, the person behind Anna-senpai, pleaded guilty for co-creating Mirai. According to the U. S. Department of Justice, from December 2016 to February 2017, Jha along with his 2 college-age friends Josiah White and Dalton Norman, admitted that they successfully infected more than 100,000 IoT devices, such as home internet routers, with Mirai malware and used the hijacked IoT devices to form a powerful DDoS botnet.
Since the public release of the source code of Mirai, a number of Mirai variants have been created and released into the wild. According to Netscout researchers, this latest Mirai variant “is the first time we’ve seen non-IoT Mirai in the wild”.
How the Latest Mirai Variant Works?
To deliver the latest Mirai variant, attackers exploit the security vulnerability of Apache Hadoop YARN.
Apache Hadoop is an open source software framework that enables a cluster or group of computers to communicate and work together to store and process large amounts of data in a highly distributed manner. Meanwhile, YARN, which stands for Yet Another Resource Negotiator, is a key feature of Hadoop that helps in job scheduling of various applications and resource management in the cluster.
According to Netscout researchers, the latest Mirai malware will exploit unpatched Linux servers running on Apache Hadoop YARN, and will attempt to brute-force – attacks that systematically attempt to guess the correct username and password combination – the factory default username and password of the Hadoop YARN server.
DemonBot Vs. Latest Mirai Variant
Researchers at Radwaredetected last month another malware called “DemonBot” that infects Hadoop clusters by leveraging YARN’s unauthenticated remote command execution.
The main similarity between DemonBot and the latest Mirai variant is that both malware exploit the Hadoop YARN security vulnerability in order to infect computers. Both malware programs also turn infected computers as botnet for the purpose of launching DDoS attacks.
Enterprise Linux servers running Apache Hadoop YARN infected by DemonBot and the latest Mirai variant are dangerous as these servers account for large volumes of DDoS traffic.
The main difference between DemonBot and the latest Mirai variant is that DemonBot spreads only via central servers and doesn’t expose worm-like behavior exhibited by Mirai variants. Mirai’s worm-like behavior – its ability to spread itself within networks without user interaction – makes it a more dangerous malware than DemonBot.
According to Radware researchers, as of late October, this year, attackers attempted to exploit the Hadoop YARN vulnerability to deliver the DemonBot at an aggregated rate of over 1 million per day.
Original Mirai Vs. Latest Mirai Variant
According to Netscout researchers, the latest Mira variant behaves much like the original Mirai. This means that both have worm-like behavior and enslaves infected computers for the purpose of launching DDoS attacks.
The main difference between the original Mirai and the latest Mirai variant is that while the original Mirai runs on IoT devices, the latest Mirai variant runs on Linux servers, in particular, those running Apache Hadoop YARN.
“Linux servers in datacenters have access to more bandwidth than IoT devices on residential networks, making them much more efficient DDoS bots,” researchers at Netscout said. ”A handful of well-resourced Linux servers can generate attacks that compete with a much larger IoT botnet.”
According to Netscout researchers, there are tens of thousands of attempts per day to exploit the Hadoop YARN vulnerability to deliver the latest Mirai variant.
The risk of further cyberattacks is high for machines infected by malware like Mirai. To prevent attackers from hijacking your organization’s Linux servers running Apache Hadoop YARN for DDoS attacks, make sure to configure your YARN’s access control by using strong username and password combination.
Also, keep all your organization’s software up-to-date and prevent brute-force attacks by implementing an account lockout policy. For instance, after a certain number of failed login attempts, the account is locked out until an administrator unlocks it.
By leveraging the security vulnerability in enterprise Linux servers running Apache Hadoop YARN, attackers can generate much powerful DDoS attacks. Protect your organization’s online resources like websites from DDoS attacks by using an easy to use, cost-effective and comprehensive DDoS protection.
Contact us today if you need assistance in protecting your organization’s network from malware like Mirai and protecting your organization’s online resources from DDoS attacks.
New Botnet Launches DDoS Attacks from Linux Computers
Researchers at SophosLabs have discovered a new botnet that launches a distributed denial-of-service (DDoS) attack from compromised Linux servers and IoT devices.
What is a DDoS Botnet?
A botnet is a collection of computers compromised by a malicious software (malware) and controlled as a group without the owners' knowledge to conduct illegal activities, including DDoS attacks.
In a DDoS attack, hijacked or compromised computers are controlled as a group to attack a particular target, for instance, to overwhelm a particular website with traffic to render the site inaccessible to legitimate users. By leveraging the use of a botnet, attackers can carry out large-scale DDoS attacks.
DDoS attacks don’t just target websites. They also target servers (web, email, DNS, file), web apps, banking, trading and e-commerce platforms, and VoIP systems.
Latest DDoS Botnet
SophosLabs researchers called the latest DDoS botnet that they’ve discovered “Chalubo”. The researchers said they first observed Chalubo in the wild in late August this year. On the 6th of September 2018, SophosLabs researchers said they first recorded how Chalubo works via a honeypot, a decoy computer system used in tracking new hacking methods.
According to the researchers, Chalubo attacks SSH servers, a software program used to remotely access Linux operating systems. There are currently a variety of Chalubo botnet versions for different processor architectures, including both 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL and PowerPC.
Chalubo attackers gain access to a computer by using publicly known default and common username and password combinations. Once the attackers gain access to a computer, it issues commands that retrieve the Elknot, also known as Linux/BillGates malware, a notorious DDoS botnet family that runs on both Linux and Windows operating systems. Elknot, in turn, delivers the rest of the Chalubo botnet package.
This recently reported DDoS botnet incorporates the code of two other notorious DDoS botnets, the Mirai botnet and Xor.DDoS botnet.
In December last year, 3 college-age friends pleaded guilty for creating the Mirai botnet. According to the U.S. Department of Justice, the Mirai botnet, at its peak, consisted of hundreds of thousands of compromised IoT devices used to launch DDoS attacks.
Xor.DDoS botnet, meanwhile, was first observed in the wild in 2015. This botnet hijacks Linux computers for DDoS attacks. While Mirai uses 62 default username and password combinations to gain access to a computer or device, Xor.DDoS uses common or weak username and password combinations.
Chalubo, in particular, uses some of Mirai’s randomizing functions and what appears to be an extended form of the util_local_addr function. Chalubo also uses Xor.DDoS’ DelService & AddService functions, as well as Chalubo’s script gets dropped exactly in the same manner as Xor.DDoS. While Chalubo copies a few code snippets of Mirai and Xor.DDoS, it’s a different botnet taken as a whole, researchers at SophosLabs said.
“The majority of functional code in this bot is entirely new, with a focus on their own Lua handling for, primarily, performing DoS attacks with DNS, UDP, and SYN flavours,” SophosLabs researchers said. “The Lua script built into the bot is a basic control script for calling home to a C2 [command-and-control] server to inform the C2 about details of the infected machine.”
Chalubo’s Lua script communicates with the command-and-control server – a computer that’s controlled by attackers – to receive further instructions. The purpose of the script is to download, decrypt and then execute whatever the script finds.
Chalubo's main components, dropper (the Elknot), main bot and Lua script, are encrypted using the ChaCha stream cipher in an effort to prevent detection. SophosLabs researchers observed that Chalubo triggered the infected computer to conduct a DDoS attack against a single Chinese IP address over port 10100, without masking the local source IP.
According to SophosLabs researchers, the creator or creators of Chalubo botnet may be at the end of testing their botnet and we may see an increase in activity from this new botnet.
A DDoS botnet negatively impacts the hijacked computers. In a similar manner, a DDoS attack negatively impacts a target.
Here are a few signs that the computer in your organization may be a part of a botnet:
-Computer fan kicks into overdrive even when it’s idle
-It takes a long time to shut down the computer or it won’t shut down properly
-Computer programs and internet access are slow
Here are some security measures to prevent attackers from turning the computers in your organization as part of the Chalubo, Mirai or Xor.DDoS botnets:
-Change default and common username and password combinations as these botnets hunt computers using default and common or weak username and password combinations
-In the case of the Chalubo botnet, use SSH keys instead of passwords for logins
-Keep all your software up-to-date
On the part of the DDoS botnet target, a successful DDoS attack against a website, server, e-commerce platform or VoIP system negatively impacts the target’s reputation and damages existing client relationships.
DDoS botnets can be prevented from attacking online resources by regularly monitoring traffic and by conducting a DDoS testing – called in the cybersecurity field as penetration or pen testing.
By monitoring the traffic of your organization’s online resources, abnormal and suspicious traffic can be flagged early on. In DDoS testing, simulated DDoS attacks are conducted against the online resources of your organization to check if they can withstand real DDoS attacks.
Contact ustoday if you need assistance in preventing attackers from hijacking your organization’s computers as part of a DDoS botnet or if you want assistance in protecting your organization’s online resources from DDoS attacks.
Most Universities at Risk of DDoS Attacks
The recent distributed denial of service (DDoS) attack on the online services of the Scotland-based University of Edinburgh adds to the growing list of universities hit by DDoS attacks.
Last September 10th, University of Edinburgh’s online services, including wireless services, websites and many online student services were disrupted for several hours as a result of a DDoS attack. The attack was done during the busy “Welcome Week” period of the university.
“I apologise for the disruption to this service, particularly during the busy Welcome Week period,” Gavin Ian McLachlan Chief Information Officer at the University of Edinburgh, said in a statement. “I realise how frustrating this must have been.”
DDoS Attacks on Colleges and Universities: Who, When and Why
A recent study conducted by Jisc provides a picture of who may be launching these DDoS attacks, in particular, on UK’s colleges and universities based on the specific time these attacks were done.
Jisc is a UK not-for-profit company that offers internet service via the Janet Networkto UK research and education community, including the University of Edinburgh.
Jisc said, “there is evidence both circumstantial and from the justice system to suggest that students and staff may well be responsible for many of the DDoS attacks we see on the Janet Network.”
The Jisc study found that DDoS attacks on colleges and universities were usually done during school period and attacks dramatically decrease during holiday times, such as summer breaks, Christmas, Easter and May half term breaks.
“This pattern could indicate that attackers are students or staff, or others familiar with the academic cycle,” Jisc said. “Or perhaps the bad guys simply take holidays at the same time as the education sector. Whichever the case, there’s no point sending a DDoS attack to an organization if there’s no one there to suffer the consequences.”
Several students had been prosecuted in the past for attacking their colleges or universities. Adam Mudd, a student at West Herts College, pleaded guilty for launching DDoS attacks against his college; while Paras Jha, a student at Rutgers University, pleaded guilty for launching DDoS attacks against his university.
These college and university students don’t just target their own schools. In April 2017, Adam Mudd received a 2-year jail sentence for running “Titanium Stresser”, a DDoS-for-hire service that launched 1.7 million DDoS attacks against victims worldwide.
In December 2017, Jha with two college-age friends, pleaded guilty for creating the Mirai botnet – referring to the hundreds of thousands of IoT devices compromised by Jha’s group using 62 common default login details and using them as a botnet or zombie army to conduct a number of powerful DDoS attacks.
According to the U.S. Department of Justice, Jha’s involvement with the Mirai botnet ended when he posted the source code for Mirai on a criminal forum in the fall of 2016. In October 2016, internet infrastructure company Dyn became a target of DDoS attacks, which resulted in bringing down a big chunk of the internet on the U.S. east coast. The DDoS attacks against Dyn temporarily took offline major websites, such as Amazon, Twitter and Netflix. “We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets,” Dynsaid in a statement.
The Jisc study also showed a significant decrease of DDoS attacks on the Janet Network starting in April 2018. Jisc theorized that this reduction of DDoS attacks could be a result of the Operation Power Off, a coordinated operation conducted by the Dutch Police and the UK’s National Crime Agency with the support of Europol and a dozen law enforcement agencies from around the world.
Operation Power Off took down the DDoS marketplace webstresser.org and resulted in the arrests of the site’s administrators located in the UK, Croatia, Serbia and Canada.
According to the European Union Agency for Law Enforcement Cooperation (Europol), webstresser.org was the world’s biggest marketplace to hire DDoS services, with 4 million recorded attacks as of April 2018.
For as low as EUR 15 a month, individuals with little to no technical knowledge launched crippling DDoS attacks via webstresser.org, the Europol reported.
Jisc said that beyond disgruntled college and university students and staff, there are far more serious criminal players at work that these institutions ignore at their peril.
Jisc added that some of these more sophisticated DDoS attacks are designed, not just to bring down an online service offline but also to steal intellectual property, targeting valuable and sensitive and information held at these educational institutions.
Preparing for DDoS Attacks
Here are some security measures that can fortify your organization’s IT defenses in case a disgruntled student, a staff or other criminal elements decide to launch a DDoS attack against your organization:
Look for abnormal incoming traffic, including sudden traffic rise and visits from suspicious IP addresses and geolocations. These could all be indicators that criminal elements are testing your organization’s IT defenses prior to conducting a crippling DDoS attack or attacks.
Consider conducting your very own DDoS attack against your organization’s IT infrastructure. This simulated cyberattack, known in the cybersecurity community as pen testing, can prepare your organization when the real DDoS attacks happen.
Contact us today if you need assistance in protecting your organization against DDoS attacks.
Steve E. Driz, I.S.P., ITCP