Thought leadership. threat analysis, news and alerts.
DDoS Attacks Are Getting Smaller, Shorter & More Persistent, Study Shows
A recent study released by Imperva showed that DDoS attacks are getting smaller, shorter and more persistent – a trend that shows that attackers are hoping to cause great damage before the activation of DDoS mitigating measures.
What Is DDoS Attack?
DDoS, short for distributed denial-of-service, is a type of cyber-attack in which multiple computers operate together as one to attack a target, for instance, a particular website.
Attackers typically use botnets to carry out DDoS attacks. A botnet is a group of internet-connected computers that are hijacked by malicious actors. These hijacked computers are then controlled by attackers as one “zombie army” to attack a chosen target.
There are two general types of DDoS attacks, the network layer attack and application layer attack. In network layer DDoS attacks, malicious actors “clog the pipelines” connecting to the target network, resulting in severe operational damages, such as account suspension. In application layer DDoS attacks, malicious actors flood a target application with seemingly innocent requests, resulting in high CPU and memory usage leading to the eventual hanging or crashing of the targeted application.
In network layer DDoS attack, the attack is measured by gigabits per second (Gbps) or packets per second (PPS), while in application layer DDoS attack, the attack is measured by requests per second (RPS). Most mid-sized websites can be crippled by 50 to 100 RPS application layer DDoS attacks, and most network infrastructures can be shut down by 20 to 40 Gbps network layer DDoS attacks.
Prevalence of DDoS Attacks
“Overall, we saw attacks that were smaller, shorter, and more persistent,” Imperva said in the company’s 2019 Global DDoS Threat Landscape Report. The company said that this trend “may be indicative of attackers’ attempts to wreak havoc before a mitigation service kicks in”.
Imperva reported that most DDoS attacks in 2019 were short, with 51% lasting less than 15 minutes. The report also showed that DDoS attacks in 2019 were conducted in short streaks, with two-thirds of targets attacked up to five times and a quarter of targets attacked 10 times or more.
Imperva added that while the norm of DDoS attacks in 2019 was small, the company recorded the largest network layer DDoS attack and application layer DDoS attack. The company said it recorded a network layer DDoS attack that reached 580 million packets per second (PPS), and a separate application layer DDoS attack which lasted for 13 days and peaked at 292,000 Requests Per Second (RPS).
According to Imperva, the top attacked industries in 2019 were games (35.92%), gambling (31.25%), computers and internet (26.51%), business (3.37%) and finance (2.95%); while the top attacked territories were India (22.57%), Taiwan (14.79%), Hong Kong (12.23%), Philippines (11.36%) and United States (8.73%). In 2019, Imperva said application layer attack requests overwhelmingly came from the Philippines and China. The company, however, noted, “Those source origination points were notedly the location of the machines used to carry out the attacks, not necessarily the location of the attackers themselves.”
The Role of Botnets
Imperva’s analysis of the largest application layer DDoS attack which lasted for 13 days and peaked at 292,000 Requests Per Second (RPS) showed that most of the IPs had the same opened ports: 2000 and 7547. The Mirai botnet has been known to target IoT devices exposed to the internet via TCP port 2000 and 7547.
The Mirai botnet was first observed in the wild in 2016. This botnet hijacked IoT devices via factory default usernames and passwords. The release of the Mirai’s source code on September 30, 2016 resulted in the development of new versions of Mirai, with some versions targeting different vendors of IoT devices and some adding new functionalities.
The DDoS attack on the domain name service (DNS) provider Dyn on October 21, 2016 was attributed to the Mirai botnet. The DDoS attack on Dyn resulted in temporarily bringing down America’s top websites such as Twitter, Netflix and Reddit.
In the 4th quarter of 2019, researchers at 360 Netlab reported 2 new botnets: Roboto and Mozi. In November 2019, 360Netlab researchers reported that Roboto attacks Linux servers via CVE-2019-15107, a security vulnerability in the Webmin remote administration application. While Roboto has DDoS capability, the researchers said, there’s no evidence yet that a DDoS attack has been launched by this botnet.
In December 2019, researchers at 360 Netlab reported that Mozi attacks IoT devices, exploiting a handful of security vulnerabilities, including CVE-2014-8361, a security vulnerability in Realtek routers that allows remote attackers to execute arbitrary code, and CVE-2018-10562, a security vulnerability in GPON routers in which the router saves ping results, enabling attackers to execute commands and retrieve their outputs.
While a typical DDoS botnet operates using a command-and-control (C2) server – a computer controlled by an attacker to send malicious commands to infected computers, both Roboto and Mozi rely on peer-to-peer (P2) networks. In P2 networks, decentralized networks of infected computers or “bots” communicate with one another, instead of communicating with a centralized command-and-control server.
The of use P2 networks by cyber criminals isn’t a new thing. For years, attackers have used P2 networks from stealing data to sending malicious commands. P2 networks have been used by attackers to evade the efforts to take down C2 servers. Authorities such as the FBI and technology companies have had success in shutting down botnets that rely on C2 servers to steal data or send malicious commands. By taking down a C2 server, the zombie army or hijacked computers are rendered useless.
Would you like to learn more and see how to protect your organization and mitigate DDoS attacks in under 10-minutes, with no hardware or software to buy or install?
Steve E. Driz, I.S.P., ITCP