Behind the scenes, DDoS attacks are still evolving. What, if anything, does it all mean?
DDoS is moving from individual attacks to whole campaigns
DDoS attackers just keep at it but the way they keep at it continues to evolve. According to an Akamai note, on 18 June, an unnamed “large European media organisation” (presumably e-gaming) experienced a sudden DDoS assault that in 10 minutes rose to a peak of 363 Gbps.
That’s a large attack by any standards Akamai’s description of the events of that day reveals other interesting trends worth paying attention to such as the way DDoS criminals are expanding the complexity of their attacks while the defenders find themselves building huge global defences simply to keep up.
It’s probably not a complete surprise that the attack bundles extreme size with the use of six different attack types; DNS reflection, SYN flood, UDP fragment, PUSH flood, TCP flood, and UDP flood. Barely 2 percent of attacks use this multi-pronged approach but it’s clearly a growing trend. As reported by Computerworld UK, on 14 June, days before the attack reported by Akamai, mitigation provider Incapsula recorded an even more massive flood that also used the spray and pray technique.
The attack also abused DNSSEC because, the criminals have cleverly fathomed, the DNS security protocol generates larger responses and can therefore be used to boost DNS amplification still further. Akamai has mentioned such tactics in several of its traffic reports during 2015 and 2016 but it is ironic that a security standard should end up being manipulated in this way.
It’s developed so the extent that, “malicious actors continue to use open DNS resolvers for their own purposes, effectively using these resolvers as a shared botnet. The attack techniques and duration of the attack point to the likelihood of booter services available for lease in the DDoS-for-hire underground marketplace.”
Intriguingly, a geographical analysis of the IP addresses used to generate a portion of the SYN traffic suggest that it came from home and SoHo routers hijacked by the KaitenSTD botnet.
Latest massive DDoS attack suggests criminals plotting long campaigns
Why does any of this matter? Almost without exception these attacks go unnoticed by Internet users and businesses are usually only affected if they are unlucky enough to share a datacentre with a targeted organisation.
“From a technical perspective, the discovery and subsequent increasing employment of new attack vectors or botnets always represent significant, albeit grim milestones,” Akamai concluded.
But that’s a technical way of looking at the problem. The real story hidden inside the numbers is that this was only the latest in a long string of much smaller attacks on the company by this group or groups over 34 weeks. The first conclusion is that a growing number of DDoS attacks are no longer best described as singular events so much as campaigns that go on for months and perhaps even, shortly, years.
As these attacks morph into larger and sometimes unpredictable surges, mitigation is also changing to meet that challenge with Akamai revealing that its scrubbing centres (the places traffic is diverted to be cleaned) spans several locations around the globe for this attack alone.
Disaster averted in a way – as with the huge Incapsula attack of 14 June the 363 Gbps was defended by Akamai, which has the resources to deal with it. But as the recent downing of Pokemon GO shows, plenty hit the mark. The victims are out there even if we often don’t hear about them.