Move over cybercrims, DDoS now protesters' weapon of choice

Attackers swap rifles for machine guns with laser sights

Ideological hacktivism has replaced cybercrime as the main motivation behind DDoS attacks, according to a study by Arbor Networks.

Up until last year, DDoS attacks were typically financially driven – either for reasons of competition or outright extortion – but the activities of Anonymous and related groups have changed that. The plethora of readily available DDoS attack tools (such as LOIC, a sometime favourite of Anonymous) means that anyone can launch an attack and any business could potentially be targeted.

Arbor, which specialises in supplying DDoS mitigation and traffic management tools to telcos and ISPs, describes the rise of hacktivism as a "sea-change in the threat landscape".

"What we saw in 2011 was the democratisation of DDoS," said Roland Dobbins, Arbor Networks solutions architect for Asia-Pacific, and the primary author of the 2012 edition of Arbor's annual Worldwide Infrastructure Security Report. "Any enterprise operating online – which means just about any type and size of organisation – can become a target, because of who they are, what they sell, who they partner with or for any other real or perceived affiliations. Furthermore, the explosion of inexpensive and readily-accessible attack tools is enabling anyone to carry out DDoS attacks."

Network operators quizzed by Arbor as it compiled its study reported a significant increase in the prevalence of high-bandwidth DDoS attacks. Around 13 per cent reported attacks greater than 10 Gbps between October 2010 and November 2011, the period covered by the report. An even greater number (25 per cent) observed DDoS attacks that exceeded the total bandwidth into their data centre.

The single largest reported DDoS attack during the survey period hit 60 Gbps, down from 100 Gbps reported in 2010. However, this drop in the absolute volume of the worst attack disguises what Arbor describes as the "increasing sophistication and complexity of application-layer and multi-vector DDoS attacks".

Around half of respondents reported application-layer attacks on their networks. More than 40 per cent of network operators quizzed by Arbor reported an inline firewall and/or IPS failing due to a DDoS attack.

For the first time, a respondent to Arbor's survey observed a native IPv6 DDoS attack on their network. Arbor describes this as a "significant milestone" while noting that although "IPv6 deployments continue to advance, IPv6 is not yet economically or culturally significant enough to warrant serious attention by the internet criminal underground".

Fifty per cent of respondents reported not seeing any attacks targeting their mobile infrastructure. Conversely, more than 30 per cent reported an average of 50 to 100 mobile DDoS attacks per month, suggesting some mobile operators lack the tools that would allow them to monitor problems on their networks.

Arbor's findings were based on a survey of 114 of its service provider customers throughout the world.

Cyber machine guns flood networks

Another DDoS trend study from Prolexic Technologies, also published on Tuesday, reports that denial-of-service attack sophistication has increased even while assault durations have decreased.

Average attack duration was down to 34 hours in Q4 2011 from 43 hours in Q4 2010 but packet-per-second volume increased 18-fold. Prolexic mitigated 45 per cent more attacks in Q4 2011 compared to Q4 2010.

"Based on fourth quarter statistics, Prolexic predicts that 2012 will feature DDoS attacks that will be shorter in duration, but much more devastating in terms of packet-per-second volume," said Paul Sop, chief technology officer at Prolexic. "Think of it this way. In the past, attackers had a rifle. In 2012, they have a machine gun with a laser sight."

During Q4 2011, approximately 22 per cent of attacks faced down by the firm were ICMP floods, 20 per cent were UDP floods, 20 per cent were SYN floods and 16 per cent were GET floods. Prolexic clients in the e-Commerce sector "received a disproportionately high percentage of Layer 7 (application layer) attacks and much longer average attack durations," the firm adds.

Prolexic's report can be downloaded here (PDF, registration required).

A separate study from Akamai out last week reported an increase in attack traffic from Asia during the third quarter of 2011. Taiwan and China held the second and third place spots, respectively, accounting for just under 20 per cent of observed attack traffic combined. Asia Pacific as a whole generated nearly half (49 per cent) of online attacks observed across the Akamai platform during Q3 2011.

Attack traffic originating in Europe was down slightly to 28 per cent, with the Americas accounting for nearly 19 per cent over the same time-frame, Akamai reports. ®
