Feeds

Move over cybercrims, DDoS now protesters' weapon of choice

Attackers swap rifles for machine guns with laser sights

SANS - Survey on application security programs

Ideological hacktivism has replaced cybercrime as the main motivatation behind DDoS attacks, according to a study by Arbor Networks.

Up until last year, DDoS attacks were typically financially driven – either for reasons of competition or outright extortion – but the activities of Anonymous and related groups have changed that. The plethora of readily available DDoS attack tools (such as LOIC, a sometime favourite of Anonymous) means that anyone can launch an attack and any business could potentially be targeted.

Arbor, which specialises in supplying DDoS mitigation and traffic management tools to telcos and ISPs, describes the rise of hacktivism as a "sea-change in the threat landscape".

"What we saw in 2011 was the democratisation of DDoS," said Roland Dobbins, Arbor Networks solutions architect for Asia-Pacific, and the primary author of the 2012 edition of Arbor's annual Worldwide Infrastructure Security Report. "Any enterprise operating online – which means just about any type and size of organisation – can become a target, because of who they are, what they sell, who they partner with or for any other real or perceived affiliations. Furthermore, the explosion of inexpensive and readily-accessible attack tools is enabling anyone to carry out DDoS attacks."

Network operators quizzed by Arbor as it compiled its study reported a significant increase in the prevalence of high-bandwidth DDoS attacks. Around 13 per cent reported attacks greater than 10 Gbps between October 2010 and November 2011, the period covered by the report. An even greater number (25 per cent) observed DDoS attacks that exceeded the total bandwidth into their data centre.

The single largest reported DDoS attack during the survey period hit 60 Gbps, down from 100 Gbps reported in 2010. However this drop in the absolute volume of the worst attack disguises what Arbor describes as the "increasing sophistication and complexity of application-layer and multi-vector DDoS attacks".

Around half of respondents reported application-layer attacks on their networks. More than 40 per cent of network operators quizzed by Arbor reported an inline firewall and/or IPS failing due to a DDoS attack.

For the first time, a respondent to Arbor's survey observed a native IPv6 DDoS attack on their network. Arbor describes this as a "significant milestone" while noting that although "IPv6 deployments continue to advance, IPv6 is not yet economically or culturally significant enough to warrant serious attention by the internet criminal underground".

Fifty per cent of respondents reported not seeing any attacks targeting their mobile infrastructure. Conversely, more than 30 per cent reported an average of 50 to 100 mobile DDoS attacks per month, suggesting some mobile operators lack the tools that would allow them to monitor problems on their networks.

Arbor's findings were based on a survey of 114 of its service provider customers throughout the world.

Cyber machine guns flood networks

Another DDoS trend study from Prolexic Technologies, also published on Tuesday, reports that denial-of-service attack sophistication has increased even while assault durations have decreased.

Average attack duration was down to 34 hours in Q4 2011 from 43 hours in Q4 2010 but packet-per-second volume increased 18-fold. Prolexic mitigated 45 per cent more attacks in Q4 2011 compared to Q4 2010.

"Based on fourth quarter statistics, Prolexic predicts that 2012 will feature DDoS attacks that will be shorter in duration, but much more devastating in terms of packet-per-second volume," said Paul Sop, chief technology officer at Prolexic. "Think of it this way. In the past, attackers had a rifle. In 2012, they have a machine gun with a laser sight."

During Q411, approximately 22 per cent of attacks faced down by the firm were ICMP floods, 20 per cent were UDP Floods, 20 per cent were SYN Floods and 16 per cent were GET Floods. Prolexic clients in the e-Commerce sector "received a disproportionately high percentage of Layer 7 (application layer) attacks and much longer average attack durations," the firm adds.

Prolexic's report can be downloaded here (PDF, registration required).

A separate study from Akamai out last week reported an increase in attack traffic from Asia during the third quarter of 2011. Taiwan and China held the second and third place spots, respectively, accounting for just under 20 per cent of observed attack traffic combined. Asia Pacific as a whole generated nearly half (49 per cent) of online attacks observed across the Akamai platform during Q3 2011.

Attack traffic originating in Europe was down slightly to 28 per cent; with the Americas accounting for nearly 19 per cent over the same time-frame, Akamai reports. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.