
Amplification DDoS attacks most popular, according to Symantec

Distributed denial-of-service (DDoS) attacks are growing in power, are becoming easier to carry out and will likely remain a growing problem in the coming years, Candid Wueest, a threat researcher with Symantec, said in a Friday email correspondence.

Amplification attacks are the most popular choice right now because attackers can generate a huge flood of network traffic with only a small number of compromised computers, Wueest said. The attacker sends small requests, with the victim's address forged as the source, to third-party servers that reply to the victim instead; Wueest explained that the traffic reflected toward the target is often up to 100 times larger than the traffic the attacker sends.

In a whitepaper released on Tuesday and written by Wueest, the company noted that Domain Name System (DNS) amplification attacks increased 183 percent between January and August.

“DNS amplification attacks have increased because there are still enough open DNS servers that can be used to amplify the traffic,” Wueest said. “Address lists of such servers are traded in the underground and integrated into botnet malware making it accessible to many attackers.”

But amplification DDoS attacks are only one slice of the pie – Wueest said that attackers will often shift between different methods and adapt techniques in response to evolving protection technologies.

Volumetric attacks flood the target with User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP) or Transmission Control Protocol (TCP) traffic, while protocol attacks, Wueest said, involve attackers attempting to “exhaust fixed limitations of a network, such as the maximum number of concurrent open connections, by opening as many TCP connections as possible.”

There are also application-level attacks, Wueest said, in which “attackers take advantage of weaknesses in the web application itself. For example, the scripting language PHP used to have a flaw that let attackers consume 100 percent of the targeted device's CPU with specially crafted HTTP GET Web requests.”

The U.S. currently ranks second behind India as a source of DDoS traffic, Wueest said, explaining that the ranking is by absolute number of attacks observed, so countries with many connected computers tend to rank higher.

“The sources for DDoS attacks are often countries that have a high number of bot infected machines and a low adoption rate of filtering of spoofed packets,” Wueest said, explaining the U.S. led countries in 2013 with 20 percent of botnets seen. “This, together with a high volume of unpatched open DNS or NTP amplifier services, makes them an ideal launching platform for DDoS attacks.”

Wueest noted that attacks are often carried out remotely and the people behind the attack are not necessarily located in the same country. Additionally, some attackers offer DDoS as a service for as little as $2 per hour, depending on the target, the whitepaper indicates.

It is impossible to prevent someone from launching a DDoS attack, but its impact can be mitigated, Wueest said. Best practices include having an incident response plan ready, verifying server configuration (for example, that one's own DNS and NTP servers do not answer requests from arbitrary clients, which would make them amplifiers for someone else's attack), using a layered filtering approach, partnering with external service providers, and building scalability and flexibility into the network.
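The following is an added example, written for this page in Python and not code from the article or from Symantec. It ties together the amplification mechanics described earlier (a small, spoofable DNS query reflected off an open resolver into a much larger response) and the "verify server configuration" advice above: `build_query` constructs the query type attackers reflect, `is_open_resolver` is the check a server owner would run against their own resolver, and `amplification_factor` gives the bytes-out-per-byte-in ratio. The sample response is constructed in code rather than captured from the network, and the name `example.com`, the transaction id and the record sizes are assumptions for illustration.

```python
# Added example, not code from the article or from Symantec. It shows the
# mechanics behind the amplification figures in the article: the small,
# spoofable query an attacker reflects off an open DNS resolver, the much
# larger response, and the resulting amplification factor. is_open_resolver()
# is the configuration check a server owner would run against their own
# resolver. The sample response is constructed here, not captured traffic,
# and the name, transaction id and record sizes are assumptions.
import socket
import struct

OPT_LEN = 11  # EDNS0 OPT pseudo-record: root name (1) + type (2) + class (2) + ttl (4) + rdlen (2)


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 255, udp_payload: int = 4096) -> bytes:
    """Build the kind of query used for amplification: QTYPE ANY (255) asks for
    every record at the name, RD=1 asks the server to recurse, and the EDNS0
    OPT record advertises a large UDP buffer so the answer is not truncated
    to 512 bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # flags: QR=0, RD=1; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)  # TYPE 41, CLASS field = UDP payload size
    return header + question + opt


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header; the flag bits are what the checks below use."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "tc": bool(flags & 0x0200),   # truncated
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def is_open_resolver(resp: bytes, txid: int) -> bool:
    """True when the server recursed on our behalf for a name it is not
    authoritative for: matching id, QR=1, RA=1, AA=0, NOERROR and at least
    one answer. Such a server will amplify for anyone who spoofs a source."""
    h = parse_header(resp)
    return (h["id"] == txid and h["qr"] and h["ra"] and not h["aa"]
            and h["rcode"] == 0 and h["ancount"] > 0)


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes delivered to the victim per byte the attacker had to send."""
    return len(response) / len(query)


def build_sample_response(query: bytes, txid: int, txt_records: list, authoritative: bool = False) -> bytes:
    """Constructed sample response to `query` (not captured traffic): the
    question echoed back, one TXT answer per entry using a name-compression
    pointer (0xC00C) to the question name, and the OPT record echoed."""
    flags = 0x8000 | 0x0100 | (0x0400 if authoritative else 0x0080)  # QR, RD, then AA or RA
    question = query[12:-OPT_LEN]
    header = struct.pack("!HHHHHH", txid, flags, 1, len(txt_records), 0, 1)
    answers = b""
    for txt in txt_records:
        rdata = bytes([len(txt)]) + txt  # TXT rdata is one <character-string>, max 255 bytes
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 3600, len(rdata)) + rdata
    return header + question + answers + query[-OPT_LEN:]


def probe(server: str, name: str, txid: int = 0x1234, timeout: float = 2.0):
    """Send the query to a resolver over UDP/53 and report (open?, factor).
    Only point this at infrastructure you own or are authorised to test."""
    q = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(65535)
    return is_open_resolver(resp, txid), amplification_factor(q, resp)


if __name__ == "__main__":
    q = build_query("example.com")
    # Twelve 200-byte TXT records stand in for a record-heavy zone (constructed data).
    r = build_sample_response(q, 0x1234, [b"x" * 200] * 12)
    print(f"query {len(q)} bytes -> response {len(r)} bytes, "
          f"factor {amplification_factor(q, r):.1f}x, open resolver: {is_open_resolver(r, 0x1234)}")
```

With the constructed zone the 40-byte query draws a 2,596-byte answer, a factor of about 65x, which is the order of magnitude the article quotes. A resolver that answers with AA=1 and RA=0 is only serving its own zones and is not flagged; one that recurses for anyone is, and that is what an attacker with a spoofed source address needs.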
