
DDoS attacks remain up, stronger in Q2, report says

Instead of fluctuating as they typically do, distributed denial-of-service (DDoS) attacks remained elevated throughout the second quarter, and they have become both stronger and shorter, according to researchers at Prolexic, an Akamai company.

In the “Prolexic Quarterly Global DDoS Attack Report Q2 2014,” researchers noted that the number of attacks increased 22 percent over Q2 figures a year ago and continues to keep pace with DDoS activity logged in the first quarter of this year. “If the trend continues there will be more DDoS attacks in 2014 than ever before,” the report said.

While the average duration of the attacks declined precipitously from last year, dropping 54 percent from 38 hours to just 17 hours, the attacks gathered strength. In Q2 2014, the average bandwidth was up 72 percent from the same quarter in 2013, and average peak bandwidth increased 241 percent.

Noting that DDoS campaigns have grown in “sophistication and overall size,” David Fernandez, head of PLXsert, said in Tuesday email correspondence that “the DDoS-for-hire market has also created a more economically viable means to launch a successful DDoS attack against organizations.”

Researchers “believe attacks will continue to increase in size along with expanding the scope of devices that can be exploited for DDoS purposes,” he said. 

In this latest report, infrastructure attacks, which accounted for 89 percent of all DDoS events recorded, grew in popularity, outpacing the quarter before by two percent. Researchers warned that volumetric attacks could exhaust incoming network bandwidth and take down whole data centers. But the data showed that Network Time Protocol (NTP) reflection-based infrastructure attacks diminished in the same time period. Application layer attacks, too, were down by 15 percent and accounted for 11 percent of all attacks; among them, only PUSH floods increased, by a whopping 133 percent.

Prolexic researchers noted a “surge” in Simple Network Management Protocol (SNMP) reflector attacks. “It was interesting to see malicious actors once again testing the capabilities in launching reflection based attacks with the inclusion of SNMP (3%),” said Fernandez. “This was never recorded before at Prolexic.”  

The attacks have grown more sophisticated, Fernandez said, as a result of “enhancements in BOTNET topologies, taking advantage of known vulnerabilities in servers as opposed to hosts, and the human element within an operation, realtime variations of an attack type to evade mitigation techniques.”

A troubling development in the second quarter was the anticipated, strategically targeted return of the Brobot botnet (itsoknoproblemobro), which the report said “lurks in the shadows.”

Saying “it is not uncommon for malicious actors to simply update their investments as opposed to starting from scratch,” Fernandez called the Brobot botnet “unfortunately a success in design and in the collective resources allocated to this threat model.”
