
Easily available tools, botnets contribute to DDoS rise

Distributed denial-of-service (DDoS) attacks against websites or web services continue to grow in volume and complexity, and are also increasingly being used as a distraction from other criminal activities, security firm Arbor Networks warned this week.

An analysis of DDoS attacks around the world shows that they are getting bigger, more frequent and more complex thanks to the general availability of botnets and toolkits, according to the company.

There are even DDoS services that, for a set fee, offer to attack telecommunications providers, Curt Wilson, an engineer with the Arbor Security Engineering and Response Team, said in a blog post. The team observed advertisements on underground forums offering phone attack services starting at $20 per day.

And the ambushes aren't just being readied to cut off website accessibility, he said. They also are serving as a diversion for more malicious activity, such as network intrusions.

Attackers no longer require large botnets at their disposal to launch DDoS attacks. Along with the services offering attacks-for-hire, cloud-based service provider Incapsula has reported in the past how ready-made botnets are available for rent.

Prolexic, a mitigation services provider, has issued several advisories warning about toolkits that can launch large and complex DDoS attacks, such as Dirt Jumper, that are readily available on the underground.

There are many types of DDoS attacks. The most well-known form is network flooding, attacks that consume all bandwidth and prevent legitimate requests from reaching websites and systems. These infrastructure incursions, also known as Layer 3 and Layer 4 attacks, are still pretty common, accounting for 81 percent of total attacks in the second quarter of 2012, according to Prolexic. Application layer attacks, or Layer 7, made up the remaining 19 percent.

However, miscreants are increasingly targeting applications instead of just clogging up the internet pipe, Neil Roiter, research director of Corero Network Security, told on Friday. Network-flood attacks are declining as adversaries shift toward application-layer attacks that are harder to detect because they are crafted to look like normal requests. Also, they wind up being computationally expensive for the server, preventing it from processing other legitimate requests.

DDoS attacks have grown 82 percent since June 2011, according to the latest "Worldwide Infrastructure Report" from Arbor Networks, which covers the first half of 2012. The average size of attacks has gone up 27 percent, and attacks are now consistently more than one gigabit per second in size, according to Arbor.
