Incident Response, Network Security, TDR

DDoS attacks increase and methods changed in Q1 2015, report says

DDoS attacks are still on the rise but attackers are changing their methods for executing the cyber assaults, according to Akamai's Q1 2015 State of the Internet Report.

The findings show that criminals are using lower bandwidth attacks that occur more frequently and last longer in an attempt to evade detection. "An HTTP flood will not consume a lot of bandwidth, but it will generate a lot of HTTP requests," said an Akamai public relations spokesperson. That can overwhelm the servers' ability to respond to all the requests and ultimately take down site in a way that is harder to detect.

The report noted that recent trends also include “the common use of multi-vector campaigns, the availability of booter services and low-cost DDoS campaigns that can take down a typical business or organization.”

DDoS attack vectors have also changed since last quarter. Simple Service Discovery Protocol (SSDP) attacks accounted for 20 percent of the attacks while they weren't even on Akamai's radar screen in the same quarter last year. Akamai attributed the rise in SSDP attacks to unsecured home and business based Internet-connected devices using Universal Plug and Play, which are attractive to attackers because users often plug them in and don't update them as they should. 

“I expect to see more application layer attacks based off home and small business appliances,” Eric Korbin director, Information Security at Akamai told SCMagazine.com. “As attackers learn more about the protocols where the designer didn't take adversaries into account those become easier targets.”

He said the best way to avoid the attacks is to patch all routers and don't allow devices access to the internet unless it is necessary to the function.  

The study showed the gaming industry continues to be at the receiving end of DDoS attacks, accounting for 35 percent of all attacks making it the most targeted industry, a trend that started in the second quarter of 2014 and is expected to continue. “Booter sites [or sites where people can hire out DDoS attacks] started from people looking for an edge in gaming so they could win,” Kobrin, said. “Originally one player would set them up to delay the actions of another.”

The DDoS-for-hire market is expanding making this a more accessible to anyone looking to shut down a server or a website. 

Akamai found that China, Germany and the U.S. accounted for more than 50 percent of all DDoS attacks origins in the most recent quarter. China lead with 23 percent of attack traffic this quarter followed by Germany at nearly 17 percent and the U.S. in third place with 12 percent. While the top three countries remained the same, their rankings changed. In Q1 2014 the U.S. accounted for “32 percent of all attack traffic, followed by China at 18 percent and Germany at 12 percent,” the report said.

The company observed website defacements and domain hijacking as among the emerging threats. In one case study, a group claimed to hack hundreds or thousands of websites in one night. While the attack appeared to have a level of automation, many of the sites led to the same IP address.

The study also noted that many hosting companies offer cheap domain sites for a few dollars a month. A paying customer can have hundreds of domains and sites with the same IP address.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.