DDoS Attack Specialist Archive

Here are the most common types of attack that bring down data centers.


The most common type of attack that can take down a data center is distributed denial of service, or DDoS.

In fact, according to the most recent Verizon Data Breach Investigations report, DDoS attacks were the second most common attack vector in last year’s security incidents, following privilege misuse. And, according to a report released in April by Neustar, the number of DDoS attacks 100 Gbps in size and larger increased by nearly 1,000 percent from the first quarter of 2018 to the first quarter of this year.

According to Adam Kujawa, director of Malwarebytes Labs at Malwarebytes Corp., a DDoS attack is a direct and immediate threat to data center uptime.

Plus, the proliferation of poorly secured connected devices such as routers and cameras creates a lot of opportunities for criminals to build botnets with which to launch these attacks.

“But technology has evolved so we have a better chance of protecting ourselves,” he added.


As the latest Verizon report showed, ransomware continues to be a major threat.

Unlike DDoS attacks, which are over when they’re over, the effects of ransomware can continue after the initial attack is stopped, said Dan Tuchler, CMO at SecurityFirst.

“If the data is corrupted or in an unknown state, it can take significant time to restore the data from backup,” he said. As a result, data centers might not be able to function for hours or even days after an attack.

And there’s a secondary hit, said Mounir Hahad, head of threat research at Juniper Networks. “Ransomware has an obvious impact on downtime as the IT staff would race to recover data from backups,” he said. “But the detection of intrusion may result in downtime as well, as IT staff try to cut off any potential exfiltration activity.”

It can take several days to do the forensics necessary to find out if the attackers were able to compromise any databases. “Services may be offline during that time,” he said, “at least until the method of exfiltration is understood and remediation is in place.”

These costs add up. In fact, according to Cybersecurity Ventures, the total global damages from ransomware are predicted to hit $11.5 billion in 2019, up from $8 billion last year.

External Access Services

When protecting against downtime, data center managers can often overlook some external services their computing sites depend on, such as cloud access security brokers or external DNS servers.

“Attackers target those dependent services to cause widespread harm,” said Darien Kindlund, VP of technology at Insight Engines. “In many cases, firms that protect data centers may overlook these external dependencies when threat-modeling, as they may not even be aware that such dependencies exist during architecture reviews.”

One of the biggest examples of this kind of attack was the 2016 cyberattack against DNS provider Dyn, which took down services around Europe and North America. Services affected included the Boston Globe, CNN, Comcast, GitHub, HBO, PayPal, and many others.

Application Attacks

Attacks against individual web or server applications require a lot less bandwidth but can still effectively shut down services, said Alex Heid, chief research officer at SecurityScorecard.

For example, if a data center or hosting provider has a control panel application for its customers or users, an attack against that application that causes it to crash would impact availability.

Similarly, protocols can also be overwhelmed by a single, focused attack, he said. “Examples of these attacks include Dropbear SSH DoS and the Slowloris Apache HTTP attack.”

In fact, attackers are increasingly using lower-volume, more targeted attacks to take down their victims, according to the Neustar report.

These kinds of attacks will also morph over the course of an attack to make them harder to defend against. According to the company, in the first quarter of 2019, more than 77 percent of denial of service attacks used two or more vectors.

Source: https://www.datacenterknowledge.com/security/four-main-types-cyberattack-affect-data-center-uptime

DDoS attacks have been among the top cybersecurity threats in recent years, and have the potential to cause wide scale disruption of internet services. The massive attack on DNS provider Dyn in 2016 caused outages to popular websites like Twitter and Netflix and affected millions of users worldwide. Various other enterprises including financial institutions, video game companies, and news websites have fallen victim to DDoS and all had to weather downtime caused by the attacks.

Though other cyber-attack methods like ransomware and data breaches have taken the spotlight these past couple of years, the threat of DDoS still persists and is stronger than ever. While better security solutions and anti-DDoS techniques are now available to thwart attacks, hackers are still keen on tweaking their tools and techniques to continue causing harm.

DDoS is seeing a resurgence as of late, and the potential damage caused by these new attacks is also significant. Attacks of at least 100 gigabits per second (Gbps) increased by 967 percent in Q1 2019 compared to a year ago.

DDoS and Botnets
Massive DDoS attacks have largely been made possible by botnets – swarms of malware-infected devices or “zombies” – that can be controlled by hackers to launch attacks on targets. Botnets essentially pool together the computing resources and bandwidth from zombies to overwhelm even the best equipped networks.

A SYN flood DDoS attack, for example, exploits the mechanics of the standard TCP protocol – the very protocol used for web browsing, email, and file transfers. During an attack, each zombie device on the botnet sends a SYN request to the server. The server then acknowledges the request and sends back a SYN-ACK response. Conventionally, the device should respond with an ACK to establish the connection.

However, in a SYN flood, the zombies never send this ACK back to the server. Or, the malware may spoof the source IP address of the SYN request, so that the SYN-ACK goes to a host that never replies and the server never receives the ACK at all. This process is repeated across all zombies on the botnet. As half-open requests pile up, the server eventually runs out of resources, causing it to crash and preventing all other legitimate connections from being established.
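The half-open connection build-up described above is also what a defender can measure. The following is an added example (not code from the original article or any of the quoted vendors): it replays a small, constructed packet log of client-side SYN and ACK packets as a server would see them, keeps per-source accounting of handshakes that were started but never completed, and reports both the aggregate half-open count (pressure on the listen backlog) and sources whose SYNs are almost never followed by an ACK. The field layout, the `SAMPLE_LOG` addresses and the thresholds are assumptions chosen for the illustration.

```python
"""SYN-flood indicator: count TCP handshakes that were started but never completed.

Added example, not from the original article. The input is a constructed list of
(seconds, client IP, TCP flags) records as observed at the server. 'S' is the
client's SYN, 'A' is the client's handshake-completing ACK; the server's own
SYN-ACK replies are not logged because the accounting is per client address.
"""
from collections import defaultdict, deque

# Constructed sample log. Two legitimate clients complete their handshakes.
SAMPLE_LOG = [
    (0.0, "10.0.0.5", "S"), (0.1, "10.0.0.5", "A"),
    (0.5, "10.0.0.6", "S"), (0.6, "10.0.0.6", "A"),
    (1.0, "10.0.0.5", "S"), (1.1, "10.0.0.5", "A"),
]
# One zombie that never answers the SYN-ACK (the first case in the text).
SAMPLE_LOG += [(2.0 + i * 0.01, "198.51.100.7", "S") for i in range(40)]
# Spoofed sources: a single SYN each from 50 addresses that never reply
# (the second case in the text). Individually they look harmless.
SAMPLE_LOG += [(3.0 + i * 0.01, f"203.0.113.{i + 1}", "S") for i in range(50)]


class HandshakeTracker:
    """Per-source accounting of unanswered SYNs, mirroring the server's backlog."""

    def __init__(self, syn_timeout=60.0):
        # Assumed SYN-ACK retransmission window after which the server drops the entry.
        self.syn_timeout = syn_timeout
        self.pending = defaultdict(deque)  # src -> timestamps of unanswered SYNs
        self.syns = defaultdict(int)       # src -> SYNs seen
        self.acks = defaultdict(int)       # src -> completing ACKs seen

    def feed(self, t, src, flags):
        if flags == "S":
            self.syns[src] += 1
            self.pending[src].append(t)
        elif flags == "A" and self.pending[src]:
            self.acks[src] += 1
            self.pending[src].popleft()    # oldest SYN is now a full connection

    def half_open(self, src, now):
        """SYNs from src that are unanswered and still inside the server's timeout."""
        return sum(1 for t in self.pending[src] if now - t <= self.syn_timeout)

    def total_half_open(self, now):
        return sum(self.half_open(src, now) for src in self.pending)

    def suspicious_sources(self, now, min_syns=10, max_completion=0.2):
        """Sources that open many handshakes and complete almost none of them."""
        hits = [src for src, n in self.syns.items()
                if n >= min_syns and self.acks[src] / n <= max_completion]
        return sorted(hits)


def analyse(log, backlog=64, now=None):
    """Replay the log and return the two indicators a defender would alert on.

    backlog: assumed size of the server's listen queue; half-open entries at or
    above it mean legitimate SYNs are about to be dropped.
    """
    tracker = HandshakeTracker()
    for t, src, flags in log:
        tracker.feed(t, src, flags)
    now = now if now is not None else log[-1][0]
    half_open = tracker.total_half_open(now)
    return {
        "half_open": half_open,
        "backlog_pressure": half_open >= backlog,
        "suspicious_sources": tracker.suspicious_sources(now),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The two indicators deliberately answer different questions. The per-source check catches the zombie that keeps opening handshakes and never finishes them, but the 50 spoofed addresses each send only one SYN and pass it; only the aggregate half-open count, measured against the backlog the server actually has, exposes that part of the flood. That is why backlog-level monitoring, not just per-client rate limiting, matters for this attack, and why kernel-side defences such as SYN cookies work on the aggregate rather than on individual sources.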

The Mirai botnet, which has infected tens of thousands of wireless devices, network appliances, and IP cameras, is capable of performing various flood attacks aside from SYN floods. Its source code is readily available online, which allows hackers to readily use or modify the malware to take over more devices. New variants have been detected making their rounds online, and these are capable of compromising a wider variety of internet-connected hardware.

Potential Damage Increases
This year, a DDoS attack thwarted by security provider Imperva reached a peak rate of 652 million packets per second (Mpps). This is considered the most intense attack on record and is five times the intensity of the GitHub attack which is currently the biggest DDoS by data transmission.

Just this April, cryptocurrency wallet Electrum was also affected by a malware attack which turned devices on its network into zombies. Electrum users were prompted to install a fake update which infected their devices with malware. This not only made user devices part of a massive DDoS botnet, but the malware also stole cryptocurrencies stored in users’ wallets. Around 152,000 devices were said to have been infected while over $4.6 million in cryptocurrencies have been stolen by attackers.

Also recently, a threat actor who goes by the online alias “Subby” was reported to have taken over 29 IoT botnets. While the combined size of the botnets is only capable of launching around 300 Gbps attacks, it can still be a significant enough threat to affect most networks.

These latest episodes of malware infection and DDoS attacks underscore how botnets remain a major threat to cybersecurity. The continued evolution of DDoS malware may soon result in botnets capable of pooling enough resources to launch attacks that will rewrite the record books once again.

Costs of Falling Victim are Still Significant
This has put enterprises back on edge as they’ve become quite wary of falling victim to DDoS. A single attack can cause downtime, loss of business, and negative perception – all of which can have significant impact on their operations.

Depending on the size of the enterprise, a DDoS attack can cost a business tens of thousands of dollars in downtime alone. In the UK, DDoS is expected to cost its economy more than £1 billion in damages in 2019 as downtime from each attack is estimated to exceed £140,000. Dealing with DDoS may also require other actions such as recovery, security audits, and public relations.

Because of this financial impact, DDoS has become a way to commit industrial sabotage. One can simply acquire DDoS-for-hire services on the dark web to cripple a target company’s online activities and cost them financially in the process. Hacktivists have also been known to launch DDoS attacks on corporate targets as means to protest or advance political agenda.

Implementing Security is a Must
Fortunately, the cybersecurity community has been actively improving means to mitigate DDoS attacks. Internet services are now investing in better infrastructure to have enough bandwidth and network capacity to weather DDoS attacks.

Security solutions like WAFs and DDoS mitigation have also become smarter. They now feature better algorithms to filter out malicious traffic. Crypto-based mechanisms are even being explored to combat DDoS.

But to lessen the threat of botnets, it’s critical for users to be more conscious of their own security. A major contributor to the explosion of botnets is the poor security of many devices. The market has recently seen a surge in cheap internet-capable devices, many of which have poor security features. Other users are also remiss in changing default administrator credentials on their devices, which makes it easy for malware to spread across networks.

Protecting internet-connected devices should greatly help lessen exposure. Even actions like using more secure passwords and applying timely patches and updates could prevent malware from spreading.

The threat of cyberattacks and DDoS will continue to be present. So, everyone stands to benefit should computer users put more effort into securing their devices and networks.

Source: https://www.infosecurity-magazine.com/next-gen-infosec/ddos-botnets-damage-1-1/

Many companies underestimate the threat of DDoS, but 5G’s faster speeds and greater mobility will undoubtedly make attacks even more destructive.

When Airbnb, Netflix, GitHub, Twitter, CNN, Spotify, Reddit, and many other websites became fully or partially unavailable in October 2016, millions of users found it a mild nuisance. But for DNS provider Dyn, which was on the receiving end of massive DDoS attacks fuelled by a gigantic botnet, it caused mayhem.

This DDoS attack made it clear that cybercriminals are making bold moves that can potentially bring down the internet.

Fast forward to 2020: the impending deployment of 5G gives attackers more firepower than ever by creating easily exploitable targets they can enlist into botnets that overpower traditional DDoS defenses.

Along with experts’ warnings, available data highlights this trend. The ENISA Threat Landscape Report 2018 confirms that DDoS attacks are continuously evolving:

  • Close to 45% of DDoS attacks lasted for over 90 minutes while 4.62% of them persisted for 20+ hours
  • The average DDoS attack went on for 318.10 minutes, while the longest one continued for a stupefying six days, five hours, and 22 minutes
  • The first terabit DDoS was recorded in 2018 against GitHub (1.35 Tbps), shortly followed by another one targeting Arbor Networks (1.7 Tbps).

DDoS attacks have been around for 20 years, but the current tech environment is fuelling a renewed interest for them, with 5G set to play a fundamental role.

Factors that favour massive DDoS attacks in the 5G era

Security specialists cannot afford to overlook the appeal that 5G has to cybercriminals looking to make a hefty payday. Here are the factors that make it easy for them to launch destructive DDoS attacks that put businesses at risk of complete shutdown.

1. Innovation outpaces the ability to secure it

The gap between adopting new tech and properly securing it is becoming steeper, an issue that regains prominence as 5G and AI become a business reality.

Cybersecurity has moved from cost to necessity, but most decision makers haven’t made it a board-level priority, and attackers are fully aware of that.

2. DDoS for hire is cheaper than ever before

The cybercrime economy makes services like DDoS for hire prevalent and easily accessible. A 24-hour DDoS attack against a single target can cost as little as US$ 400. Access to cheap bots is significantly damaging to internet service providers (ISPs), as the average cost of such an attack rose to US$ 2.5 million in 2017.

3. 5G brings hyperconnectivity and expands the attack surface

While 5G has tremendous potential for growth and innovation, it comes with a huge caveat. Connecting more devices faster inevitably leads to an influx of malicious traffic. Attackers will exploit poorly secured devices and use the millions of leaked (and reused) credentials to build botnets that make Mirai look like a proof-of-concept.

The biggest risk is that large-scale DDoS attacks take down financial institutions and critical infrastructure. Thus, DDoS mitigation that can cope with attacks in the range of terabits becomes a crucial necessity.

4. Insufficient resources to tackle imminent dangers

CISOs already struggle to get resources to handle current threats while business leaders push for 5G adoption. Meanwhile, cybercriminals will take the opportunity to exploit higher capacity bandwidth that 5G provides to launch attacks on an unprecedented scale.

Companies must accept the responsibility for DDoS mitigation with consolidated security. Many companies underestimate the threat of DDoS, but 5G’s faster speeds and greater mobility will undoubtedly make attacks even more destructive. Business and security leaders must make a conscious decision to prioritize anti-DDoS measures.

By adopting custom-built solutions designed specifically to detect and defeat DDoS attacks, businesses can keep operations running smoothly. Moving focus from on-premise hardware firewalls to choosing a globally distributed network of scrubbing centers with unrivaled mitigation capacity may be a winning card in the Anti-DDoS battle.

Network operators must scrupulously monitor anomalous activity, access, and traffic patterns to curb large DDoS attacks.

CSPs must consider high-volume DDoS mitigation services and combine them with deep packet inspection (DPI) that doesn’t impact legitimate traffic or streaming quality.

It’s important to keep in mind that, once 5G is deployed, companies and individual users alike expect flawless connectivity and network performance, along with uncompromised security and privacy. In the coming years, balancing service quality with security is what will set visionary CSPs apart from the rest.

Source: https://www.scmagazineuk.com/security-concerns-5g-era-networks-ready-massive-ddos-attacks/article/1584554

Romania is in the top ten countries with the highest number of command-and-control (C&C) servers used in DDoS attacks, according to the Kaspersky Lab DDoS Q1 2019 report. A total of 2.89% of these servers are located in Romania, which places the country 9th in the world.

Most botnet C&C servers are located in the US (34.10%), followed by The Netherlands with a share of 12.72% and Russia with 10.40%.

The number of DDoS attacks increased by 84% in the first quarter of 2019 compared to the last quarter of 2018, according to Kaspersky Lab. There was a remarkable increase especially in the number of attacks lasting over an hour and the average duration of this type of attack, the same report shows.

“Last year, the number of DDoS attacks dropped continuously, prompting Kaspersky Lab’s experts to assume that cybercriminals who carried out DDoS attacks to get financial gains turned their attention to other sources of income (such as cryptocurrencies). However, first-quarter statistics contradict this trend and show that the number of DDoS attacks blocked by Kaspersky DDoS Protection increased by an astonishing 84% compared to Q4 2018,” Kaspersky Lab said in a press release.

The most visible growth was registered in the category of DDoS attacks lasting more than one hour. Their number doubled and the average duration increased by 487%. These numbers “confirm Kaspersky Lab’s hypothesis that hackers are improving their techniques and are able to launch longer-lasting attacks that are harder to organize.”

To remain protected from DDoS attacks, Kaspersky Lab recommends organizations to make sure web and IT resources can handle large traffic and to use specialized solutions.

Source: https://www.romania-insider.com/romania-servers-ddos-attacks

Sudden surge suggests that new actors have stepped up to the plate to replace the old operators.

Distributed denial-of-service attacks (DDoS) — particularly those lasting more than an hour — increased sharply in number during the first quarter of this year over the prior quarter after declining steadily for most of 2018.

The unexpected resurgence suggests that new suppliers of DDoS services have quietly emerged to replace operators that were disrupted in a series of law enforcement actions last year, Kaspersky Lab said in a report summarizing DDoS activity in Q1 2019.

The security vendor’s analysis shows the number of DDoS attacks in Q1 to be some 84% higher than the number recorded in the last three months of 2018.

One significant trend that Kaspersky Lab notes is an overall increase in the number of attacks lasting one hour or longer. Over one in 10 (10.13%) of the DDoS attacks in Kaspersky Lab’s dataset lasted between five hours and nine hours, and another 9.37% lasted between 10 hours and 49 hours — or more than two days. Some 2% of the attacks were longer than 50 hours, with the longest one lasting 289 hours, or just over 12 days.

In total, the proportion of sustained attacks, or those lasting more than an hour, nearly doubled from 11% of the overall number of DDoS attacks in the last quarter of 2018 to 21% of the total in the first three months this year. Correspondingly, the number of short-duration DDoS attacks lasting less than four hours declined — from 83.34% in Q4 2018 to 78.66% this year.

Alexander Gutnikov, an analyst with Kaspersky Lab DDoS prevention service, says attackers are increasingly moving away from volumetric, high-bandwidth attacks at the network (L3) and transport (L4) layers because of the mitigations available for such attacks. Instead, they are turning to smarter DDoS attacks such as those that target the application layer.

“The main driver of the growth of smart DDoS attacks is a decrease in the effectiveness of volumetric attacks,” Gutnikov says. “Volumetric attacks have to be very powerful to significantly affect the stability of resources,” he adds. For vendors that provide dedicated DDoS mitigation services, the trend is not particularly new.

As has been the case for several years, a majority of DDoS attacks last quarter were SYN flood attacks. However, the number of SYN attacks as a percentage of the overall total of DDoS attacks jumped sharply from 58.1% in the last quarter of 2018 to over 84% in this year’s first quarter. Meanwhile, other types of DDoS attacks, such as UDP flooding and TCP flooding, showed a corresponding decrease.

HTTP flooding attacks targeting the Web application layer are still relatively rare. However, the number of such attacks appears to be growing. Kaspersky Lab analysis shows HTTP flood attacks increasing in number from 2.2% of the overall total in Q4 to 3.3% last quarter. “In terms of the ratio of effectiveness and cost of organization, application-level attacks, L7, are an optimal option for malefactors,” Gutnikov notes.

A Persistent Threat
Kaspersky Lab’s new report is the latest to highlight the continuing threat that DDoS attacks present to organizations despite some major wins for law enforcement against those behind such attacks.

Last April, for instance, European law enforcement agencies, in cooperation with their counterparts in other regions of the world, dismantled Webstresser, one of the largest sites for buying and selling DDoS services at the time, and announced the arrests of the operators and several clients of the illegal outfit.

More recently the US Justice Department announced it had seized 15 websites offering similar DDoS-for-hire services and charged three individuals for their roles in the operation. In January, a Boston federal judge sentenced an individual convicted on charges of launching a DDoS attack on Boston Children’s Hospital to 10 years in prison.

The fact that the number of attacks increased last quarter all the same suggests that new actors have stepped up to the plate to replace the old operators, according to Kaspersky Lab.

“We believe that the motives for DDoS services remain the same: politics, unfair competition, concealment of other cybercrime, or personal motives,” Gutnikov says. “And for people who conduct DDoS attacks, the main motive is money.”

Data from Verizon’s “2019 Data Breach Investigations Report” (DBIR) shows that public-sector organizations and those in the IT, finance, and professional services sectors are far more frequent targets of DDoS attacks than organizations in other industries. Verizon counted more than 990 DDoS incidents against public-sector organizations in 2018, 684 attacks against IT organizations, 575 targeting financial firms, and nearly 410 against professional services firms.

Financial services organizations and IT companies are also targets of some of the biggest DDoS attacks — from a bandwidth and packets-per-second standpoint. Verizon’s data shows that in 2018, the median size of DDoS attacks against financial services companies and IT organizations were 1.47 Gbps and 1.27 Gbps, respectively.

“Over time, DDoS attacks have been getting much more tightly clumped with regard to size,” with little difference in size between the largest and smallest attacks, Verizon said.

Ominously for enterprise organizations, while DDoS attacks, on average, have shrunk in size overall, there has been an increase in the number of really massive attacks.

According to security vendor Imperva, there has been a recent increase in DDoS attacks involving 500 million or more attack packets per second. During a one-week period earlier this year, Imperva’s researchers detected nine such DDoS attacks, with the largest one hitting an astounding 652 million packets per second.