It comes as no surprise that the distributed denial-of-service (DDoS) attack landscape continues to evolve in size and complexity, thereby putting companies at a disadvantage. Supporting this, a report from Verisign saw an 83% increase in average attack size in the first quarter of the year over Q4 2013.
“The DDoS attack landscape is changing every day, and attackers are deploying new techniques, targeting a much wider set of organizations and becoming more sophisticated,” the company said in its report. “Based on trend analysis, Verisign anticipates DDoS attacks to continue to evolve in size and complexity in subsequent quarters and throughout 2014.”
Echoing a previously witnessed trend, Network Time Protocol (NTP) reflection attacks have emerged as the new normal, bumping up the volume of traffic used in attacks. It replaces the most common vector in Q1 2013, which was DNS amplification due to attacks using itsoknoproblembro, better known as Brobot, which compromised PHP and Joomla installations.
Reflection and amplification attack tools can provide a surging, snowballing lump of traffic against a target with relatively little effort, and as a result, hacktivists and others are embracing them wholesale.
In the first quarter, the most common volumetric attack size ranged from 50–75Gbps. Verisign witnessed large NTP reflection attacks around December 2013, and the trend has continued through Q1 2014.
Verisign said that it expects new amplification and reflection attack types to appear and proliferate. “These attacks will likely exploit additional protocols and port types, and could potentially catch unprepared organizations and even DDoS mitigation providers by surprise in short order,” it added.
Specifically, Verisign sees indications that attackers could further exploit other UDP protocols for large amplification attacks in the near future; this could be an attractive vector due to the simplicity and stateless nature of UDP. Other UDP protocols that are potential targets are SNMP and IKE, which can be used to launch source-IP-spoofed attack types and have the potential to be amplified similar to DNS or NTP, the firm noted.
In Q1 2014, Verisign also saw DDoS attackers continue to show increasingly adaptive behavior similar to that observed in 2013. On a number of occasions, attackers continuously monitored the effectiveness of their attacks while underway, and then changed attack techniques to work around applied mitigation strategies.
“Attacker techniques also evolved to attack the infrastructure components of victim websites and any DDoS mitigation providers protecting those websites,” Verisign said. “Normally, attack traffic is destined for the IP address of a targeted website; using these new attack methods, attackers targeted the IP address of the various routers that sit along the network path to the target website, searching out the ‘weakest link.’”
Also, targets are evolving. While the financial sector is still popular, media and entertainment represented the most frequently attacked vertical in the quarter, followed by the IT services/cloud/SaaS sector.