DDoS Attacks Getting Harder to Detect

DDoS attacks are getting harder to identify, and they will most likely be found to originate in Indonesia or China, new research has shown.

According to Akamai Technologies’ Second Quarter 2013 State of the Internet Report, "Adversaries conducting DDoS attacks spend increasing effort to make their attacks look more and more like legitimate 'flash mobs' in an effort to elude automated defenses; this creates an ever-escalating arms race to automate the manual analysis that often goes into assessing whether an event was an attack or legitimate traffic due to an unplanned event."

DDoS is a favorite tool of hacktivists and others looking to disrupt the operations of a website by flooding it with traffic. But the ongoing increase in penetration of broadband worldwide has elevated all types of traffic levels – hence the aforementioned "flash mob" effect. The report found that the global average peak connection speeds increased slightly during the second quarter of 2013, up 0.1% to 18.9 Mbps. Global high broadband (classified as greater than 10 Mbps) adoption rose to 14% thanks to a 13% quarter-over-quarter increase. Global broadband (below 4 Mbps) improved 11% during the quarter, and Q2 2013 marked the first time that half of all connections to Akamai from around the world took place at speeds of at least 4 Mbps.

And that means that global political events, soccer matches, a big piece of company news or even a Miley Cyrus appearance can drive ad hoc traffic spikes that can overwhelm a site, as more and more people are connected with anytime, anywhere access and become armed with social media – a big spike-driver.

DDoS attacks are getting more frequent as well, judging from one sample. In the second quarter of 2013, Akamai customers reported 318 attacks, a 54% increase over the 208 reported in the first quarter. At 134 reported attacks, the enterprise sector continued to be the leading target of DDoS attacks, followed by commerce (91), media & entertainment (53), high-tech firms (23) and the public sector (17).

Akamai also maintains a distributed set of unadvertised agents deployed across the internet that log connection attempts, which the company classifies as attack traffic. Based on the data collected, Akamai observed second-quarter attack traffic originating from 175 unique countries/regions, two fewer than was observed in the first quarter of 2013.

The top 10 countries or regions generated 89% of observed attacks, up from 82% in the previous quarter. Like the first quarter, Indonesia and China again originated more than half of the total observed attack traffic, but Indonesia pushed China out of the top spot this quarter, nearly doubling its first-quarter traffic from 21% to 38%. China moved to second at 33% (down from 34%). The US remained in third even after dropping to 6.9% in the second quarter from 8.3% in the first quarter.

Vectors are changing too. For the first time since the company launched the report, back in 2008, Port 445 was not the most targeted port for attacks, dropping to third place at 15%, behind Port 443 (17%) and Port 80 (24%). The vast majority (90%) of attacks targeting Ports 80 and 443 originated from Indonesia, up from 80% last quarter.
