DDoS-ers Take Down Mitigation Tools in Q1

Cyber-criminals turned up the heat on organizations in Q1 this year with a variety of techniques designed to circumvent DDoS mitigation tools, including multi-vector and high Mpps assaults, according to Imperva Incapsula.

The security vendor claimed in its Q1 2016 Global DDoS Threat Landscape Report that the industry faces an increasing challenge to deal with these more elaborate attacks.

“In the past few months … we have seen more and more attacks orchestrated with mitigation solutions in mind,” wrote Incapsula’s Igal Zeifman in a blog post. “The diversity of attack methods, as well as the experimentation with new attack vectors, suggest that more perpetrators are now re-prioritizing and crafting attacks to take down DDoS mitigation solutions, rather than just the target.”

As part of this trend, the firm has seen an increase in high Mpps (millions of packets per second) network layer DDoS floods, in which typically small packets of no more than 100 bytes are sent at high rates to overwhelm network switches.

Imperva said it has mitigated one 50+ Mpps attack every four days on average during the quarter.

Attackers are also looking to combine vectors in a single attack to outwit current mitigation strategies – the most common being a high Mpps UDP flood and a bandwidth-consuming DNS amplification attack.

Multi-vector attacks accounted for a third (33.8%) of network layer attacks – a 9.5% increase from the previous year.
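The two network layer vectors described above, as an added defender-side example that is not part of the report or this article: constructed per-second flow summaries are labelled as a small-packet high-pps flood, a bandwidth-heavy DNS amplification flood, or both (multi-vector). The record layout, the thresholds and the label names are assumptions.

```python
"""Classify network layer DDoS vectors from per-second flow summaries (constructed data)."""
from collections import defaultdict

# Constructed sample records, one per (second, protocol, source port):
# (second, protocol, src_port, packets_in_that_second, bytes_in_that_second)
SAMPLE_FLOWS = [
    (0, "UDP", 40000, 60_000_000, 3_600_000_000),  # 60 Mpps of 60-byte packets
    (0, "UDP", 53, 500_000, 2_000_000_000),        # 0.5 Mpps of ~4 KB amplified DNS replies
    (0, "TCP", 443, 20_000, 30_000_000),           # ordinary-looking HTTPS traffic
    (1, "UDP", 40000, 55_000_000, 3_300_000_000),
    (1, "UDP", 53, 480_000, 1_900_000_000),
    (1, "TCP", 443, 19_000, 28_000_000),
]


def classify_vectors(flows, pps_threshold=50_000_000, bps_threshold=8_000_000_000,
                     small_pkt=100):
    """Return {second: sorted list of labels}.

    high_mpps_flood   : packets/s across small-packet flows (avg size <= small_pkt bytes)
                        reaches pps_threshold; this is the switch-exhausting vector
    dns_amplification : bits/s of UDP traffic sourced from port 53 reaches bps_threshold;
                        this is the bandwidth-exhausting vector
    multi_vector      : both vectors seen in the same second
    Thresholds are assumptions chosen for the sample, not values from the report.
    """
    per_sec = defaultdict(lambda: {"small_pkts": 0, "dns_bytes": 0})
    for sec, proto, sport, pkts, nbytes in flows:
        stats = per_sec[sec]
        if pkts and nbytes / pkts <= small_pkt:
            stats["small_pkts"] += pkts
        if proto == "UDP" and sport == 53:
            stats["dns_bytes"] += nbytes

    result = {}
    for sec, stats in per_sec.items():
        labels = []
        if stats["small_pkts"] >= pps_threshold:
            labels.append("high_mpps_flood")
        if stats["dns_bytes"] * 8 >= bps_threshold:
            labels.append("dns_amplification")
        if len(labels) == 2:
            labels.append("multi_vector")
        result[sec] = sorted(labels)
    return result


if __name__ == "__main__":
    for sec, labels in sorted(classify_vectors(SAMPLE_FLOWS).items()):
        print(f"t={sec}s: {labels or ['no flood detected']}")
```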

On the application layer there was a notable increase in the use of DDoS bots designed to circumvent organizations’ defenses – from just 6% in the previous quarter to 36.6% of total bot traffic in Q1 2016.

“In addition to using more sophisticated bots, we also saw perpetrators explore new ways of executing application layer assaults,” noted Zeifman. “Most notable of these attempts was a HTTP/S POST flood, which used extremely large content-length requests to try and clog the target’s network connection.”

There’s also been an increase in frequency, with half of all targets attacked more than once.

South Korea (29.5%), Russia (10.8%) and Ukraine (10.1%) were the top three attacking countries and the United States (50.3%), the UK (9.2%) and Japan (6.7%) were the most targeted countries.

Zeifman told Infosecurity that DDoS attacks are in some cases still being used as a smokescreen for an attempt to compromise an organization's web app and database.

“However, in other cases, what we see are attackers throwing everything they can at the target in the hopes of finding a soft spot, or simply to cause as much damage as possible,” he added.

“Having said that, the majority of attacks we mitigate are short term bursts, launched by amateurs using DDoS-for-hire services. The motivations for launching these assaults are less thought out. Typically, these are acts of simple vandalism or a part of a cyber extortion campaign. In both cases, the perpetrators' primary goal is to take the target offline and inflict financial and reputational damage – either for bragging rights or for profit.”
