DDoS threatscape getting much worse

These startling figures come from the latest quarterly Global DDoS Attack Report from Prolexic. “It’s quite possible,” notes the report, “that this will be seen as a landmark quarter for distributed denial of service (DDoS) attacks. Never before have attacks been this formidable.” In fact, it is not the overall number of attacks that has increased (up, but not dramatically, from the previous quarter’s high); it is the intensity of the attacks that has changed.

“It’s a classic change-up,” says Stuart Scholly, president at Prolexic. “Nearly everyone has been focused on bandwidth and gigabits per second, but it’s the packet rate that’s causing the most damage and presenting the biggest challenge. These packet rates are above the thresholds of all but the most expensive routers and line cards and we are seeing networks buckle as a result.” A side-effect is collateral damage. “Because DDoS attackers are targeting ISP and carrier router infrastructures, overwhelming them with huge packet-per-second floods, your site could go down as collateral damage when a router fails. Even worse, your service provider may blackhole or null route your traffic to save its own network,” warns Prolexic.
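
The packet-rate point Scholly makes is easy to quantify. The following is an added example, not code from the Prolexic report or this article: it converts a flood's bit rate into the packets per second a router must forward, using standard Ethernet framing overhead (8-byte preamble/SFD and 12-byte inter-frame gap on the wire, 64-byte minimum and 1518-byte maximum non-jumbo frames). The 30 Mpps forwarding budget used in the demo is an assumed, illustrative figure, not a measurement of any product.

```python
"""
Bit rate vs. packet rate for a DDoS flood.

Added example, not part of the Prolexic report or the article. Ethernet
framing figures are the standard ones; the router budget in the demo is
a made-up illustrative number.
"""

PREAMBLE_SFD_BYTES = 8    # preamble + start-of-frame delimiter, on the wire
IFG_BYTES = 12            # inter-frame gap, on the wire
MIN_FRAME_BYTES = 64      # smallest legal Ethernet frame (incl. FCS)
MAX_FRAME_BYTES = 1518    # largest standard (non-jumbo) frame (incl. FCS)


def wire_bits(frame_bytes: int) -> int:
    """Bits one frame occupies on the wire, including framing overhead."""
    if frame_bytes < MIN_FRAME_BYTES:
        raise ValueError("frame smaller than the Ethernet minimum")
    return (frame_bytes + PREAMBLE_SFD_BYTES + IFG_BYTES) * 8


def packets_per_second(gbps: float, frame_bytes: int) -> float:
    """Frames per second that a flood of `gbps` delivers at one frame size."""
    return gbps * 1e9 / wire_bits(frame_bytes)


def gbps_for_pps(pps: float, frame_bytes: int) -> float:
    """Bit rate needed to reach `pps` packets per second at one frame size."""
    return pps * wire_bits(frame_bytes) / 1e9


def exceeds_forwarding_budget(router_pps: float, gbps: float,
                              frame_bytes: int) -> bool:
    """True if the flood's packet rate is above what the router can forward."""
    return packets_per_second(gbps, frame_bytes) > router_pps


def profile(gbps: float, router_pps: float) -> list:
    """(frame size, pps, over budget?) for a flood at small, mid and max frames."""
    rows = []
    for size in (MIN_FRAME_BYTES, 512, MAX_FRAME_BYTES):
        pps = packets_per_second(gbps, size)
        rows.append((size, pps, pps > router_pps))
    return rows


if __name__ == "__main__":
    ROUTER_PPS = 30e6   # hypothetical forwarding budget for one line card
    for gbps in (10.0, 60.0, 160.0):
        print(f"{gbps:6.1f} Gbps flood:")
        for size, pps, over in profile(gbps, ROUTER_PPS):
            flag = "EXCEEDS budget" if over else "ok"
            print(f"  {size:5d}-byte frames -> {pps / 1e6:8.2f} Mpps  {flag}")
    # Bit rate at which a 64-byte flood alone exhausts the budget:
    print(f"64-byte flood reaches {ROUTER_PPS / 1e6:.0f} Mpps at "
          f"{gbps_for_pps(ROUTER_PPS, MIN_FRAME_BYTES):.2f} Gbps")
```

Run as a script it shows why "60 Gbps" on its own says little: at 1518-byte frames that is under 5 Mpps, but at 64-byte frames it is roughly 89 Mpps, and the hypothetical 30 Mpps line card is already saturated by a 64-byte flood of only about 20 Gbps.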

One thing that seems clear is that considerable resources are behind attacks of this size, making it unlikely that they are ‘simple’ hacktivist protests. The latest attacks on WordPress sites are possibly indicative. While the purpose behind those attacks is not yet clear, the attempt to compromise large numbers of servers rather than home PCs could be an attempt to build a new and more powerful botnet for exactly this type of large-scale DDoS attack. “These attacks go beyond common script kiddies as indicated by the harvesting of hosts, coordination, schedules and specifics of the selected attack targets. These indicators point to motives beyond ideological causes, and the military precision of the attacks hints at the use [of] global veteran criminals that consist of for-hire digital mercenary groups.” The report adds, “Next quarter, we can expect the largest attacks to continue to come from these infected web servers.”

Unstated, but clearly implied, is the collaboration of nation-state resources with criminal mercenaries, and the potential for the emergence of high-power DDoS as a cyber weapon. “It is also notable that this quarter Iran became one of the top 10 countries sourcing malicious traffic. This is very interesting because Iran enforces strict browsing policies similar to Cuba and North Korea.” Again, the implication is that this cannot happen without official sanction or direction. It is notable that the continuing large-scale attacks against US banks are claimed by the Izz ad-Din al-Qassam Cyber Fighters, a group that has been circumstantially tied to Iran via Hamas.

Prolexic doesn’t expect things to improve. “It was just September when Prolexic saw that 50 Gbps was an easily attainable attack characteristic. We are now seeing over 10 percent of attacks exceeding the 60 Gbps threshold. Already in Q2 2013, we have mitigated an attack that exceeded 160 Gbps. PLXsert (the Prolexic security engineering and response team) would not be surprised if, by the end of the quarter, we saw an attack break the 200 Gbps mark.”