Volumetric Attacks and the IoT Dominate DDoS Scene

Three out of every four distributed denial of service (DDoS) attacks employed blended, multi-vector approaches in the second quarter of 2017, tapping the internet of things (IoT) and ramping up the volume.

That’s according to Nexusguard’s Q2 2017 Threat Report, which measured more than 8,300 attacks. It found that 23.68% of attacks targeted a single vector, while the rest (76.32%) were blended, multi-vector attacks.

The analysis also showed that hackers continued to rely on volumetric attacks to overwhelm system resources.

For example, User Datagram Protocol (UDP)-based attacks increased by 15% in the quarter, accounting for 77% of attacks. These largely targeted hijacked connected devices, and overtook SYN, HTTP Flood and other volumetric attacks in popularity. The average attack was 4.63 Gbps in size.

“UDP Flood was by far the quarter’s most common DDoS method, surging 168% over Q4 2016,” the firm noted in the report. “The goal of the attacker is to overwhelm system resources, disabling end-users from accessing them. Oversized UDP packets in vast numbers are sent to random ports on the victim’s system. When no application is available to ‘listen’ at the port, the system replies with an Internet Control Message Protocol (ICMP) destination unreachable packet. Consequently, if a large number of UDP packets is handled, the victim will be forced to send numerous ICMP packets. In most cases, these attacks are accomplished with spoofed IP addresses that mask the attacker’s source address. Moreover, UDP Flood can be manipulated to leverage an amplification factor to increase the attack size exponentially.”
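The signature the report describes (many UDP packets spread across random ports, answered by a stream of ICMP destination-unreachable replies) can be picked out of flow data. The following is an added example, not code from Nexusguard or the article; it runs over constructed sample records, and the IP addresses, thresholds and record layout are assumptions.

```python
from collections import defaultdict

# Constructed sample traffic, not captured data: tuples of
# (src_ip, dst_ip, proto, dst_port, icmp_type). In practice these would be
# derived from NetFlow/sFlow records or a pcap.
def make_sample():
    records = []
    # Legitimate DNS client: a handful of packets to one well-known port.
    for _ in range(5):
        records.append(("10.0.0.5", "203.0.113.10", "udp", 53, None))
    # Flood: 400 UDP packets from one (likely spoofed) source to 400 distinct
    # high ports; 7919 is coprime with 64000, so the ports never repeat.
    for i in range(400):
        port = 1024 + (i * 7919) % 64000
        records.append(("198.51.100.77", "203.0.113.10", "udp", port, None))
    # The victim answers the closed ports with ICMP type 3 (destination unreachable).
    for _ in range(380):
        records.append(("203.0.113.10", "198.51.100.77", "icmp", None, 3))
    return records

def detect_udp_flood(records, min_packets=100, min_distinct_ports=50, min_icmp_ratio=0.5):
    """Flag (source, victim) pairs showing the UDP Flood pattern: many UDP
    packets spread over many ports, with the victim spending resources on ICMP
    unreachable replies. The source address is only a flow key; as the report
    notes, flood sources are usually spoofed, so this is not attribution."""
    udp_count = defaultdict(int)
    ports = defaultdict(set)
    icmp_unreach = defaultdict(int)  # keyed (flood_source, victim)
    for src, dst, proto, dport, icmp_type in records:
        if proto == "udp":
            udp_count[(src, dst)] += 1
            ports[(src, dst)].add(dport)
        elif proto == "icmp" and icmp_type == 3:
            icmp_unreach[(dst, src)] += 1  # reply travels victim -> source
    alerts = []
    for (src, victim), n in udp_count.items():
        distinct = len(ports[(src, victim)])
        unreach = icmp_unreach[(src, victim)]
        if n >= min_packets and distinct >= min_distinct_ports and unreach / n >= min_icmp_ratio:
            alerts.append({"src": src, "victim": victim, "udp_packets": n,
                           "distinct_ports": distinct, "icmp_unreachable": unreach})
    return alerts

if __name__ == "__main__":
    for alert in detect_udp_flood(make_sample()):
        print(alert)
```

The ICMP ratio is also the mitigation knob: rate-limiting a host's ICMP unreachable replies caps the resource cost the flood is designed to impose, independently of any upstream scrubbing.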

IoT networks meanwhile continued to be targeted by DDoS attacks during Q2, including a new botnet, Persirai, which attacked more than 1,000 different models of IP cameras.

“The recent spread of IoT botnets is thought to be behind the substantial growth in UDP-based attacks,” the report noted. “Owing to their lightweight nature, most are currently capable of only generating plain-vanilla UDP Flood attacks. But as IoT devices continue to advance, it is believed that botnet-driven DDoS attacks will soon grow significantly in size and in frequency.”

In terms of geography, DDoS extortion gangs became increasingly active in several European countries, and Switzerland made its first-ever appearance in the top three DDoS attacker countries. Nexusguard analysts found China was the leading source of DDoS attacks, originating 34% of the attacks measured and bumping the US to second place as the source of 21% of DDoS attacks.

Within the Asia Pacific region, about 75% of attacks originated from China, 11% from Hong Kong and 3.5% from Australian IP addresses.

“UDP attacks can frequently act as smokescreens over other malicious behavior, such as efforts to execute remote codes, malware or compromise personally identifiable information,” said Juniman Kasman, CTO for Nexusguard. “Due to the speed with which UDP attacks can overwhelm DNS servers and hijack IoT devices, rapid detection and response is critical for overcoming these types of attacks.”
