How the DDoS threat is growing and changing
One of the largest DDoS attacks publicly reported up to that point, peaking at around 620Gbps, hit the website of security journalist Brian Krebs in September 2016.
That same month, security luminary Bruce Schneier published an essay titled "Someone Is Learning How to Take Down the Internet". A month later, a new wave of huge attacks disrupted whole sections of the internet in what became known as the Dyn DDoS.
Starting on October 21st, 2016, the DNS service provider Dyn was subjected to successive waves of a connected DDoS attack, launched from what it estimated as at least "100,000 malicious endpoints". Because Dyn provided authoritative DNS for many large websites, those sites became unreachable even though their own servers were untouched; the disruption affected a wide range of services, and the world braced itself for an unknown future.
The attacks were made possible by the inadequate security built into the rapidly growing internet of things (IoT). Criminals were able to compromise and co-opt hundreds of thousands of these devices, particularly routers, IP cameras and DVRs, by logging in over telnet with factory-default credentials, forming what is known as the Mirai botnet. The sheer size of this botnet makes it a very serious, potentially catastrophic, threat; and it is still growing. On July 21st, 2017, a hacker known as BestBuy pleaded guilty to attempting to recruit around 900,000 Deutsche Telekom routers into his own Mirai-based botnet, an attack that instead knocked those routers offline.
By the end of 2016, experts were predicting serious internet disruptions for 2017. So far, that hasn't happened; but IoT security has not improved, and Mirai undoubtedly continues to grow. Akamai's Q2 2017 State of the Internet / Security report, published on Tuesday, 22 August 2017, says that, following a quiet first quarter, the number of DDoS attacks rose by a staggering 28% in the second quarter. But there is one major difference from late 2016: while the quantity and frequency of attacks has grown, their size has shrunk.
The potential for huge attacks remains. Apart from Mirai, Akamai notes the growth of Pbot botnets. These differ from most other botnets by infecting webservers rather than consumer endpoint devices. A webserver has far more bandwidth than a home router or camera, so a relatively small Pbot botnet can deliver a strikingly large attack. Indeed, Akamai monitored one such attack against a financial institution that peaked at 75Gbps from just 400 nodes.
Websites and webservers are easy targets for hackers. There are huge numbers of poorly protected blog sites run by amateurs and hosted on shared servers. Few of the administrators look at their logs; if they did, they would see daily brute-force attempts against their administrator login pages (on WordPress, the wp-login.php and xmlrpc.php endpoints are the usual targets). The threat from compromised webservers delivering new large-scale attacks will only get worse.
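To show what those administrators would find, here is an added example (not code from the original article or from Akamai) that scans webserver access logs in the Apache/nginx "combined" format for the pattern described above: many POSTs to a login endpoint from one source address in a short window. The log lines it runs on are constructed for the example, the endpoint list, the threshold of 10 attempts in 5 minutes and the use of nginx `deny` directives as the response are all assumptions, and the tool would normally be pointed at a real access.log instead of the built-in sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format:
# ip - user [time] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed login endpoints worth watching (WordPress and Joomla defaults).
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php", "/administrator/index.php")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: total_login_posts} for every IP that sent at least
    `threshold` POSTs to a login endpoint inside any `window`-long span."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]          # drop the query string
        if not any(path.endswith(p) for p in LOGIN_PATHS):
            continue
        attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0                                     # sliding window over timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def nginx_deny(flagged):
    """Render the flagged IPs as nginx `deny` directives (assumed response action)."""
    return "\n".join("deny %s;" % ip for ip in sorted(flagged))


def constructed_sample():
    """Constructed sample log lines, not a real capture."""
    def line(ip, ts, method, path, status, ua="Mozilla/5.0"):
        return '%s - - [%s] "%s %s HTTP/1.1" %d 3472 "-" "%s"' % (
            ip, ts.strftime("%d/%b/%Y:%H:%M:%S %z"), method, path, status, ua)

    base = datetime(2017, 8, 22, 3, 14, 0, tzinfo=timezone.utc)
    lines = [line("198.51.100.7", base, "GET", "/index.php", 200)]
    # Bot hammering wp-login.php every five seconds: 12 failed logins
    # (WordPress re-renders the form with HTTP 200 on failure, redirects with 302 on success).
    lines += [line("203.0.113.45", base + timedelta(seconds=5 * i), "POST",
                   "/wp-login.php", 200, "python-requests/2.18") for i in range(12)]
    # Second bot abusing the XML-RPC interface, landing exactly on the threshold.
    lines += [line("192.0.2.17", base + timedelta(seconds=10 * i), "POST",
                   "/xmlrpc.php", 200) for i in range(10)]
    # A legitimate administrator who mistyped once, then logged in.
    lines += [line("198.51.100.7", base + timedelta(minutes=1), "POST", "/wp-login.php", 200),
              line("198.51.100.7", base + timedelta(minutes=1, seconds=20), "POST", "/wp-login.php", 302)]
    return lines


if __name__ == "__main__":
    hits = find_bruteforce(constructed_sample())
    for ip, n in hits.items():
        print("%s: %d login POSTs" % (ip, n))
    print(nginx_deny(hits))
```

Run against a real log with `find_bruteforce(open("/var/log/nginx/access.log"))`; the sliding window means a slow, spread-out guesser stays under the threshold, so pair this with per-account failure counts or rate limiting at the login endpoint rather than relying on source-IP counts alone.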
Meanwhile, the nature of Mirai attacks seems to have changed. While it is often thought of as one big botnet, in reality Mirai is many separate botnets built from the same (now public) source code, each with its own command-and-control (C&C) server. Combined, they could be massive; in practice, they are many smaller botnets operating independently. According to Akamai, these botnets launch short-lived attacks, go quiet, and are later reactivated against a completely different target. Akamai believes this is typical 'pay-for-play' activity, which supports the idea that DDoS attacks have been commoditized.
This is a different type of threat from the one that afflicted the internet in the latter part of last year. It doesn't mean that huge attacks by criminal gangs, hacktivists or even nation states have gone away forever; but they are now augmented by a new problem: the disgruntled, angry or simply malicious individual who can hire a botnet at low cost for a short period simply to vent their anger against a real or imagined rival.
A 2015 research paper analysed the easy, low-cost access to DDoS attacks via 'booter' (or 'stresser') services, which offer targeted DDoS attacks to subscribers for as little as $10 USD per month. Mirai-based botnets seem to be continuing this trend.
With so many potential targets and now so many potential aggressors, it would be useful to be able to predict attacks based on motive – but this is virtually impossible. "There are many factors which affect the motives behind DDoS attacks," comments Akamai senior director Joe Coley, "and they vary wildly depending on the target. However, the most common motivation often sees individuals looking for ‘street cred’ from fellow hackers or trying to extort a business by threatening to take them offline. Hackers also use DDoS attacks as a cover for other illegal activities. For example, hackers can DDoS a site then redirect customers away to a fake site using DNS poisoning. In doing so, unsuspecting users may not realise the redirection and input their personal details, effectively handing them over to the hackers."
Targets vary as much as perpetrators. "DDoS attacks affect almost every vertical," Coley continues, "ranging from financial and governmental sites, to gambling and education – and hackers will have different motivations for targeting each. This makes it difficult to predict where attacks will come next based on previous behaviour, although some sites will always be targeted more than others such as gaming and finance because of the value."
But if the commoditization of DDoS is genuine, we may have a new target and a new attacker: the non-technical man-in-the-street with a grudge against anything or anyone.