DDoS toolkits boost attacks in first quarter of 2014

DDoS toolkits boosted amplification attacks in the first quarter of the year, according to Prolexic report

The average peak bandwidth of distributed denial of service (DDoS) attacks increased by 114% from the last quarter of 2013 and the first quarter of 2014, a report has revealed.

Attackers chose reflection rather than infection techniques to achieve larger attacks, according to the latest global DDoS attack report by Proxlexic Technologies, now part of Akamai Technologies.

“In the first quarter, DDoS attackers relied less upon traditional botnet infection in favour of reflection and amplification techniques,” said Stuart Scholly, senior vice-president and general manager of security at Akamai.

“Instead of using a network of zombie computers, the newer DDoS toolkits abuse internet protocols that are available on open or vulnerable servers and devices,” he said.

This well-established trend raises concerns that this approach could lead to the internet becoming a ready-to-use botnet for malicious actors.

Prolexic found the most abused protocols include Character Generator (CHARGEN), Network Time Protocol (NTP) and Domain Name System (DNS).

These protocols, all based on the User Datagram Protocol (UDP), may be favoured, as they allow attackers to hide their identity.

Amplification-based attacks are popular with attackers because they can deliver a massive flood of data at the target while requiring only a relatively small output from the source.

According to Prolexic, new reflection and amplification attack tools can deliver a powerful punch.

The report said that the first quarter saw a 39% increase in average bandwidth and the largest-ever DDoS attack to cross the Prolexic DDoS mitigation network.

This attack involved multiple reflection techniques combined with a traditional botnet-based application attack to generate peak traffic of more than 200 gigabits per second (Gbps) and 53.5 million packets per second.

This first quarter of the year also saw more than half of the DDoS attack traffic aimed at the media and entertainment industry, which was targeted by 54% of the malicious packets mitigated by Prolexic during active DDoS attacks in the first quarter.

Comparing the first quarter of the year with the same period in 2013, the report showed:

  • 47% increase in total DDoS attacks
  • 9% decrease in average attack bandwidth
  • 68% increase in infrastructure (layer 3 & 4) attacks
  • 21% decrease in application (layer 7) attacks
  • 50% decrease in average attack duration: 35 v 17 hours
  • 133% increase in average peak bandwidth

Comparing the first quarter of the year with the last quarter of 2013, the report showed:

  • 18% increase in total DDoS attacks
  • 39% increase in average attack bandwidth
  • 35% increase in infrastructure (layer 3 & 4) attacks
  • 36% decrease in application (layer 7) attacks
  • 24% decrease in average attack duration: 23 v 17 hours
  • 114% increase in average peak bandwidth

The report said innovation in the DDoS marketplace has given rise to tools that can create greater damage with fewer resources.

The first quarter's high-volume, infrastructure-based attacks were made possible by the availability of easy-to-use DDoS tools from the DDoS-as-a-service marketplace.

These tools are designed by malicious hackers to deliver greater power and convenience into the hands of less skillful attackers. 

For example, in the first quarter, NTP reflection attacks surged, probably owing to the availability of easy-to-use DDoS attack tools that support this reflection technique.

The NTP flood method went from accounting for less than 1% of all attacks in the previous quarter to reaching almost the same popularity as SYN flood attacks, a perennial favourite among DDoS attackers.

Neither CHARGEN nor NTP attack vectors were detected in the first quarter of 2013, but accounted for 23% of all infrastructure attacks mitigated by Prolexic in Q1 2014.

Read more on Hackers and cybercrime prevention

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.