Attacks/Breaches

Chinese Telecom DDoS Attack Breaks Record

A distributed denial of service siege spanning more than 11 days broke a DDoS record for the year, according to a report from Kaspersky Lab.

DDoS attackers launched a 277-hour attack against a Chinese telecom company in the second quarter of 2017, registering a 131% hourly increase compared to the longest attack recorded earlier this year, according to a report released this week by Kaspersky Lab.

The 2017 DDoS Intelligence Report, which culls data from botnets detected and analyzed by Kaspersky Lab, says that the Chinese telecom siege that spanned more than 11 days is also, so far, a record for the year, demonstrating that long-lasting DDoS attacks have re-emerged.

But pinpointing the reason for this rise is difficult. "There is no explanation why the length grew – such fluctuation happens from time to time," says Oleg Kupreev, lead malware and anti-botnet analyst for Kaspersky Lab.

The most powerful attack that the Kaspersky report notes occurred in the second quarter. It was 20GB per second, Kupreev says, adding that it lasted about an hour and used the connectionless User Datagram Protocol (UDP). Usually, most UDP flood attackers are not more than 4GB per second, he says.

According to a Corero Network Security report, low-volume DDoS attacks still represent a majority of the sieges against networks.

DDoS Attack Footprint Expands

During the second quarter, the number of countries facing DDoS attacks jumped to 86 countries verses 72 in the first quarter, according to the report. The top 10 countries hit with attacks include the US, China, South Korea, Hong Kong, UK, Russia, Italy, France, Canada, and the Netherlands.  

"Online resources in one country can often be located on servers in another country – mostly in China, US, South Korea, and this is why these countries are always among the most targeted," Kupreev says.

Italy posted a 10-fold increase in DDoS attacks while the Netherlands experienced a 1.5x increase, which pushed Vietnam and Denmark off the top 10 list, according to the Kaspersky report.

Ransom Without DDoS Attacks Rise

A popular twist to ransom DDoS attack threats emerged in the second quarter, says Kupreev. Cybercrimminals would distribute their ransom threats to pay up or face a DDoS attack to a large group of companies, he says. But rather than send a short-term DDoS attack to show they mean business, no demo is sent with the hope that the company will pay the ransom on the threat alone, he explains.

"Any fraudster who doesn’t even have the technical knowledge or skill to organize a full-scale DDoS attack can purchase a demonstrative attack for the purpose of extortion," adds Kirill Ilganaev, head of Kaspersky DDoS Protection at Kaspersky Lab. "These people are mostly picking unsavvy companies that don’t protect their resources from DDoS in any way and therefore, can be easily convinced to pay ransom with a simple demonstration."

Despite a growing interest by cyberthieves to conduct a DDoS-less ransom scheme or a full-fledge DDoS Ransom attack, Kupreev says he does not expect this form of extortion to overtake normal DDoS attacks anytime soon.

"The share of 'normal' DDoS attacks will always outnumber RDDoS, as there are many other reasons behind DDoS attacks in addition to money extortion: unfair competition, political struggle, hacktivism, smokescreening etc.," Kupreev says. "Moreover, unavailability of online resources for many companies can be even more damaging than [the] amount of extortion."

Related Content:

 

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jklingel296
50%
50%
jklingel296,
User Rank: Apprentice
10/4/2017 | 11:40:07 AM
More facts about the Chinese telecom company?
Hello,

Does anybody have more facts about the unnamed Chinese telecom company, the damage done by the DDoS attack, and the attackers? I searched the Internet and found nothing.

Best regards

Jan Klingel

 
How the US Chooses Which Zero-Day Vulnerabilities to Stockpile
Ricardo Arroyo, Senior Technical Product Manager, Watchguard Technologies,  1/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3906
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 contains hardcoded credentials in the WCF service on port 9003. An authenticated remote attacker can use these credentials to access the badge system database and modify its contents.
CVE-2019-3907
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password).
CVE-2019-3908
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores backup files as encrypted zip files. The password to the zip is hard-coded and unchangeable. An attacker with access to these backups can decrypt them and obtain sensitive data.
CVE-2019-3909
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 database uses default credentials. Users are unable to change the credentials without vendor intervention.
CVE-2019-3910
PUBLISHED: 2019-01-18
Crestron AM-100 before firmware version 1.6.0.2 contains an authentication bypass in the web interface's return.cgi script. Unauthenticated remote users can use the bypass to access some administrator functionality such as configuring update sources and rebooting the device.