Dark Reading is part of the Informa Tech Division of Informa PLC


Perimeter

6/24/2019
06:45 PM

DDoS-for-Hire Services Doubled in Q1

Impact of FBI's takedown of 15 'booter' domains last December appears to have been temporary.

New data published this week demonstrates the troubling resilience of cybercriminals against mounting domestic and international efforts to stop them.

Nexusguard analyzed data gathered from multiple public and proprietary sources on distributed denial-of-service attacks during the first quarter of this year. The security vendor discovered that so-called booter websites offering DDoS services for hire more than doubled that quarter compared to the fourth quarter of 2018 - despite a major law enforcement crackdown on such sites in December.

DNS amplification attacks—one of the most popular booter services—soared 40% quarter-over-quarter amid uninterrupted demand among cybercriminals. Many of the DNS amplification attacks—where DNS servers are tricked into generating responses that are much larger than the original queries—targeted ISPs and telecommunications firms in Brazil.

Nexusguard's analysis also showed a continued trend toward what it calls bit-and-piece DDoS attacks, where threat actors spread tiny amounts of junk traffic across a large and diverse pool of IP addresses so that the pieces converge on, and block, a targeted IP.

Such attacks can be hard to mitigate because of the negligible size of the DDoS traffic being routed through each one of the hundreds of IP addresses used in an attack, says Donny Chong, product director of enterprise security solutions at Nexusguard. 
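The two mechanisms described above (bit-and-piece traffic whose per-source volume is negligible, and DNS amplification where responses dwarf the queries) can both be picked out of flow records once the aggregation is done at the right level. The following Python sketch is an added example, not Nexusguard's or Dark Reading's code: it shows that a per-source threshold misses bit-and-piece traffic while a per-destination-prefix aggregate catches it, and it flags amplified DNS replies by their average packet size combined with the absence of a matching query from the supposed client. The flow record shape, the thresholds and the sample traffic are assumptions constructed for illustration (TEST-NET address ranges only).

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    """One flow record in a simplified NetFlow-like shape (assumed format)."""
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    packets: int
    octets: int


def build_sample_flows():
    """Constructed sample traffic, not captured data. TEST-NET ranges only."""
    flows = []
    # Bit-and-piece: 300 distinct sources, each sending only 30 KB of UDP junk,
    # spread over five hosts in the victim's /24 so the pieces converge there.
    for i in range(300):
        src = f"203.0.113.{i + 1}" if i < 250 else f"198.51.100.{i - 249}"
        flows.append(Flow(src, f"192.0.2.{10 + i % 5}", "udp", 40000 + i, 80, 20, 30_000))
    # Ordinary web session to the same prefix.
    flows.append(Flow("198.51.100.200", "192.0.2.80", "tcp", 51000, 443, 12, 2_400))
    # Legitimate DNS exchange: a query from the victim host, a small reply back.
    flows.append(Flow("192.0.2.10", "198.51.100.53", "udp", 33000, 53, 1, 70))
    flows.append(Flow("198.51.100.53", "192.0.2.10", "udp", 53, 33000, 1, 180))
    # Amplified DNS: large replies from a resolver the victim never queried,
    # i.e. the spoofed-source pattern the article describes.
    flows.append(Flow("198.51.100.66", "192.0.2.10", "udp", 53, 1234, 100, 300_000))
    return flows


SAMPLE_FLOWS = build_sample_flows()


def per_source_totals(flows):
    """Bytes sent per source IP: the view a per-source rate limit sees."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src_ip] += f.octets
    return dict(totals)


def aggregate_by_destination(flows, prefix_len=24):
    """Bytes and distinct sources per destination prefix (the provider's pipe view)."""
    totals = defaultdict(lambda: {"octets": 0, "sources": set()})
    for f in flows:
        prefix = str(ip_network(f"{f.dst_ip}/{prefix_len}", strict=False))
        totals[prefix]["octets"] += f.octets
        totals[prefix]["sources"].add(f.src_ip)
    return totals


def find_bit_and_piece(flows, per_source_max=1_000_000, dest_min=5_000_000, prefix_len=24):
    """Return (prefix, total_bytes, distinct_sources) for prefixes whose aggregate
    inbound volume is large even though no contributing source exceeds the
    per-source threshold. Thresholds are illustrative assumptions."""
    per_source = per_source_totals(flows)
    hits = []
    for prefix, info in aggregate_by_destination(flows, prefix_len).items():
        if info["octets"] < dest_min:
            continue
        biggest = max(per_source[s] for s in info["sources"])
        if biggest <= per_source_max:
            hits.append((prefix, info["octets"], len(info["sources"])))
    return hits


def find_dns_amplification(flows, min_bytes_per_packet=1000, min_packets=50):
    """Flag UDP flows sourced from port 53 whose average packet size is far above a
    normal DNS reply and for which the destination never sent a query to that
    resolver. Returns (resolver_ip, victim_ip, avg_bytes_per_packet)."""
    queried = {(f.src_ip, f.dst_ip) for f in flows if f.proto == "udp" and f.dst_port == 53}
    hits = []
    for f in flows:
        if f.proto != "udp" or f.src_port != 53 or f.packets < min_packets:
            continue
        avg = f.octets / f.packets
        if avg >= min_bytes_per_packet and (f.dst_ip, f.src_ip) not in queried:
            hits.append((f.src_ip, f.dst_ip, avg))
    return hits


if __name__ == "__main__":
    print("largest single source:", max(per_source_totals(SAMPLE_FLOWS).values()), "bytes")
    print("bit-and-piece prefixes:", find_bit_and_piece(SAMPLE_FLOWS))
    print("amplified DNS replies:", find_dns_amplification(SAMPLE_FLOWS))
```

On the constructed sample, the largest single source sends 300 KB, well under a 1 MB per-source limit, yet the victim /24 receives over 9 MB from 303 sources; that gap between the per-source and per-destination views is what makes the attack hard to mitigate at the edge and is the quantity worth alerting on.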

"This form of attack hurts the service providers the most as it threatens to congest a service provider's pipe and causes widespread collateral damage for anyone on this pipe," he says.

In the first quarter of this year, such attacks became more automated and targeted, indicating that attackers have figured out how to launch them optimally, Nexusguard said in its report.

The growing popularity of bit-and-piece attacks may have also contributed to DDoS attack sizes overall—both average and peak—decreasing last quarter, Chong says. The maximum DDoS attack size that Nexusguard observed in Q1 of 2019 was 145.4GBps—a nearly 55% drop year over year. The average attack size of 0.823Gbps was almost 95% smaller than in Q1 of 2018.

Meanwhile, the trend toward the use of mobile devices and mobile botnets in DDoS attacks continued in the first quarter of 2019. Nexusguard's data shows that more than six in 10 application-layer DDoS attacks in Q1 originated from mobile gateways. The average duration of DDoS attacks involving mobile botnets was around 531 minutes, compared to 187 minutes last year. About 40% of DDoS attacks involving mobile devices originated from Android phones, while about 21% were from iOS devices, Nexusguard found.

"The resurgence of booters, the optimization of bit-and-piece attacks, and mobile sources overtaking desktop computers are significant findings," Chong says. But they are not unexpected. "If anything, it's more a confirmation of the trend and evolution that we're seeing."

Booter Services Back With a Vengeance

The resurgence of booter sites in particular is notable. Last December, the FBI—in collaboration with international counterparts—seized 15 Internet domains associated with some of the world's largest DDoS-for-hire-services.

Among the seized domains was Downthem, which carried out or attempted to carry out around 200,000 DDoS attacks between 2014 and 2018. Another seized domain—Quantum Stresser—had some 80,000 subscribers dating back to 2012, and in 2018 it was used to launch over 50,000 actual or attempted attacks against targets around the world.

The FBI's pre-Christmas 2018 crackdown succeeded in slashing the overall number of DDoS attacks globally by 11%, and average attack size by as much as 85%, in Q4 last year.

However, Nexusguard and others at that time warned of a rebound in booter services due to the strong and growing demand for them in the cyber underworld. The latest numbers appear to confirm that expectation. "The resurgence of DDoS-as-a-service and the growing botnets reinforce the evolving cyber threat of DDoS attacks for enterprises and communications service providers," Nexusguard said in the report Monday.

The same pattern has played out numerous times over the years. Law enforcement authorities in the US and other countries have taken down major underground marketplaces and dismantled organized groups engaged in illicit activities online, only to see others swiftly replace them.

The recent takedown of the xDedic marketplace for stolen servers, for instance, and the similar shutdowns of AlphaBay and Hansa Market in 2017, represented huge wins for law enforcement. Yet the malware and other hacking tools and services once available on these sites are now sold on smaller, decentralized sites and through other avenues.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
