Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:25 PM
Curtis Franklin
Curtis Franklin
Curt Franklin

DDoS Trends Show Big Impact From Fewer Servers

A change in control networks means that this quarter saw DDoS attacks from fewer endpoints, each having a bigger impact.

Does "quality over quantity" matter when the subject is criminal activity? That's a key question raised by the latest edition of Akamai's Second Quarter, 2017 State of the Internet/Security Report, released this week.

According to the report, issued by the company for nearly a decade, the number of DDoS attacks is up sharply (28%) over the first quarter of 2017, but the number of devices used in the attacks is down even more dramatically -- from an average of 595,000 devices used per attack in Q1 to an average of 11,000 per attack in Q2 -- a drop of 98%.

In a telephone interview with Martin McKeay, Akamai security advocate and senior editor for the report, he told Security Now that the drop in the number of systems used to generate traffic did not mean that the amount of traffic used in the attacks also went down.

"The amount of traffic is comparable to a lot of the Marai attacks but it's being done with a fraction of the number of compromised systems," McKeay said. The difference, he explained, is the rise in the number of attacks making use of a malware variant called PBot to generate the traffic on systems -- and the systems on which PBot runs.

Where Marai took control of IoT end points like thermostats, lightbulbs and other small "smart" devices, PBot looks for larger quarry. "They were using things like Apache web servers and other servers like that," McKeay said. "They're taking advantage of devices or of systems that are designed to have a high bandwidth, designed to be able to respond with a lot of traffic and [where that traffic is] going to be viewed as normal."

The nature of the systems PBot uses has implications beyond just the possible volume of traffic. "Unless you have a SysAdmin that is really paying attention to their systems or seeing slowdowns because of the amount of traffic that PBot is sending, they could maintain control of these for some time," McKeay explained. And ultimately, that control could make for truly massive DDoS attacks.

"If Pbot or some of these other variants start making larger uses of the bandwidth of those systems they have compromised -- if they become more virulent -- then they can actually create much larger attacks," McKeay said. "We saw a 75 [gigabit per second] attack this quarter but it's almost certain that, within the next quarter or two, we're going to see some new attacks that are going to dwarf the attacks that we've seen in the past."

"If you'd asked me a year ago I would probably have expected attacks to be breaching five or six hundred gigs [per second] now. But I've now seen the Marai bot net and I think that by the end of the year it's quite likely that we might see a terabit attack on our network," he said. And that scale of attack is available to a much wider range of criminal actors.

McKeay explained that Akamai researchers have been looking at the command and control structure of the Marai bot net. After studying traffic on the control network for nine months, they were able to reach some conclusions about how the network of zombie traffic generators is being used.

"There's a number of the command and control structures that are hitting one or two maybe five targets. So a relatively small cluster of targets," McKeay said, telling Security Now that this was the sort of pattern you would expect if the developer of a bot net was using the net for their own purposes. "Then you've got a lot of the command and control structures that are sending out commands to hit dozens to 100 or more targets. And what that tells us is that command and control structure is being used as a 'pay for play' or for-rent bot net," he said.

Track the heartbeat of the virtualization movement with Light Reading at the NFV & Carrier SDN event in Denver. There's still time to register for this exclusive opportunity to learn from and network with industry experts -- communications service providers get in free!

Someone who wants to damage the business of a rival or enemy can rent the bot net's services for a few minutes or a day. But the purpose of the network isn't to punish a single target -- it's to be a commercial resource that can be turned to profit for the owner. "They're using it to make money," McKeay said. "I mean, we've known that they existed. We suspected that Marai was being used but this has showed us that it almost certainly is one of the latest in for-pay DDoS attacks."

Related posts:

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-19
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package < 1.0.0 may lead to a denial-of-service (DoS) attack.
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...