DDoS attacks in Q3 2019

[harlan4096]

News overview

This past quarter we observed a new DDoS attack that confirmed our earlier hypothesis regarding attacks through the Memcached protocol. As we surmised, the attackers attempted to use another, rather exotic protocol to amplify DDoS attacks. Experts at Akamai Technologies recently registered an attack on one of their clients that was carried out by spoofing the return IP address through the WS-Discovery multicast protocol. According to other security researchers, cybercriminals started using this method only recently, but have already achieved an attack capacity of up to 350 Gbps. The WSD protocol has limited scope and is not generally intended for connecting machines to the Internet; rather devices use it to automatically discover each other on LANs. However, it is fairly common for WSD to be used not entirely for its intended purpose in a variety of equipment — from IP cameras to network printers (about 630,000 such devices are currently hooked up to the Internet). Given the recent rise in the number of WSD-based attacks, owners of such devices are advised to block on the server UDP port 3702, which is used by this protocol, and to take a number of additional steps to protect their routers.

Another new tool in the hands of DDoSers was detected by our colleagues at Trend Micro in the shape of a new payload distributed through a backdoor in the data search and analytics tool Elasticsearch. The malware is dangerous because it employs a multi-stage approach to infection, successfully avoids detection, and can be used to create botnets for launching large-scale DDoS attacks. Trend Micro recommends all Elasticsearch users to upgrade to the latest version, since the backdoor has already been patched.

That said, cybercriminals are far more likely to turn to proven techniques than to try out new ones. For instance, when last year the FBI took down a number of inexpensive DDoS-for-hire sites, new ones immediately sprang up in their place, and today the threat is more acute than ever. According to some reports, the number of attacks carried out with their assistance increased by 400% against the previous quarter.

It is highly likely that the attack on World of Warcraft Classic, launched in early September in several waves was organized through such a service. Before each episode, a certain Twitter user warned of the impending attack. Blizzard later announced the arrest of the mastermind, although whether it was the owner of the corresponding Twitter account remains unclear. But if so, it is hard to escape the conclusion that, far from being a member of a spin-off hacker group, it was a client of a DDoS-for-hire service.

Using another tried-and-tested method (a botnet similar to Mirai — or one of its clones), a 13-day application-level attack was unleashed in July against a streaming service with a capacity of up to 292,000 requests per second. The attack involved about 400,000 devices, mainly home routers.

But whereas the motives behind these two attacks can only be guessed at, two other attacks that took place this summer and fall were almost certainly politically driven. Thus, August 31 saw the targeting of LIHKG Forum, one of the main websites used by protesters in Hong Kong to coordinate their actions. According to the site owners, it was hit by 1.5 billion requests in 16 hours, taking it temporarily offline and causing the mobile app to malfunction.

Soon after that, an attack was conducted on Wikipedia. It began on the evening of September 6 and made the world’s largest online encyclopedia temporarily unavailable to users in various countries of Europe, Africa, and the Middle East. Wikipedia gets hit quite often, but this attack was exceptional in terms of capacity (exact figures are not available, but unofficial sources say more than 1 Tbps) and duration (three days).

The attack organizers remain at large, but several other investigations over the past quarter did reach their logical conclusion. For instance, in early July a US federal court sentenced a certain Austin Thompson of Utah to 27 months in prison and a fine of $95,000 for an attack on Daybreak Game Company (formerly Sony Online Entertainment). And on September 6 another cybercriminal, Kenneth Currin Schuchman of Washington State, admitted his involvement in setting up the Satori IoT botnet.

On the topic of law enforcement efforts, mention must be made of one other piece of news that highlights the importance of prevention in the fight against DDoS attacks. For several quarters now, the section on global botnet activity in our report has featured countries that just a couple of years ago were unlikely contenders to make the ratings. Moreover, the shares of other countries previously beloved of cybercriminals have been falling. This trend was also noted by TechNode, backed up by data from Nexusguard and the World Bank. Our colleagues pinpoint two factors to explain the situation. First, countries once collectively referred to as the Third World have seen rising living standards. More and more residents there are acquiring smartphones and broadband routers — that is, devices that most botnets are made from. Second, in regions where cybercriminals have been plying their trade for a long time, cybersecurity awareness is on the up, and more effective measures are being taken to protect devices, including at the provider level, which means that attackers are having to search for pastures new. This is what is changing the face of our lists of regions by number of cyberattacks.

Quarter trends

Q3 typically sees a lull in DDoS activity over the summer months, followed by a September spike associated with the start of the academic year. This year was no exception.

According to data from Kaspersky DDoS Protection, the number of smart attacks (that is, ones more technically sophisticated and requiring more ingenuity) declined significantly in Q3 against the previous quarter. However, comparing this indicator with the same period last year, we see more than double growth. The prediction made in previous reports is clearly coming true: the DDoS market is stabilizing for smart attacks too. With this in mind, it will be extremely interesting to see the Q4 results.

This stabilization of the market, where growth has been observed throughout the year, is also evidenced by the fact that the average duration of smart attacks is practically unchanged since Q2, yet almost double against Q3 2018. At the same time, the average duration of all attacks fell slightly due to the overall increase in the number of short-lived DDoS sessions.

The giant leap in the maximum duration of attacks on the graph comes from one very long smart attack that we observed this quarter. That this is just a curious anomaly is clearly visible from the medium-length columns.
The ratio of smart attacks to the total number of offensives almost halved against the previous quarter but increased by 7 p.p. compared to Q3 2018; the decline in the share of smart attacks against the end of H1 is due to the quirks of September’s statistics.

Like last year, the arrival of September went hand in hand with a significant rise in the number of DDoS attacks. Moreover, this month accounted for 53% of all Q3 attacks, and it was only because of September that any growth in general was observed.

What’s more, 60% of DDoS activity in the early fall was directed at education-related resources: electronic grade books, university websites, and the like. Against the backdrop of such attacks, most of which are short and poorly organized, the share of smart attacks in Q3 sank by 22 p.p.

We observed a similar picture last year, since it is due to students returning to school and university. Most of these attacks are acts of cyber hooliganism carried out by amateurs, most likely with no expectation of financial gain.

Note that the total number of attacks in September 2019 versus September 2018 increased by 35 p.p., while the total number of attacks in Q3 2019 compared to Q3 2018 climbed by 32 p.p. That is, these figures are roughly the same, while the difference in the growth indicators for the number of smart attacks is far greater: whereas the total number of smart attacks increased by 58 p.p., the number of smart attacks in September rose by only 27 p.p., and the month’s share of smart attacks even declined by 3 p.p. This confirms once again the extent to which September skews the overall statistical picture.
...

Continue Reading