Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/13/2020
04:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

DDoS Attacks Nearly Double Between Q4 2018 and Q4 2019

Peer-to-peer botnets, TCP reflection attacks, and increased activity on Sundays are three DDoS attack trends from last quarter.

The number of distributed denial-of-service (DDoS) attacks nearly doubled between the fourth quarter of 2018 and fourth quarter of 2019, researchers found in a new study of DDoS trends.

Last quarter brought an increase in the number of attacks relative to the third quarter of 2019, Kaspersky Labs researchers report, and attacks also lasted longer. This was expected, they said, as the fourth quarter is often a period of "retail warfare," driving cybercrime between October and December. The end of 2018 was "very calm" and set an expectation for a 2019 increase. However, researchers did not notice a spike in DDoS activity around Black Friday or Christmas.

DDoS attackers continued to leverage non-standard protocols for amplification attacks in the last quarter of 2019, researchers found. Adversaries have also adopted Apple Remote Management Service (ARMS), part of the Apple Remote Desktop (ARD) application for remote administration. This tactic was first spotted in June 2019; by October, attacks were widespread.

The fourth quarter of 2019 brought multiple high-profile DDoS attacks, including threats against financial organizations in South Africa, Singapore, and nations across Scandinavia. DDoS attacks aimed to cause disruption for the United Kingdom's Labour party and also targeted Minecraft servers at the Vatican. In a more recent case, just last week the FBI warned of a potential DDoS attack targeting a state-level voter registration and information site.

"This demonstrates that DDoS is still a common attack method among cybercriminals driven by ideological motives or seeking financial gain, and organizations should be prepared for such attacks and have a deep understanding of how they evolve," researchers said in a statement.

Other notable findings include a rise in "smart" DDoS attacks that focus on the application layer and are launched by skilled attackers. Researchers saw about 28% of DDoS attacks occurred on weekends. Sundays, in particular, proved popular, with 13% of attacks on this day of the week. While it may not seem significant, Sundays have historically been the quietest for DDoS activity and have been growing increasingly popular throughout 2019.

Researchers detected a growing number of peer-to-peer botnets in the past quarter; these operate independent of command-and-control servers and are more difficult to neutralize. One of these botnets, discovered by 360 Netlab researchers, is named Roboto and targets Linux servers. Another, Mozi, typically targets IoT devices and spreads using the DHT protocol.

Some adversaries continue to leverage proven tools and tactics in their DDoS attacks. In the fourth quarter of 2019, researchers saw a wave of TCP reflection attacks in which attackers send requests to legitimate services while appearing as the victim. The victim is overwhelmed with responses; as a result, the attackers' IP addresses don't show alerts.

While the duration of DDoS attacks may have slightly lengthened between the third and fourth quarters of 2019, Imperva data indicated a trend toward cheaper and shorter attacks overall. More than 51% of attacks lasted barely 15 minutes in 2019, and only 10% lasted between 15 to 30 minutes. Experts attribute the shift to more availability and use of DDoS-for-hire services, which let nearly anyone strike targets of their choosing with small attacks for as little as $5.

Researchers anticipate stability in DDoS attacks going forward. "Seems like the DDoS market have re-stabilized — we see no prerequisites for either a fall or further growth," they wrote in a blog post on their findings. "There have been no high-profile arrests or closures of specialized websites for quite some time, and the cryptocurrency market is not showing explosive growth."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Chaos & Order: The Keys to Quantum-Proof Encryption"

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8423
PUBLISHED: 2020-04-02
A buffer overflow in the httpd daemon on TP-Link TL-WR841N V10 (firmware version 3.16.9) devices allows an authenticated remote attacker to execute arbitrary code via a GET request to the page for the configuration of the Wi-Fi network.
CVE-2019-14868
PUBLISHED: 2020-04-02
In ksh version 20120801, a flaw was found in the way it evaluates certain environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Services and applications that allow remote unauthenticated attackers to provide one of those env...
CVE-2019-20635
PUBLISHED: 2020-04-02
codeBeamer before 9.5.0-RC3 does not properly restrict the ability to execute custom Java code and access the Java class loader via computed fields.
CVE-2020-11452
PUBLISHED: 2020-04-02
Microstrategy Web 10.4 includes functionality to allow users to import files or data from external resources such as URLs or databases. By providing an external URL under attacker control, it's possible to send requests to external resources (aka SSRF) or leak files from the local system using the f...
CVE-2020-11453
PUBLISHED: 2020-04-02
Microstrategy Web 10.4 is vulnerable to Server-Side Request Forgery in the Test Web Service functionality exposed through the path /MicroStrategyWS/. The functionality requires no authentication and, while it is not possible to pass parameters in the SSRF request, it is still possible to exploit it ...