DDoS attacks: another year on the dark side

cyber crime

It’s that time of year again. Time to look back on 2018 for notable IT security trends and events. All in all, 2018 has been another year of growth in DDoS attacks and remarkable—if twisted—ingenuity on the part of DDoS attackers.

2018: the year of more

This year has been significant for more of everything DDoS-related. Peak attack volume, variety of techniques, complexity…you name it. Specifically, the record shows:

  • Highest attack volumes on record. In February and March, high-volume DDoS attacks plastered a code platform website and a DNS services vendor with 1.3 Tbps and 1.7 Tbps torrents of junk traffic. This is a 183-percent increase compared to two years ago.
  • More attack techniques. DDoS attacks come in a variety of shapes and sizes. DDoS attacks crash hardware or flood services. But currently, attackers use 21 different techniques to do their dirty work.
  • Greater attack persistence. The one-off DDoS attack is losing favor with cyber-attackers. Attacks are more persistent—they hammer the same targets again and again. In fact, of the organizations hit with DDoS attacks, a third are targeted at least 10 times.
  • More complex exploits. Attackers now throw multiple waves of junk traffic at targets. Or they combine techniques, adding application-level attacks to the more familiar volume-based exploits.
  • More resources for attackers. Why are DDoS attacks getting more powerful and sophisticated? In part, it’s the easy availability of DDoS-for-hire services and increasingly sophisticated attack methods. Simply put, DDoS attacks are relatively easy and cheap to do. Even novice hackers can lay waste to targets with a swipe of their credit cards.

These trends made this year’s security news an interesting read. Here are five memorable attack-related events.

5 notable DDoS-related attacks

It’s a year-end tradition to note past IT events, usually in superlatives—the biggest, the longest, etc. Instead, the following list provides notable DDoS attacks. Some are notable because they were the biggest. But others focus attention on new types of attacks, cybercrook creativity, or other DDoS-related trends.

1. Solo teenager brings down Dutch banks and tax office

In February, massive DDoS attacks shut down services at Dutch banks Rabobank and ING, the Dutch Tax Office, and a government services portal.

At first, authorities thought that Russian entities were the culprit. But as officials gathered evidence, they reconsidered. It seems that the attacker was a local boy, an unrepentant local teenager named Jelle S. A repeat offender, the accused proved that DDoS attacks have become easy to do. The talented teenager was caught, but even working alone, he shut down banks and government agency services.

2. World-record amplified DDoS attack

Think of amplified DDoS attacks as “volumetric-plus” attacks. The volumetric attack was a massive DDoS exploit aimed at the GitHub developer community website. The “plus” was intelligent malware, which used AI and self-learning algorithms.

The malware targeted servers running Memcached, a popular memory-caching tool. The tools were poorly secured and exposed to the internet, a major IT security mistake. The malware amplified the usual flood of DDoS junk traffic many thousands of times. (Typical amplification factors for Memcached servers are 50,000 to 1!) The result: record-breaking peak traffic of 1.35 Tbps. Five days later, in March 2018, a similar attack on an unnamed U.S. IT company broke this record again. This time, the peak traffic was 1.73 Tbps.
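The misconfiguration behind the Memcached reflection attacks was a UDP listener reachable from the internet. The following audit script is an added example, not code from the original post or from the Memcached project: it parses a memcached command line and reports whether the UDP port is exposed. The flags it reads, `-U` (UDP port), `-l` (bind address) and `-p` (TCP port), are real memcached options; the sample command lines are constructed, and the `udp_default_on` switch is an assumption you must set from your package version (releases before 1.5.6 enabled UDP on port 11211 when `-U` was absent).

```python
"""Audit a memcached command line for the internet-exposed UDP listener that
the 2018 amplification attacks abused.  Added example (not from the post);
-U, -l and -p are real memcached flags, the sample command lines are made up."""

import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

LOOPBACK_NAMES = {"localhost"}


def is_reachable_from_network(addr: str) -> bool:
    """True if other hosts can reach a listener bound to addr.
    memcached accepts host:port in -l, so one trailing :port is stripped."""
    if addr in LOOPBACK_NAMES:
        return False
    host = addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # a hostname: assume it resolves to a routable address


@dataclass
class MemcachedAudit:
    udp_port: int                         # effective UDP port, 0 = disabled
    listen: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        return any(f.startswith("EXPOSED") for f in self.findings)


def audit_memcached(cmdline: str, udp_default_on: bool) -> MemcachedAudit:
    """udp_default_on: whether this memcached build turns UDP on when -U is
    absent (true for releases before 1.5.6, false afterwards)."""
    args = shlex.split(cmdline)[1:]       # drop the program name
    udp_port: Optional[int] = None
    listen: List[str] = []
    i = 0

    def value(flag: str) -> str:          # handles "-U 0" and "-U0" forms
        nonlocal i
        if args[i] == flag:
            i += 1
            return args[i]
        return args[i][len(flag):]

    while i < len(args):
        if args[i].startswith("-U"):
            udp_port = int(value("-U"))
        elif args[i].startswith("-l"):
            listen.extend(value("-l").split(","))
        i += 1

    effective = udp_port if udp_port is not None else (11211 if udp_default_on else 0)
    audit = MemcachedAudit(effective, listen)
    if effective == 0:
        audit.findings.append("OK: UDP listener disabled (-U 0)")
    elif not listen:
        audit.findings.append(f"EXPOSED: UDP {effective} on all interfaces (no -l)")
    else:
        for addr in listen:
            state = "EXPOSED" if is_reachable_from_network(addr) else "OK"
            audit.findings.append(f"{state}: UDP {effective} bound to {addr}")
    return audit


# Constructed command lines: the first is how an old default install ran,
# the second restricts memcached to TCP on the loopback interface.
VULNERABLE = "memcached -m 64 -p 11211 -u memcache"
HARDENED = "memcached -m 64 -p 11211 -u memcache -U 0 -l 127.0.0.1"

if __name__ == "__main__":
    for cmd in (VULNERABLE, HARDENED):
        print(cmd, "->", audit_memcached(cmd, udp_default_on=True).findings)
```

Run it against the actual command line from `ps` or the service unit on each cache host. Disabling UDP and binding to loopback (or a private interface) removes the reflector; blocking UDP/11211 at the network edge is the belt-and-braces control for hosts you cannot reconfigure.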

3. Multi-stage attacks on cryptocurrency exchange

The variety and power of DDoS attacks might have increased, but one trend remains the same: most DDoS attacks are still garden-variety brute-force exploits. But this trend is changing. More and more attacks involve one or more volume-based attacks and one or more other types of attack.

A recent example: volume-based DDoS attacks shut down trading at Bitfinex, one of the world’s largest cryptocurrency exchanges. At first, analysts viewed the exploit as a one-off attempt to manipulate the price of Bitcoin Gold, a variant of the popular Bitcoin Core currency. But later, the second wave of junk traffic indicated that it was a multi-stage attack. There was no stolen data or lasting harm, but users and investors put Bitfinex’s credibility under the microscope.

4. A new Mirai botnet and application-layer attacks

If volume-based attacks are the over-the-top version of DDoS, application-level attacks take the low-and-slow approach. Application-layer exploits happen when a hacker looking for vulnerabilities finds them in an installed web app. The intruding malware bombards business applications with a stream of requests that seem legitimate. This continues until the app stops responding and goes offline.

Mirai botnet malware isn’t a living thing, but it has definitely evolved. The original Mirai malware caused great pain in network-layer (volume-based) DDoS attacks. In its new form, it created a massive, 54-hour application-level attack. Damage: Security researchers didn’t say. The attacker: unknown. The target: an unnamed university in the United States.

What is known? Ninety percent of application-level attacks last less than 6 hours. Malware behavior and the traffic volume indicate that the malware was a Mirai variant. The malware controlled an application-layer attack. And, attack traffic came from more than 10,000 unique IP addresses in the United States, Taiwan, India, and Israel.
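Because application-layer flood requests are well-formed and return normal status codes, a defender has to detect them by rate rather than by content. The script below is an added example, not code from the original post or from any vendor named in it: it parses web server access logs in the common combined format and raises two signals, a per-client count that catches a single abusive source and a per-window total that catches a distributed flood like the 10,000-IP attack described above, where no single address trips a per-client limit. The log lines are constructed, and the window size and thresholds are assumptions to tune against your own baseline traffic.

```python
"""Rate-based detection of an application-layer flood in access logs.
Added example, not from the post; log lines are constructed and the
thresholds are assumptions to tune per site."""

import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx combined format: ip - - [ts] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def detect_flood(lines, window=timedelta(seconds=10), per_ip_limit=50, total_limit=200):
    """Return (offending_ips, hot_window_indexes).

    Status codes are deliberately ignored: the requests in an application-
    layer flood look legitimate and mostly succeed, so only rate gives them away.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    if not events:
        return set(), []
    start = events[0]["ts"]
    per_window = defaultdict(Counter)            # window index -> Counter(ip)
    for e in events:
        per_window[int((e["ts"] - start) / window)][e["ip"]] += 1
    offenders, hot_windows = set(), []
    for idx, counts in sorted(per_window.items()):
        offenders.update(ip for ip, n in counts.items() if n > per_ip_limit)
        if sum(counts.values()) > total_limit:   # distributed flood signal
            hot_windows.append(idx)
    return offenders, hot_windows


# --- constructed sample data (documentation IP ranges, RFC 5737) ---
DOC_NETS = ["192.0.2.", "198.51.100.", "203.0.113."]
T0 = datetime(2018, 3, 1, 12, 0, 0, tzinfo=timezone.utc)


def doc_ips(n):
    return [f"{DOC_NETS[i // 254]}{i % 254 + 1}" for i in range(n)]


def make_lines(ips, per_ip, start, span_seconds, path="/search?q=laptop"):
    """Each client sends per_ip well-formed GET requests (status 200) spread
    evenly over span_seconds, mimicking traffic that 'seems legitimate'."""
    lines, total = [], len(ips) * per_ip
    for k, ip in enumerate(ips):
        for j in range(per_ip):
            n = k * per_ip + j
            ts = start + timedelta(seconds=(n * span_seconds) // max(total, 1))
            lines.append(f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
                         f'"GET {path} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    return lines


def scenario_baseline():          # 20 clients, 2 requests each: quiet
    return detect_flood(make_lines(doc_ips(20), 2, T0, 8))


def scenario_single_abuser():     # baseline plus one client sending 120 requests
    lines = make_lines(doc_ips(20), 2, T0, 8) + make_lines(["203.0.113.250"], 120, T0, 5)
    return detect_flood(lines)


def scenario_distributed():       # 300 clients, 1 request each: no per-IP hit
    return detect_flood(make_lines(doc_ips(300), 1, T0, 9))


if __name__ == "__main__":
    for name, fn in [("baseline", scenario_baseline), ("single abuser", scenario_single_abuser),
                     ("distributed", scenario_distributed)]:
        print(name, "->", fn())
```

The distributed scenario is the one that matters for a Mirai-style botnet: every client stays under the per-IP limit, so only the window total fires, and the response has to be a capacity or challenge-based control (upstream scrubbing, caching the hot endpoint, request challenges) rather than per-address blocking.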

5. First malware in ARC processors

Creators of the original Mirai botnet were captured earlier this year. While trying to avoid arrest, they released the Mirai source code, and voila! Mirai variants spread around the world. In January, security researchers from Malware Must Die reported finding an ARC core processor embedded with Mirai (Okiru type) malware, which targets IoT devices.

Argonaut RISC Core embedded processors are the world’s second-most-popular CPU core. Every year, manufacturers add more than 2 billion of these processors to products, such as cameras, mobile phones, smart TVs, and automotive devices. Infecting ARC processor cores with malware gives botmasters more potential ammunition and IT security pros around the world more sleepless nights.

What’s the takeaway from our wild year of DDoS mayhem? Massive volume-based attacks happen, but strong website defenses can keep them at bay. Botnet malware is getting more complex and into more embedded (and poorly secured) devices. And, DDoS attacks are easier than ever to do. These are not the ingredients of a happy new year.