DDoS Attacks Wane in Q4 Amid Cryptomining Resurgence


The volume of attacks fell 31 percent in the last part of 2020, as Bitcoin values skyrocketed. But there were still several notable trends, such as a rise in Linux botnets.

Distributed denial-of-service (DDoS) attacks dropped significantly at the end of 2020, down 31 percent in the fourth quarter, according to researchers. The reason? Cybercriminals have switched their efforts (and their botnets) to cryptomining.

According to an analysis from Kaspersky published Tuesday, cybercriminals began repurposing infected devices for cryptomining in response to rising cryptocurrency values.

“A surge in cryptocurrency costs may have prompted cybercriminals to re-profile some botnets so that the command-and-control (C2) servers typically used in DDoS attacks could repurpose infected devices and use their computing power to mine cryptocurrencies instead,” researchers said.

DDoS Trends in Q4 2020

DDoS of course didn’t go away – as people spent more time online in 2020, researchers observed a corresponding spike in DDoS attacks for most of the year. And in the fourth quarter, attacks hit schools in Sandwich and Tyngsboro, Mass., Telenor Norway and Laurentian University in Canada, according to Kaspersky. Online gaming services also continued to suffer DDoS attacks during the analyzed period.

Q4 2020 attacks were down 31% but still up 10% year-over-year. Source: Kaspersky

“The number of DDoS attacks was still 10 percent higher than the same period the year before, but overall reflected a declining trend, after attacks spiked dramatically in response to global lockdown measures earlier in the year,” the analysis explained.

They added, “Cybercriminals used the names of well-known APT groups to intimidate victims, demanded ransoms in cryptocurrency, and carried out demonstration attacks to back up their threats.”

Another notable attack in December targeted the website Bitcoin.org, which hosts Bitcoin Core, one of the most widely used implementations of the Bitcoin client software.

“While the resource was down, cryptocurrency newbies were invited to download a copy of Bitcoin Core via a torrenting service,” according to the report. “Most likely, the attack is related to the Bitcoin price, which has steadily risen over the past quarter. According to one of the developers behind Bitcoin.org, the site is always hit whenever Bitcoin is on the up.”

Attacking Citrix ADC

Interestingly, the DDoS perpetrators also began abusing Citrix application delivery controller (ADC) devices, specifically their interface for the Datagram Transport Layer Security (DTLS) protocol. DTLS is used to establish secure connections over UDP, the transport over which most DNS queries, as well as audio and video traffic, are sent. Because UDP carries no handshake of its own, a server that answers a single spoofed datagram with a large reply becomes a reflector for whoever controls the source address.

Notable DDoS trends for Q4. Source: Kaspersky.

“To amplify the attack, the attackers sent requests to devices with the DTLS interface enabled, spoofing victims’ IP addresses,” according to Kaspersky. “Consequently, the victims received reply packets several times larger in size. In the case of Citrix devices, the amount of junk traffic could increase by up to 36 times. After the attacks came to light, the manufacturer promptly released a firmware update for configuring verification of incoming requests. For those who do not use DTLS, it is recommended to simply disable this protocol.”
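The control the report describes, verifying the claimed source before the server commits a large reply, is what DTLS itself specifies for this purpose: the stateless HelloVerifyRequest cookie exchange of RFC 6347 section 4.2.1. The Python model below is an added example, not code from Kaspersky, Citrix or the article. The addresses and the message sizes are constructed assumptions; the 200-byte ClientHello and 7,200-byte server flight are chosen so that the unverified case reproduces the 36x factor quoted above. It simulates a spoofed ClientHello with and without cookie verification, and a legitimate client that echoes the cookie from the same address.

```python
"""Model of the DTLS HelloVerifyRequest cookie exchange (RFC 6347 s.4.2.1) as an
anti-amplification control. Added example; sizes and addresses are constructed
assumptions, not measurements from the Kaspersky report."""
import hashlib
import hmac
import os

# Constructed addresses (assumption). Replies to VICTIM are never seen by ATTACKER.
ATTACKER = ("198.51.100.7", 40000)
VICTIM = ("203.0.113.9", 53)
CLIENT = ("192.0.2.25", 55555)

# Assumed sizes, chosen so the unverified case reproduces the report's 36x factor.
CLIENT_HELLO_LEN = 200    # one spoofed DTLS ClientHello datagram
SERVER_FLIGHT_LEN = 7200  # ServerHello + Certificate chain + ServerKeyExchange + ServerHelloDone
COOKIE_LEN = 16

RECORD_HDR = 13     # type(1) version(2) epoch(2) sequence(6) length(2)
HANDSHAKE_HDR = 12  # type(1) length(3) message_seq(2) fragment_offset(3) fragment_length(3)
# HelloVerifyRequest body: server_version(2) + cookie length(1) + cookie -> 44 bytes on the wire
HVR_LEN = RECORD_HDR + HANDSHAKE_HDR + 2 + 1 + COOKIE_LEN


class DtlsServer:
    """Minimal DTLS responder. verify=False answers any ClientHello with the full
    flight (the reflector behaviour); verify=True demands a valid cookie first."""

    def __init__(self, verify: bool, secret: bytes = b""):
        self.verify = verify
        self.secret = secret or os.urandom(32)  # server-local secret, rotated in practice

    def _cookie(self, src, client_random: bytes) -> bytes:
        # Stateless: derived from the claimed source address and ClientHello parameters,
        # so the server holds no per-peer state until the address has been proven.
        msg = f"{src[0]}:{src[1]}".encode() + client_random
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]

    def handle_client_hello(self, src, client_random: bytes, cookie: bytes = b""):
        """Return (reply name, bytes sent to src, cookie carried in the reply)."""
        expected = self._cookie(src, client_random)
        if self.verify and not hmac.compare_digest(cookie, expected):
            # Tiny reply, sent only to the claimed source; a spoofer never learns it.
            return "HelloVerifyRequest", HVR_LEN, expected
        return "ServerHello+Certificate", SERVER_FLIGHT_LEN, b""


def reflect(verify: bool) -> dict:
    """ATTACKER sends one ClientHello carrying VICTIM as the spoofed source address."""
    server = DtlsServer(verify)
    name, sent, _ = server.handle_client_hello(VICTIM, os.urandom(32))
    return {"reply": name, "bytes_to_victim": sent,
            "amplification": sent / CLIENT_HELLO_LEN}


def legitimate_handshake(server: DtlsServer, addr=CLIENT) -> str:
    """A real client receives the cookie and echoes it from the same address."""
    rnd = os.urandom(32)
    name, _, cookie = server.handle_client_hello(addr, rnd)
    if name == "HelloVerifyRequest":
        name, _, _ = server.handle_client_hello(addr, rnd, cookie)
    return name


if __name__ == "__main__":
    for verify in (False, True):
        print(f"verify={verify}: {reflect(verify)}")
    print("legitimate client:", legitimate_handshake(DtlsServer(True)))
```

The property that matters is that, until the source address is proven, the server's reply (44 bytes here) is smaller than the request that triggered it, so the reflection factor stays below 1 and the device is no longer useful as an amplifier; a cookie captured by one host is also bound to that host's address and random, so it cannot be replayed on a victim's behalf. Where DTLS is not needed at all, disabling it, as the report recommends, removes the reflector entirely.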

Kaspersky also found that there were no unexpected changes in the geographical distribution of DDoS attacks and targets. However, the top attack types shifted significantly: “The share of UDP flooding was up; ICMP attacks were displaced by GRE flooding. In addition, for the first time in our observation history, Linux botnets have almost totally captured the DDoS market.”

DDoS Predictions for 2021

The macro-trends shaping 2021, such as the pandemic and cryptocurrency prices, remain unpredictable, Kaspersky noted. Thus when it comes to forecasting the current quarter’s trend, researchers offered only a tentative assessment: A period of stability, with no major growth or decline, both in Q1 and throughout 2021.

“The DDoS attack market is currently affected by two opposite trends,” said Alexey Kiselev, business development manager on the Kaspersky DDoS Protection team. “On the one hand, people still rely heavily on the stable operation of online resources, which can make DDoS attacks a common choice for malefactors. However, with a spike in cryptocurrency prices, it may be more profitable for them to infect some devices with miners. As a result, we see that the total number of DDoS attacks in Q4 remained quite stable. And we can predict that this trend will continue in 2021.”

How to Protect Against DDoS Attacks

To stay protected against DDoS attacks, Kaspersky researchers noted that in addition to putting resources and technology in place, businesses should also validate third-party agreements and contact information, including those made with internet service providers.
