The third quarter saw the sheer volume of distributed denial-of-service (DDoS) attacks surge to several thousand hits per day, signaling a re-distribution of tactics by malicious actors away from cryptomining and toward the use of DDoS as a tool of intimidation, disinformation and straight-up extortion.
The latest DDoS report for Q3 from Kaspersky details a record-breaking frenzy of recent activity by threat actors.
“July started off relatively quietly, but towards the middle of the month the average daily count of DDoS attacks exceeded 1,000, with a whopping 8,825 attacks on August 18,” the report said. “For two more days, August 21 and 22, the daily count of five thousand was exceeded and over three thousand attacks were detected on August 2 and 6, September 16, 18, 19 and 22.”
And while the volume of DDoS attacks spiked, their duration declined, the researchers found.
“This may be due to the decreasing number of attacks lasting 50 hours or more and a rise in relatively short attacks,” the report added.
Middleboxes and Unavailable Ports
The third quarter also ushered in two new DDoS attack vectors, the analysts found.
During Q3, a team from the University of Maryland and the University of Colorado at Boulder figured out how to exploit the TCP protocol to attack security devices such as firewalls, deep packet inspection (DPI) tools and network address translators (NAT), often called “middleboxes” because of their position between the client and server.
“If a request for access to a banned resource is sent under the guise of the victim, the response from a middlebox can be significantly larger,” the Kaspersky report said. “As such, the researchers found more than 386,000 devices giving an amplification factor of over 100, with more than 97,000 of them over 500, and 192 of them over 51,000.”
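The amplification factors quoted above (over 100, over 500, over 51,000) are the ratio of response bytes to request bytes. The following added example, which is not code from the Kaspersky report or from the Threatpost article, shows how a network operator could run that check over their own flow records to find responders in their estate that amplify traffic; the CSV flow format and the sample flows are constructed for the example.

```python
"""Flag responders whose reply volume amplifies the request volume.
Added example, not from the Kaspersky report. Flow format is constructed:
"src,dst,dst_port,bytes_out,bytes_in" per line, where bytes_out went toward
the responder and bytes_in came back. The buckets (100, 500, 51000) are the
amplification factors quoted in the text.
"""
from collections import defaultdict

# Constructed sample: one ordinary HTTPS fetch and three amplifying responders.
SAMPLE_FLOWS = """\
10.0.0.5,198.51.100.10,443,1200,9800
10.0.0.5,203.0.113.7,80,60,7200
10.0.0.5,203.0.113.7,80,60,6900
10.0.0.5,203.0.113.9,80,40,25000
10.0.0.5,203.0.113.42,80,40,2100000
"""
BUCKETS = [(51000, "extreme"), (500, "high"), (100, "notable")]

def parse_flows(text):
    """Parse the constructed CSV lines; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        _src, dst, port, out_b, in_b = parts
        flows.append((dst, int(port), int(out_b), int(in_b)))
    return flows

def amplification_by_responder(flows):
    """Sum bytes per (ip, port) and return bytes_in / bytes_out ratios."""
    sent, received = defaultdict(int), defaultdict(int)
    for dst, port, out_b, in_b in flows:
        sent[(dst, port)] += out_b
        received[(dst, port)] += in_b
    # One-way flows (nothing sent) have no meaningful ratio; skip them.
    return {k: received[k] / sent[k] for k in sent if sent[k] > 0}

def classify(ratio):
    """Map a ratio to the report's bucket label, or None below 100x."""
    for threshold, label in BUCKETS:
        if ratio > threshold:
            return label
    return None

def suspicious_responders(text):
    """Return {(ip, port): (ratio, label)} for responders above 100x."""
    ratios = amplification_by_responder(parse_flows(text))
    return {k: (r, classify(r)) for k, r in ratios.items() if classify(r)}
```

A responder that lands in any bucket is a candidate for hardening or for rate-limiting at the edge, since it can be used to reflect traffic at third parties.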
Another new attack, first identified by Nexusguard and named Black Storm, bombards communications service provider (CSP) networks with requests to access closed ports.
“Processing these messages consumes a lot of resources, which overloads victim devices and prevents them from accepting legitimate requests,” the Kaspersky report said. “The researchers note that this method allows an attacker to take down not only individual servers, but the provider’s entire network, including a large one.”
Mēris Botnet
First found by Yandex and Qrator Labs, Mēris is able to send an enormous number of requests per second, and claimed victims including the cybersecurity media sites Krebs on Security and Infosecurity, plus New Zealand banks, the country’s postal service and its MetService weather service.
Other notable DDoS events during the quarter included attacks on VoIP providers in Britain, Canada and the U.S.; a ransomware attack on Bitcoin.org; the targeting of the Russian newspaper Vedomosti; the shutdown of European gaming servers for Final Fantasy XIV; and many more.
More than 40 percent of DDoS attacks during the third quarter targeted operations in the U.S., followed by Hong Kong (15 percent) and China (7.74 percent), the report found.
Stefano De Blasi told Threatpost that researchers from Digital Shadows have seen an uptick in threat actors combining DDoS attacks with extortion demands over the past two years, which could be a sign of more to come.
“Different motivations can lie behind a DDoS attack,” De Blasi told Threatpost. “Cybercriminals typically conduct DDoS operations to temporarily disrupt a target’s infrastructure or act as a decoy for more dangerous activity, but companies affected by high-intensity DDoS attacks may experience a long-time interruption of business, which in turn may cause financial loss, brand or reputational damage, and influence customer trust.”
DDoS vs. Cryptomining Computing Power Allocation
The Kaspersky team explained in the report that the ecosystem of botnet computing power is pulled between cryptocurrency mining and powering DDoS botnets. Counterintuitively, this quarter saw growth in DDoS attacks even while cryptocurrency prices are still high.
“Now, judging by the growing DDoS market against the backdrop of consistently high cryptocurrency prices, attackers have started to allocate their resources differently,” the report said. “And this is quite logical: DDoS services are in demand, and the prolonged supply shortage has likely led to an increase in prices in this market, making it profitable for botnet operators to resume attacks. As such, the DDoS market seems to be returning to the growth rate we saw in late 2019.”
With predictions indicating more DDoS attacks on the way, it’s up to organizations to mount a defense and protect internet of things (IoT) devices connected to public networks from being hijacked and turned into botnets, Ben Pick, a consultant at nVisum, told Threatpost.
“Organizations can protect themselves by applying intermediate tooling at network boundaries,” Pick said. “Most cloud services include security tools to mitigate or outright prevent DDoS attacks. Utilizing a specific tool is a better protection apparatus than spinning up resources to accommodate the additional network bandwidth, as that can cause massive impacts to the overall infrastructure costs.”