Report: Increase in botnet-assisted attacks, amplification attacks and multi-day DDoS attacks
A distributed denial-of-service (DDoS) attack is an attack in which multiple compromised computer systems attack a target, such as a server, website, system or other network resource, causing a denial of service for users of the targeted resource. Such an attack typically floods the targeted servers, systems or network to sabotage the victim. As the target system slows down or even crashes, it stops legitimate users from using the system. These DDoS attacks can be launched by a wide range of cyber threat actors, ranging from individual hackers and organised criminals to state actors.
Kaspersky Lab has recently published its report looking at botnet-assisted DDoS attacks for the first quarter of 2018. Experts note an increase in activity by both old and new botnets, growth in the popularity of amplification DDoS attacks and the return of long-lasting, multi-day DDoS attacks.
The following are some of the key findings:
Asia-Pacific is a targeted geography
In the first quarter of 2018, DDoS botnets attacked online resources in 79 countries, with the vast majority (over 95%) of these attacks occurring in the top 10 countries. The countries experiencing the largest number of attacks were once again China, the US and South Korea, which all continue to lead in terms of the number of servers available to attackers. Meanwhile, Hong Kong and Japan replaced the Netherlands and Vietnam among the top 10 most targeted countries.
Types and duration of DDoS attacks
The report found that the share of SYN-DDoS attacks increased slightly from 55.6% to 57.3%, while the share of ICMP attacks almost doubled from 3.4% to 6.1%.
It was also found that after some respite at the end of 2017, sustained attacks returned, with the longest lasting 297 hours, or over 12 days. The share of all other sustained attacks of 50 hours or more increased more than sixfold to 0.63%.
At the other end of the spectrum, the share of the shortest attacks of 9 hours or less also grew, accounting for over 91% of all attacks in the first quarter of 2018.
Meanwhile, the number of attacks lasting between 10 hours and three days in the latest quarter almost halved from 14.9% to 7.8%.
According to the report, the first quarter of this year saw a significant increase in both the total number and duration of DDoS attacks compared with the last quarter of 2017. The hike is largely due to the new Linux-based botnets Darkai (a Mirai clone) and AESDDoS.
The number of now-familiar Xor attacks also rose. Nor did Windows-based botnets remain idle, making some headway against Linux in the total number of attacks. The share of Linux botnets last quarter fell slightly compared to the end of 2017, down to 66% from 71%, while the share of Windows-based botnets climbed from 29% to 34%. The old Yoyo botnet was particularly lively, almost five times as active as before.
What organisations can do to boost their DDoS defence
"Exploiting vulnerabilities is a favourite tool for cybercriminals whose business is the creation of DDoS botnets. However, as the first few months of the year have shown, it's not only the victims of DDoS attacks that are affected, but also those companies with infrastructure that includes vulnerable objects. The events of the first quarter reaffirm a simple truth: the platform that any company uses to implement multi-layered online security must include regular patching of vulnerabilities and permanent protection against DDoS attacks," comments Mr Alexey Kiselev, Project Manager on the Kaspersky DDoS Protection team.
As botnet attacks evolve, cybersecurity defence must be updated too. Kaspersky DDoS Protection combines Kaspersky Lab's extensive expertise in combating cyberthreats with the company's unique in-house developments. The solution protects against all types of DDoS attacks regardless of their complexity, strength or duration. To reduce the risk of vulnerabilities being used by cybercriminals for DDoS attacks, Kaspersky Endpoint Security for Business provides a vulnerability and patch management component. It allows businesses to automatically eliminate vulnerabilities in infrastructure software, proactively patch them, and download software updates.
Is your organisation getting the protection it deserves? Download the white paper here to find out more.