DDoS attacks are still a danger, even during the lull period

Memcaching might have gone away but beware the rise of Mirai clones.

Distributed Denial of Service (DDoS) attacks – where attackers seek to take down a website or application by flooding it with requests – may well be old, but they never go away.

There were around 7.5 million DDoS attacks in 2017. According to a recent report from Verisign, there was a 53% increase in the number of DDoS attacks between Q4 2017 and Q1 2018, as well as a 47% rise in the attack peak sizes. Akamai’s most recent report found a 16% year-on-year increase in DDoS attacks. And there could be even more dangerous DDoS attacks on the horizon.

“At the moment the focus [of cybercriminals] seems to be on quick and easy revenue generators; ransomware, bitcoin mining,” says Bharat Mistry, Principal Security Strategist at Trend Micro. “But the fact that you've got those compromised devices means it could come back around [to DDoS].”

Reports of IoT botnets originally used in DDoS attacks being made to send email spam or mine cryptocurrency are not uncommon. But as soon as they become less profitable or a new technique comes to light, those botnets are likely to return to being drones in DDoS as a Service attacks.

“There's a cyclical trend where attackers will attack as they discover new mechanisms and methodologies then take a little bit of time to retool as some of the defenses for network capabilities catch up,” says Carlos Morales, VP Cloud and Managed Services at Arbor Networks.

He warns that we’re currently at a fallow period in terms of DDoS attacks, and most attackers are currently retooling and experimenting with new techniques before they attack again in earnest.

A recent example of this was an attack on ProtonMail. The secure email provider went down intermittently after a hacker group named Apophis Squad tested a new DDoS booter service the group is developing against it. The group told BleepingComputer that ProtonMail was initially chosen as a target seemingly at random, but was then targeted deliberately after the company's CTO, Bart Butler, baited the group online.


Mirai and IoT are the real danger, not Memcache

While the Memcache-based attack knocked GitHub offline with a DDoS assault that reached a record 1.7TPS, there hasn’t been the massive surge in huge Memcache-based attacks that many expected. The amplification factor of 50,000:1 is certainly high, and it’s now possible to purchase such attacks from DDoS-for-hire sites, but the Memcache protocol was only ever meant to be used within a network and not over the open internet, which makes the attack easy to spot and block. According to Arbor’s data, there have only been around 16,000 such attacks between February and April of this year.



“You can easily as a defender put mechanisms in place to block Memcache at your network borders without having to do complex or surgical type of mitigation,” says Morales. “And attackers quickly realized Memcache, while spectacular, did not yield the results they wanted long-term, so they switched back to other protocols.”

“Memcache was a pretty significant outlier in terms of technology; something that could amplify so much and be generally available in datacenters, is a perfect storm of circumstances that lead to 1.7TPS.”
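Morales’ point that Memcache reflection is easy to spot and block at the border, in working form: this is an added example, not code from the article or from any vendor quoted in it. It groups constructed flow records by victim using only the fact that inbound UDP traffic sourced from port 11211 has no legitimate reason to exist; the addresses, packet counts and byte counts are constructed.

```python
"""Spot memcached (UDP/11211) reflection traffic in border flow records.

Added example, not code from the article: memcached was never meant to be
reachable from the internet, so an inbound UDP flow sourced from port 11211
is reflected attack traffic that can be dropped at the border outright.
"""
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple

MEMCACHED_UDP_PORT = 11211


class Flow(NamedTuple):
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    n_bytes: int


# Constructed sample records (hypothetical addresses), shaped like a
# NetFlow/IPFIX export seen at a network border: three exposed memcached
# servers are reflecting ~1400-byte responses at a single victim.
SAMPLE_FLOWS = [
    Flow("udp", "198.51.100.7", 11211, "203.0.113.10", 443, 900, 1_260_000),
    Flow("udp", "198.51.100.8", 11211, "203.0.113.10", 443, 870, 1_218_000),
    Flow("udp", "198.51.100.9", 11211, "203.0.113.10", 443, 910, 1_274_000),
    Flow("tcp", "192.0.2.33", 52314, "203.0.113.10", 443, 40, 9_800),
    Flow("udp", "192.0.2.50", 53, "203.0.113.10", 34120, 1, 512),
]


def memcached_reflections(flows: Iterable[Flow]) -> Dict[str, dict]:
    """Group inbound flows sourced from UDP/11211 by victim address.

    Returns {victim_ip: {"reflectors": set_of_ips, "packets": n, "bytes": n,
    "avg_packet_bytes": float}}; an empty dict means no reflection was seen.
    """
    by_victim: Dict[str, dict] = defaultdict(
        lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto == "udp" and f.src_port == MEMCACHED_UDP_PORT:
            v = by_victim[f.dst_ip]
            v["reflectors"].add(f.src_ip)
            v["packets"] += f.packets
            v["bytes"] += f.n_bytes
    for v in by_victim.values():
        v["avg_packet_bytes"] = v["bytes"] / v["packets"]
    return dict(by_victim)
```

Because no legitimate traffic arrives from UDP source port 11211, a stateless drop at the edge (for example `iptables -I INPUT -p udp --sport 11211 -j DROP`) removes it without touching anything else.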

Instead, companies should be more worried about Internet of Things (IoT) botnets and Mirai-like clones. The takedown of DNS provider Dyn using the Mirai malware and 100,000-strong army of CCTV cameras, printers, and baby monitors showed the destructive power of insecure IoT devices.

Though Mirai itself has been taken down, the source code was shared online shortly after the attack on Dyn. Though none has grown as large as the original, Mirai-based clones have continued to proliferate. The likes of Reaper, ‘Windows Mirai’, Satori, JenX, OMG, and Wicked all combine the original code with new capabilities and pose a potential threat.

“Since Mirai was made public its derivatives have updated and improved upon the original system to include more effective ways of compromising a broader and more diverse range of IoT devices, as well as improving the attack capabilities it had to offer,” says Sean Newman, Director Product Management at Corero Networks.

Of course, Mirai is just the most well-known of the IoT-botnet malware strains, but there are many more out there. Fortinet’s Threat Report for Q1 2018 warned that attackers are continually probing “far and wide” for IoT vulnerabilities and the company is seeing many exploits appearing in this area.

Arbor’s Morales warns that, even without any significant new advances in offensive capabilities, attackers could already launch multi-terabit attacks surpassing the 1.7TPS we saw launched against GitHub if they can infect enough devices.

“They could even go to 3TPS with current devices; it would just put a significant strain on the botnet and on the coders who code it, it’s really just whether they can do so economically.”

Given the danger, there are doubts whether companies are ready for the ‘next Mirai’. A recent study by the Harvard Business School warned of a “lack of redundancy in DNS resolution” by major websites and services, suggesting another such attack could be successful. Trend Micro’s Mistry suggests it was only the service providers and telcos that really took notice in the wake of the Dyn takedown, and most organizations haven’t learned their lessons.

“Enterprises think they can just leverage a service and mitigate the attack and call upon it as and when required, and there’s also the perception that if companies go out to the cloud then it’s not their problem anymore. I think it will take another couple of big ones before other enterprises start waking up to it.”


Greater complexity and mobile device botnets are the future of DDoS

While cybercriminals wait for the next technology advantage that might allow them to significantly increase the size of DDoS attacks, they are in the meantime being smarter in how they operate in a number of different ways.

Arbor’s Morales says attackers are doing far more reconnaissance and using the resulting intel to craft more specific attacks. The result is attacks which specifically target whatever action – downloading videos, loading large images or documents, etc. – creates the biggest burden on the site. These highly targeted attacks are difficult to spot or mitigate because the traffic and the actions it performs may look relatively normal, yet the results weigh heavily on resources.

Corero Networks’ Newman says his company is seeing a notable increase in the number of much smaller attacks: over 70% of attacks observed by the company are below 1Gbps in size and last for less than 10 minutes.

“These attacks are much more surgical in their nature but are typically no less effective in the outcomes they create. Plus, their size gives them the added benefit of blending in more with legitimate traffic volumes and flying under the radar of legacy DDoS protection systems.”

In the future, Trend Micro’s Mistry expects to see more application-based DDoS attacks, and more attacks similar to Slowloris, which draws out initial connections for as long as possible in order to slow the target using legitimate-looking requests.
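The Slowloris behaviour just described, as an added detection example that is not from the article: it inspects a constructed snapshot of a web server’s open connections and reports clients holding many long-lived, still-incomplete requests that are being fed at a trickle. The IP addresses, the snapshot and the thresholds are assumptions.

```python
"""Flag Slowloris-style clients from a snapshot of a web server's connections.

Added example, not code from the article. Slowloris keeps many connections
open by sending request headers a few bytes at a time, so the tell-tale is a
client holding several aging connections that have never finished a request.
"""
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple


class Conn(NamedTuple):
    src_ip: str
    age_s: float            # seconds since the TCP connection was accepted
    header_bytes: int       # request bytes received so far
    request_complete: bool  # True once the blank line ending the headers arrived


# Constructed snapshot (hypothetical IPs): 192.0.2.99 holds a dozen stalled,
# slowly trickling connections; the others look like ordinary browsers.
SNAPSHOT = (
    [Conn("192.0.2.99", 30.0 + 5 * i, 40 + 2 * i, False) for i in range(12)]
    + [
        Conn("198.51.100.4", 0.8, 512, True),
        Conn("198.51.100.5", 1.3, 640, True),
        Conn("198.51.100.5", 35.0, 0, False),  # one slow client is not an attack
    ]
)


def slow_clients(conns: Iterable[Conn], min_age_s: float = 20.0,
                 max_rate_bps: float = 10.0, max_stalled: int = 5) -> Dict[str, int]:
    """Return {src_ip: stalled_count} for clients holding more than max_stalled
    incomplete connections, each older than min_age_s and fed at no more than
    max_rate_bps bytes of headers per second (the assumed thresholds)."""
    stalled: Dict[str, int] = defaultdict(int)
    for c in conns:
        if c.request_complete or c.age_s < min_age_s:
            continue
        if c.header_bytes / c.age_s <= max_rate_bps:
            stalled[c.src_ip] += 1
    return {ip: n for ip, n in stalled.items() if n > max_stalled}
```

In practice the same test is what a web server’s request-header timeout enforces per connection; counting per client is what lets you tell an attack from a single slow link.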

Beyond IoT botnets, smartphones may well be the next recruitment target for cybercriminals. There haven’t been any smartphone-based botnets of any notable size used in DDoS attacks yet, but the potential is there: a report from Distil Networks suggests nearly 6% of all mobile devices could be part of botnets.

“As the compute that we carry around in our pockets becomes more powerful and as 5G comes to the fore, it certainly opens up that avenue of high-bandwidth attacks,” says Mistry.

