Massive denial-of-service attacks pick up steam, new nefarious techniques

Several online gaming sites were recently hit by distributed denial-of-service (DDoS) attacks that used a new type of assault on the victims: a Network Time Protocol Amplification Attack.

Such attacks rely on the use of publicly accessible NTP servers to overwhelm a victim system with UDP traffic, according to the US CERT site.

"It's the first time I've ever seen volumetric NTP at noteworthy levels," says Shawn Marck, CEO at Black Lotus, which provides DDoS mitigation services, adding his impression is that the DerpTrolling group, which took credit for the attack, is doing this mainly for the kicks they get in disrupting online games like War of Wizard and Steam.

"The NTP attack worked pretty well," said Barrett Lyon, founder of anti-DDoS service. It had been known that an attacker could manipulate an NTP server to generate attack traffic against a target, but DerpTrolling's denial-of-service hits in early January are regarded as dangerous proof of a new DDoS attack vector.


US CERT issued an advisory on NTP amplification attacks on Jan. 10, stating that the abused servers were exploitable because they had been left unpatched. But Lyon sees a different problem. He says older NTP servers simply can't prevent the type of exploitation carried out in NTP amplification attacks, because older NTP gear doesn't support mechanisms such as rate-limiting that might prevent it.

NTP servers are "forgotten pieces of infrastructure" that almost no one thinks about -- until something like this new example of a DDoS attack comes along, says Lyon, an industry veteran who also founded anti-DDoS security firm Prolexic Technologies, which was just acquired by Akamai.

It's not just old infrastructure: the latest mobile devices are also being exploited by attackers to launch DDoS attacks. Today, Prolexic issued its quarterly global DDoS attack report, noting that even Android-based mobile devices are being spotted as instruments to launch DDoS attacks.

In the report, Prolexic says its response team "uncovered evidence of the use of mobile applications launching DDoS attacks against enterprise clients, including one of the world's largest financial firms." Prolexic says signatures matching AnDOSid, a DDoS attack tool for Android devices, were observed in DDoS attack campaigns.

While use of mobile devices to launch DDoS attacks is still considered unusual, there's no reason to think it might not grow, Prolexic points out. In its report, Prolexic also notes the rise of NTP as an attack vector.

"The NTP protocol is implemented in all major operating systems, network infrastructure devices, and embedded devices. By using UDP, NTP is subject to spoofing. In addition, misconfiguration of network equipment can allow enterprise infrastructure to be used as unwilling participants in a DDoS attack. This can be achieved by responding to requests for NTP updates and directing the response to the victim host and overwhelming it with NTP traffic."
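The mechanism the report describes (spoofed UDP requests, oversized replies aimed at a host that never asked for them) leaves a recognisable footprint on the victim side. As an added illustration, not code from the article or from Prolexic, the following check runs over constructed flow records and flags hosts receiving unsolicited, oversized traffic from many NTP servers; the 90-byte baseline, the thresholds and the sample flows are all assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not from the article): one record per
# unidirectional UDP flow, as a NetFlow/IPFIX collector might export them.
# Fields: src_ip, src_port, dst_ip, dst_port, bytes, packets
SAMPLE_FLOWS = [
    # Ordinary NTP exchange: one 48-byte payload each way (~90 bytes on the wire).
    ("10.0.0.5", 53422, "192.0.2.10", 123, 90, 1),
    ("192.0.2.10", 123, "10.0.0.5", 53422, 90, 1),
    # Suspected amplification: several NTP servers each pushing a long train of
    # large packets at one host that never sent them a request (spoofed source).
    ("198.51.100.1", 123, "203.0.113.7", 40000, 482000, 1000),
    ("198.51.100.2", 123, "203.0.113.7", 40000, 482000, 1000),
    ("198.51.100.3", 123, "203.0.113.7", 40001, 482000, 1000),
    ("198.51.100.4", 123, "203.0.113.7", 40001, 482000, 1000),
]

# Assumed baseline: a normal NTP reply is about 90 bytes on the wire.
NORMAL_NTP_PACKET_BYTES = 90
SIZE_FACTOR = 3       # flag when the average packet is >3x a normal reply
MIN_REFLECTORS = 3    # and at least this many distinct NTP servers are involved

def find_amplification_victims(flows, size_factor=SIZE_FACTOR,
                               min_reflectors=MIN_REFLECTORS):
    """Return {victim_ip: summary} for hosts receiving unsolicited, oversized NTP replies."""
    # Pairs (client, server) where the client really sent a request to UDP/123.
    queried = {(src, dst) for src, _, dst, dport, _, _ in flows if dport == 123}
    per_dst = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for src, sport, dst, _, nbytes, pkts in flows:
        if sport != 123 or (dst, src) in queried:
            continue  # not NTP reply traffic, or a reply the host actually asked for
        entry = per_dst[dst]
        entry["sources"].add(src)
        entry["bytes"] += nbytes
        entry["packets"] += pkts
    victims = {}
    for dst, e in per_dst.items():
        avg = e["bytes"] / e["packets"]
        if len(e["sources"]) >= min_reflectors and avg > size_factor * NORMAL_NTP_PACKET_BYTES:
            victims[dst] = {
                "reflectors": len(e["sources"]),
                "avg_packet_bytes": avg,
                "amplification": avg / NORMAL_NTP_PACKET_BYTES,
            }
    return victims

if __name__ == "__main__":
    for victim, info in find_amplification_victims(SAMPLE_FLOWS).items():
        print(f"{victim}: {info['reflectors']} reflectors, {info['amplification']:.1f}x amplification")
```

On real flow data the thresholds would be tuned against the site's own NTP baseline; the point is that legitimate NTP replies are small and solicited, so large unsolicited streams from UDP/123 stand out.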

According to Prolexic's report, the "traditional" attack vectors include the likes of ICMP and SYN floods but these declined last year in favor of UDP fragmentation floods.

Where do DDoS attacks come from?

According to Prolexic, the U.S. is thought to be the main source of DDoS attacks during the last quarter, constituting 23.62% of what Prolexic saw. That's up a disturbing 14.5% for the U.S. compared to the previous quarter. China used to hold the top spot for DDoS but is now in second place at 19.09%. Thailand was third at 13.59%. Other countries, including the United Kingdom, South Korea, India, Turkey, Italy, Brazil and Saudi Arabia, all follow on a top 10 list.

DDoS attacks are often carried out by means of large-scale botnets: compromised desktops or servers that cyber-criminals control and direct to launch streams of unwanted traffic at targets. It's possible to get a lot of firepower by stealthily taking over servers in hosting centers around the world to do this. Some hosting centers (sometimes called 'bulletproof' hosting) simply don't seem to care.

Microsoft for several years has taken up the banner of shutting down botnets in takedowns wherever it can around the world, mainly by taking aggressive legal action whenever possible.

Rich Boscovich, assistant general counsel at Microsoft Digital Crimes Unit which carries out this anti-bot effort, says it involves getting visibility into malware and locating computers at ISPs all over the world. "We've taken third-party servers off hosting providers as part of our takedown," he says, adding, "We know there's significant chance of retribution from criminals when their botnets are taken away."

And Microsoft's network resources do become subject to DDoS attacks because criminals can quickly and easily re-purpose botnets that might have been used to generate spam, for instance, into cannons blasting out attack traffic. Among other things, Microsoft uses anti-DDoS gear from A10 Networks, custom-designed, says Boscovich. He declined to go into specifics about this but merely added DDoS is a "real danger."

DDoS attacks are often measured by the traffic rates they achieve, with higher rates generally the most destructive in swamping networks or crashing applications, so anti-DDoS vendors are always striving to achieve higher throughput for defense. A10 Networks, for instance, which unveiled its Thunder line of standalone anti-DDoS gear today, said it can handle 37Gbps to 155Gbps. The company says service providers and large enterprises would be the most likely buyers. Prolexic says it saw DDoS attacks reaching 179Gbps in the last quarter.

What's the motivation behind DDoS attacks?

Admittedly, there's nothing particularly new about DDoS attacks, which have been around in one form or another since the early days of the Internet, along with the later tales of botnets and the Russian cyber-mafia. But many say the motivations for trying to blast away at the networks and applications of others seem to have grown.


In the early days it was extortion, asking for payment to stop the attacks. Today, business competitors may pay to attack other competitors, too. "You hear it all the time, especially in the casino space or the escort space," says Shawn Marck of Black Lotus. "The majority of attacks are economically motivated."

But political activism is also a factor these days as angry protestors supporting one cause or another are egged on by groups such as Anonymous to launch DDoS attacks. However, it's been the protestors joining the DDoS campaigns that get arrested more often than the organizers, notes Chris Risley, CEO at

Many governments are also believed to be making use of DDoS from time to time, say Lyon and Risley. North Korea is thought to attack South Korea this way, and the Iranians are believed by some to have been behind the widespread attacks against U.S. banks in the fall of 2012. Many more governments, including the U.S., also quietly have their hands on the DDoS trigger, they suggest.

For anyone who wants to launch a DDoS attack, it's quite simple to go online and pay as little as a few dollars an hour to buy the access to do it, according to

There's also "advertising online claiming to test your systems for DDoS, when they're really conduits for selling DDoS services," says Lyon. He adds that on Pastebin you can find blatant ads for DDoS with guarantees it will work.

According to the Prolexic report, the average attack duration totaled 22.8 hours. Attackers favored striking network infrastructure about three quarters of the time, with application-layer attacks taking up the remaining 23.4%.

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:
