DDoS botnets already smarter, fiercer in 2014: Imperva Incapsula

A flurry of distinctive new distributed denial of service (DDoS) attacks in the first few months of this year led security firm Imperva Incapsula to rethink the methodology behind its latest DDoS Threat Landscape Report as it sought to characterise a “much more complex breed of DDoS offenders” expected to grow the DDoS threat significantly this year.

“Perpetrators are looking to raise the stakes by introducing new capabilities, many of which are specifically designed to abuse the weaknesses of traditional anti-DDoS solutions,” the report notes. “As a result, in 2014, many IT organisations will need to re-think their security strategies to respond to the latest Layer 3 and Layer 7 DDoS threats.”

The volume of DDoS bot attacks shot up over the past 90 days, surging by 240 per cent compared with the same period in 2013. That equated to over 12 million DDoS bot sessions on a weekly basis, with more than half coming from India (9.59 per cent), China (9.20 per cent), and Iran (7.99 per cent). Indonesia (4.29 per cent), the US (4.26 per cent) and Thailand (4.20 per cent) filled out the top six.

More than 81 per cent of threats followed multiple attack vectors, including 39 per cent that used three or more different attack methods simultaneously. NTP reflection was the most common large-scale attack method in February, but combo SYN flood attacks, which mix regular SYN packets with large SYN packets (over 250 bytes), were used in 75 per cent of attacks, making them the most common network attack overall.

The report also notes a “significant increase” in the number of NTP amplification attacks in January and February of this year, with that technique becoming the most commonly used vector for large-scale network DDoS attacks.
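The two network-layer patterns just described, combo SYN floods and NTP reflection, both leave a signature that a defender can pick out of flow records. The following classifier is an added example, not code from the report or from Imperva Incapsula; the flow records, IP addresses and alert thresholds are constructed for illustration, and the only figure taken from the report is the 250-byte cut-off for a "large" SYN packet.

```python
"""Added example: label destinations in constructed flow records as targets of a
SYN flood, a combo SYN flood (regular plus oversized SYNs) or NTP reflection
(oversized UDP replies sourced from port 123 by many hosts). All records,
addresses and thresholds below are constructed, not taken from the report."""
from collections import defaultdict

LARGE_SYN_BYTES = 250  # the report's cut-off for a "large" SYN packet
NTP_PORT = 123         # UDP port NTP replies are sourced from

# Constructed flow records: (src_ip, dst_ip, proto, src_port, dst_port, tcp_flags, bytes)
SAMPLE_FLOWS = [
    # Six SYNs at 192.0.2.10: four regular-sized, two oversized -> combo SYN flood
    ("198.51.100.1", "192.0.2.10", "tcp", 40001, 80, "S", 60),
    ("198.51.100.2", "192.0.2.10", "tcp", 40002, 80, "S", 60),
    ("198.51.100.3", "192.0.2.10", "tcp", 40003, 80, "S", 480),
    ("198.51.100.4", "192.0.2.10", "tcp", 40004, 80, "S", 60),
    ("198.51.100.5", "192.0.2.10", "tcp", 40005, 80, "S", 480),
    ("198.51.100.6", "192.0.2.10", "tcp", 40006, 80, "S", 60),
    # Oversized replies from UDP/123 on four different servers to 192.0.2.20,
    # which sent no request of its own: the victim of NTP reflection
    ("203.0.113.1", "192.0.2.20", "udp", 123, 51000, "", 440),
    ("203.0.113.2", "192.0.2.20", "udp", 123, 51000, "", 440),
    ("203.0.113.3", "192.0.2.20", "udp", 123, 51000, "", 440),
    ("203.0.113.4", "192.0.2.20", "udp", 123, 51000, "", 440),
    # Ordinary traffic: one SYN and a normal-sized NTP request/reply pair
    ("198.51.100.7", "192.0.2.30", "tcp", 40007, 443, "S", 60),
    ("192.0.2.30", "203.0.113.9", "udp", 123, 123, "", 48),
    ("203.0.113.9", "192.0.2.30", "udp", 123, 123, "", 48),
]


def summarize_syn(flows):
    """Per destination: how many SYNs arrived and how many were oversized."""
    stats = defaultdict(lambda: {"syn": 0, "large_syn": 0})
    for src, dst, proto, sport, dport, flags, size in flows:
        if proto == "tcp" and flags == "S":
            stats[dst]["syn"] += 1
            if size > LARGE_SYN_BYTES:
                stats[dst]["large_syn"] += 1
    return dict(stats)


def summarize_ntp(flows):
    """Per destination: distinct hosts replying from UDP/123 and bytes received from them."""
    stats = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for src, dst, proto, sport, dport, flags, size in flows:
        if proto == "udp" and sport == NTP_PORT:
            stats[dst]["sources"].add(src)
            stats[dst]["bytes"] += size
    return dict(stats)


def classify(flows, syn_threshold=5, ntp_min_sources=3, ntp_min_bytes=1000):
    """Return {destination: verdict} for destinations crossing the (constructed) thresholds.

    A flood whose SYNs are all regular-sized is labelled "SYN flood", one whose SYNs are
    all oversized "large SYN flood", and a mix of both "combo SYN flood". A destination
    receiving a large volume of UDP/123 replies from several hosts is "NTP reflection".
    """
    verdicts = {}
    for dst, s in summarize_syn(flows).items():
        if s["syn"] < syn_threshold:
            continue
        if s["large_syn"] == 0:
            verdicts[dst] = "SYN flood"
        elif s["large_syn"] == s["syn"]:
            verdicts[dst] = "large SYN flood"
        else:
            verdicts[dst] = "combo SYN flood"
    for dst, n in summarize_ntp(flows).items():
        if len(n["sources"]) >= ntp_min_sources and n["bytes"] >= ntp_min_bytes:
            verdicts[dst] = "NTP reflection"
    return verdicts


if __name__ == "__main__":
    for dst, verdict in sorted(classify(SAMPLE_FLOWS).items()):
        print(f"{dst}: {verdict}")
```

The split between regular and oversized SYNs matters for mitigation: a filter tuned only to drop oversized SYNs, or only to rate-limit regular ones, handles half of a combo flood and lets the other half through, which is the weakness in "traditional anti-DDoS solutions" the report alludes to. On real data the thresholds would be expressed as rates per second and per source rather than the raw counts used here.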

Botnets were being more frequently used to attack multiple targets, with 29 per cent of compromised devices attacking more than 50 targets each month and 1.2 per cent of devices attacking more than 200 different targets during the same period. The majority of devices – 60.4 per cent – attacked more than 20 targets per month.

Botnets are not only more prolific: the company's analysis suggests their authors are intentionally engineering them to bypass the conventional JavaScript and cookie-based challenges normally used to filter out bots. Nearly 30 per cent of the bot sessions Imperva Incapsula encountered were able to accept and store cookies, letting them slip past DDoS sensors that have historically relied on a bot's failure to handle cookies to filter it out.

Other DDoS bots spoof their identities, impersonating the Baidu and Google search crawlers. One-third of the bots the company analysed pretend to be Baiduspider/2.0 search bots, with 16.0 per cent pretending to be Microsoft Internet Explorer 6 browsers and 11.7 per cent emulating Googlebot/2.1.

“These represent the easiest of all application layer challenges,” the report notes, “due to the highly predictable behaviour patterns of real search engine bots as well as their predetermined points of origin.”

Other targeted bot attacks, however, were becoming more common as their authors experimented with new tactics. The company reports that in the second half of 2013 it began to encounter more complex DDoS agents, including browser-based bots that “were immune to generic filtering methods and could only be stopped by a combination of customised security rules and reputation-based heuristics.”
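The two application-layer observations above, bots that accept cookies and bots that impersonate search crawlers, both come down to the same defensive point: a single challenge is no longer a reliable signal, and a claimed identity has to be checked against where the traffic actually comes from. The session scorer below is an added example, not code from the report or from Imperva Incapsula. It uses the user-agent strings the report names; the crawler check is the reverse-then-forward DNS verification that Google and Baidu publish for their crawlers, with the domain suffixes treated here as an assumed allow-list; and the DNS answers and session records are constructed so the code runs offline.

```python
"""Added example: score web sessions using two signals the report discusses.
1. A session claiming to be a search crawler is verified by reverse DNS of its
   source IP (the PTR name must fall under the crawler's domain) followed by a
   forward lookup of that name, which must return the same IP; this is the
   verification method Google and Baidu publish, with the suffixes below an
   assumed allow-list.
2. Accepting a cookie alone no longer proves a browser, so a session is only
   rated "likely browser" if it also completed a JavaScript challenge.
PTR/A records and sessions are constructed, not real DNS data."""

# Assumed allow-list: PTR names a genuine crawler should end with. The leading dot
# prevents a look-alike such as "notgooglebot.com" from matching.
CRAWLER_DOMAINS = {
    "Googlebot": (".googlebot.com", ".google.com"),
    "Baiduspider": (".baidu.com", ".baidu.jp"),
}

# User-agent strings the report names; the first two are the crawlers' published formats.
UA_GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
UA_BAIDU = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
UA_IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

# Constructed DNS data standing in for live lookups (TEST-NET addresses).
PTR_RECORDS = {
    "192.0.2.1": "crawl-192-0-2-1.googlebot.com",       # genuine crawler (constructed)
    "198.51.100.10": "crawl-192-0-2-1.googlebot.com",   # forged PTR pointing at the crawler's name
}
A_RECORDS = {
    "crawl-192-0-2-1.googlebot.com": "192.0.2.1",
}


def claimed_crawler(user_agent):
    """Return the crawler name a user-agent claims, or None if it claims none."""
    for name in CRAWLER_DOMAINS:
        if name in user_agent:
            return name
    return None


def verify_crawler(ip, user_agent, ptr=PTR_RECORDS, a=A_RECORDS):
    """True only if reverse DNS lands in the claimed crawler's domain AND the
    forward lookup of that name returns the original IP. The forward step is
    what defeats a forged PTR record, which anyone controlling the reverse zone
    for their own address space can set to any name they like."""
    name = claimed_crawler(user_agent)
    if name is None:
        return False
    host = ptr.get(ip)
    if not host or not host.endswith(CRAWLER_DOMAINS[name]):
        return False
    return a.get(host) == ip


def classify_session(session):
    """Combine the signals into one verdict for a session record."""
    ua = session["user_agent"]
    if claimed_crawler(ua):
        if verify_crawler(session["ip"], ua):
            return "verified crawler"
        return "crawler impersonator"
    if not session["accepted_cookie"]:
        return "challenge failed"
    if not session["ran_js_challenge"]:
        # Stored the cookie but never executed the script: the cookie-capable
        # bot profile the report describes, so it is not cleared on that alone.
        return "cookie-capable bot suspect"
    return "likely browser"


# Constructed sessions covering each branch.
SAMPLE_SESSIONS = [
    {"ip": "192.0.2.1", "user_agent": UA_GOOGLEBOT, "accepted_cookie": False, "ran_js_challenge": False},
    {"ip": "198.51.100.9", "user_agent": UA_BAIDU, "accepted_cookie": True, "ran_js_challenge": False},
    {"ip": "198.51.100.10", "user_agent": UA_GOOGLEBOT, "accepted_cookie": False, "ran_js_challenge": False},
    {"ip": "198.51.100.11", "user_agent": UA_IE6, "accepted_cookie": True, "ran_js_challenge": False},
    {"ip": "198.51.100.12", "user_agent": UA_IE6, "accepted_cookie": True, "ran_js_challenge": True},
]


if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(f'{s["ip"]:14} {classify_session(s)}')
```

The verified crawler is accepted even though it neither stores cookies nor runs JavaScript, which is exactly why impersonating one is attractive: a sensor that exempts anything calling itself Googlebot from challenges, without the DNS check, hands that exemption to every impersonator. In production the PTR and A lookups are live DNS queries whose results are cached per IP, and the verdict feeds into the "reputation-based heuristics" the report mentions rather than blocking outright.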

Protection against DDoS attacks is part of the impetus driving Australia's fast-growing security market, which was recognised last week when Australian security specialists took out three of the four categories in Imperva's Asia Pacific and Japan Partner Awards.

The company's internal awards recognise the success of channel partners in building out the regional footprint of Imperva solutions, which are focused on protecting physical and cloud-based Web applications and data assets.

Dimension Data Australia was chosen as System Integrator of the Year for 2013, reflecting its success in installing the solutions in the largest number of client sites. Also pipping regional competitors was Digital Networks Australia, an Imperva distributor that was given the Imperva Excellence Award. Matthew Hales, channel sales manager at Digital Networks Australia, was acknowledged as Product Manager of the Year.
