DDoS reflection attacks are back -- and this time, it's personal

Instead of hitting datacentre servers or DNS servers, the attackers are going after personal computers on misconfigured home networks

At the start of 2014, attackers' favorite distributed denial of service attack strategy was to send messages to misconfigured servers with a spoofed return address -- the servers would keep trying to reply to those messages, allowing the attackers to magnify the impact of their traffic.

As those servers got patched, this strategy became less and less effective. But now it's back, according to a new report from Akamai. Except this time, instead of hitting datacentre servers or DNS servers, the attackers are going after personal computers on misconfigured home networks.

According to Eric Kobrin, Akamai's director of information security responsible for adversarial resilience, the attackers are taking advantage of plug-and-play protocols, commonly used by printers and other peripheral devices.

These attacks, known as Simple Service Discovery Protocol (SSDP) attacks, are now the single largest attack vector for DDoS attacks, accounting for 21 percent of all attacks, up from 15 percent last quarter, and less than 1 percent at this time last year.

"There are infectable SSDP services all over the Internet," he said. "As they are discovered, we help work with people to shut them down."

Although each particular device has just a fraction of the bandwidth available to datacentre-based servers, there are more of them.

"There's a fertile ground of home systems," he said. "A properly configured home firewall can block this, but there are many improperly configured home systems connected to the Internet -- and there are also industrial systems that can be used to reflect attacks as well."
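The reflection pattern described above, written as detection logic over flow records, is an added example and not code from the article or from Akamai; the home LAN prefix, the thresholds and the flow records themselves are constructed assumptions:

```python
"""Flag SSDP reflection in flow records seen at a home router's LAN/WAN boundary:
small UDP/1900 queries "from" one outside address, answered by several LAN devices
with much larger replies aimed at that same address (the spoofed victim)."""
import ipaddress
from collections import defaultdict

SSDP_PORT = 1900
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN
MIN_REFLECTORS = 3       # distinct LAN devices replying to the same outside address
MIN_AMPLIFICATION = 5.0  # reply bytes / query bytes

# Constructed flow records (src_ip, src_port, dst_ip, dst_port, proto, bytes); not real traffic.
FLOWS = [
    ("198.51.100.9", 50000, "192.168.1.50", 1900, "udp", 100),   # queries claiming to be
    ("198.51.100.9", 50000, "192.168.1.51", 1900, "udp", 100),   # from 198.51.100.9
    ("198.51.100.9", 50000, "192.168.1.52", 1900, "udp", 100),
    ("192.168.1.50", 1900, "198.51.100.9", 50000, "udp", 2400),  # UPnP replies, all aimed
    ("192.168.1.51", 1900, "198.51.100.9", 50000, "udp", 2100),  # at the spoofed address
    ("192.168.1.52", 1900, "198.51.100.9", 50000, "udp", 2700),
    ("192.168.1.20", 52000, "239.255.255.250", 1900, "udp", 100),  # benign LAN discovery
    ("192.168.1.50", 1900, "192.168.1.20", 52000, "udp", 400),     # and its local reply
]

def reflection_alerts(flows, local_net=LOCAL_NET):
    """Return [(outside_addr, reflector_count, amplification)] for converging reply streams."""
    query_bytes = defaultdict(int)  # port-1900 query bytes, keyed by the claimed outside source
    reply_bytes = defaultdict(int)  # port-1900 reply bytes, keyed by outside destination
    reflectors = defaultdict(set)   # LAN devices replying, keyed by outside destination
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dport == SSDP_PORT and src_ip not in local_net and dst_ip in local_net:
            query_bytes[src] += nbytes
        elif sport == SSDP_PORT and src_ip in local_net and dst_ip not in local_net:
            reply_bytes[dst] += nbytes
            reflectors[dst].add(src)
    alerts = []
    for dst, total in reply_bytes.items():
        amp = total / query_bytes[dst] if query_bytes[dst] else float("inf")
        if len(reflectors[dst]) >= MIN_REFLECTORS and amp >= MIN_AMPLIFICATION:
            alerts.append((dst, len(reflectors[dst]), round(amp, 1)))
    return alerts

def exposed_devices(flows, local_net=LOCAL_NET):
    """LAN hosts that answered SSDP to any outside address: each one is a usable reflector."""
    return sorted({src for src, sport, dst, _, proto, _ in flows
                   if proto == "udp" and sport == SSDP_PORT
                   and ipaddress.ip_address(src) in local_net
                   and ipaddress.ip_address(dst) not in local_net})
```

A device listed by `exposed_devices` is misconfigured even when no attack is under way, which is the "properly configured home firewall" point in the quote above: SSDP should never be answered across the WAN interface.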

This attack source is also harder to shut down, he said.

"It's easier to go into the datacentre and have the service providers do the clean-up," he said.

Last quarter, SYN flood attacks - where "synchronize" messages are sent to servers - were the leading attack vector, accounting for 17 percent of all attacks, down slightly from 18 percent of all attacks at the start of 2014.

There has also been a change in the size of the median attack, and the typical size range of attacks, Kobrin said, as defensive measures have improved.

"The smallest effective attack size has increased, year over year," he said. "It's because the smallest attacks are no longer effective."

Another type of DoS attack has gained a foothold for the first time this year. SQL injections, normally used to gain access to systems for the purpose of stealing data, are now being used to shut down Web sites as well.

Akamai saw more than 52 million SQL injection attacks during the first quarter of 2015, which accounted for 29 percent of all Web application attacks.

The most common targets for SQL injection attacks were retail, travel and media websites.

Finally, another attack vector that's just now starting to make an impact is domain hijacking.

"People are actually attacking the registries and getting their own information put in, so the big sites are losing control of their DNS infrastructure," Kobrin said.

There have been a few high-profile cases so far, he said, mostly politically motivated, but not yet enough data to measure a trend.

"We didn't see it much in 2012, started seeing a little bit of it in 2013 and 2014, and are seeing more of it now," he said.

He recommended that companies switch on two-factor authentication for their email systems when available, ensure that employees don't reuse credentials, ask their domain registrars to put a lock on their domains, and, finally, keep a close eye on traffic numbers to spot a drop-off as soon as it happens.

With these domain redirects, the attackers are not only able to shut down the legitimate website, but also put up their own content under that website's brand.

Stories by Maria Korolov