Latest massive DDoS attack suggests criminals are plotting long campaigns

Behind the scenes, DDoS attacks are still evolving. What, if anything, does it all mean?

DDoS attackers just keep at it but the way they keep at it continues to evolve. According to an Akamai note, on 18 June, an unnamed "large European media organisation" (presumably e-gaming) experienced a sudden DDoS assault that in 10 minutes rose to a peak of 363 Gbps.

That's a large attack by any standards, but Akamai's description of the events of that day reveals other trends worth paying attention to, such as the way DDoS criminals are expanding the complexity of their attacks while defenders find themselves building huge global defences simply to keep up.

It's probably not a complete surprise that the attack bundles extreme size with the use of six different attack types: DNS reflection, SYN flood, UDP fragment, PUSH flood, TCP flood, and UDP flood. Barely 2 percent of attacks use this multi-pronged approach, but it's clearly a growing trend. As reported by Computerworld UK, on 14 June, days before the attack reported by Akamai, mitigation provider Incapsula recorded an even more massive flood that also used the spray-and-pray technique.

The attack also abused DNSSEC because, the criminals have cleverly fathomed, the DNS security protocol generates larger responses and can therefore be used to boost DNS amplification still further. Akamai has mentioned such tactics in several of its traffic reports during 2015 and 2016 but it is ironic that a security standard should end up being manipulated in this way.
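As an added illustration (not Akamai's code or data), the small classifier below sorts constructed packet summaries into the six vectors listed above and flags a multi-vector attack; its 512-byte test reflects that a DNS answer above the classic UDP limit needs EDNS0, which DNSSEC-signed responses rely on. The Pkt fields, the thresholds and the sample packets are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:               # one packet summary from a capture or flow export (constructed)
    proto: str           # "tcp" or "udp"
    src_port: int        # 0 when unknown: a non-first IP fragment carries no UDP header
    dst_port: int
    flags: str           # TCP flags as letters ("S" = SYN, "PA" = PSH+ACK); "" for UDP
    fragment: bool       # IP more-fragments bit set or non-zero fragment offset
    length: int          # bytes on the wire

def classify(p: Pkt) -> str:
    """Map a packet to one of the six vectors named in the article."""
    if p.proto == "udp":
        if p.fragment:
            return "UDP fragment"      # oversized (DNSSEC-sized) answers arrive fragmented
        if p.src_port == 53 and p.length > 512:
            return "DNS reflection"    # unsolicited answer above the classic 512-byte limit
        return "UDP flood"
    if p.proto == "tcp":
        if p.flags == "S":
            return "SYN flood"
        if "P" in p.flags:
            return "PUSH flood"
        return "TCP flood"
    return "other"

def vector_summary(pkts, min_share=0.02):
    """Count packets per vector, dropping vectors below min_share of the traffic."""
    counts = Counter(classify(p) for p in pkts)
    total = len(pkts) or 1
    return {v: n for v, n in counts.items() if n / total >= min_share}

def is_multi_vector(pkts, min_share=0.02) -> bool:
    return len(vector_summary(pkts, min_share)) >= 2

# Constructed sample: eight packets aimed at a web host (ports chosen arbitrarily)
SAMPLE = [
    Pkt("tcp", 40001, 80, "S", False, 60),
    Pkt("tcp", 40002, 80, "S", False, 60),
    Pkt("tcp", 40003, 80, "PA", False, 1460),
    Pkt("tcp", 40004, 80, "A", False, 60),
    Pkt("udp", 53, 40005, "", False, 1400),   # reflected, EDNS0-sized DNS answer
    Pkt("udp", 53, 40006, "", False, 3000),
    Pkt("udp", 0, 0, "", True, 1480),         # trailing fragment of a large answer
    Pkt("udp", 50000, 40007, "", False, 1000),
]
```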

It has developed to the extent that, in Akamai's words, "malicious actors continue to use open DNS resolvers for their own purposes, effectively using these resolvers as a shared botnet. The attack techniques and duration of the attack point to the likelihood of booter services available for lease in the DDoS-for-hire underground marketplace."

Intriguingly, a geographical analysis of the IP addresses used to generate a portion of the SYN traffic suggests that it came from home and SoHo routers hijacked by the KaitenSTD botnet.


Why does any of this matter? Almost without exception these attacks go unnoticed by Internet users and businesses are usually only affected if they are unlucky enough to share a datacentre with a targeted organisation.

"From a technical perspective, the discovery and subsequent increasing employment of new attack vectors or botnets always represent significant, albeit grim milestones," Akamai concluded.

But that's a technical way of looking at the problem. The real story hidden inside the numbers is that this was only the latest in a long string of much smaller attacks on the company by this group or groups over 34 weeks. The first conclusion is that a growing number of DDoS attacks are no longer best described as singular events so much as campaigns that go on for months and perhaps, before long, years.

As these attacks morph into larger and sometimes unpredictable surges, mitigation is also changing to meet that challenge, with Akamai revealing that its scrubbing centres (the places traffic is diverted to be cleaned) spanned several locations around the globe for this attack alone.

Disaster averted, in a way: as with the huge Incapsula attack of 14 June, the 363 Gbps flood was defended by Akamai, which has the resources to deal with it. But as the recent downing of Pokemon GO shows, plenty hit the mark. The victims are out there even if we often don't hear about them.

By John E Dunn