Distributed denial of service (DDoS) attacks are increasingly being used to distract businesses, and insecure Internet of Things (IoT) devices became the favoured mechanism for launching the attacks during 2016, according to a new analysis of the past year’s DDoS attack trends.
Businesses in certain industry sectors were increasingly targeted by DDoS perpetrators, according to the latest Worldwide Infrastructure Security Report, which is published by DDoS specialist Arbor Networks based on data collected by its ATLAS DDoS-remediation platform.
Echoing earlier warnings that businesses have never been more vulnerable to large DDoS attacks, some 63 percent of financial services and 53 percent of government bodies reported being hit by a DDoS attack – up from 45 percent and 43 percent, respectively, a year earlier.
Fully 40 percent of hosting providers reported being hit by DDoS attacks, while 61 percent of data-centre operators were hit by attacks that exceeded their total Internet capacity. With more than half of service providers recording over 51 attacks per month – around 1.7 attacks per day – ATLAS tracked some 135,000 volumetric attacks per week during the year.
Many such attacks were being driven by new techniques – the publicly available Mirai botnet code in particular – that exploited growing numbers of insecure devices to pummel targets with traffic from massive numbers of locations at once. Poor security practices including hard-coded usernames and passwords, protocols unnecessarily enabled by default, and unprotected management services had contributed to insecure devices that are “very rarely” upgraded, the report noted.
To test the prevalence of IoT attacks, Arbor set up honeypots with open Telnet/SSH ports and observed more than 1 million login attempts over the course of a fortnight – with more than 1 attempt per minute in some regions.
Increasing attack volumes pose new challenges for businesses that, according to new figures from Osterman Research and Trustwave, are struggling to keep their in-house security skills in line with the threats they are seeing.
Fully 25 percent of respondents to that survey said it was unlikely that they would have available staff to meet increasing security demands, with skills around emerging and evolving threats flagged as being the most deficient.
Fully 64 percent of respondents in the Trustwave study said their ability to respond to such threats was inadequate – far worse than self-assessed capabilities in areas such as incident and threat response (54 percent), security vulnerability scanning and testing (47 percent), and system maintenance (25 percent).
“The fact that IT organisations rate themselves least adequate in the context of emerging and evolving threats underscores the fact that they spend the least amount of time managing issues related to these threats,” the report notes.
This bodes poorly for businesses concerned about the growing volume of DDoS attacks and IoT-related security, who will find themselves struggling to keep up with requirements for staff skilled in security testing, incident response, threat monitoring, and more. Such shortfalls had led Australian businesses to chronic underinvestment in security testing practices, according to another recent Trustwave analysis that found worrying levels of apathy towards security testing.
Just over three years ago ATLAS noted that DDoS attacks had exceeded 2Gbps for the first time. By 2015, Australian targets were copping particularly fierce DDoS attacks and in 2016, the largest reported attack weighed in at 800Gbps.
Large attacks became much more common in 2016, with 558 attacks of more than 100Gbps compared with 223 the previous year. Some 87 attacks passed 200Gbps during 2016, compared with 16 the previous year.
Significantly, some 26 percent of businesses were seeing DDoS attacks used for distraction from other malicious activities – up from 12 percent the year before. This suggests DDoS attacks are being used in multifactorial attacks that hit target organisations with a one-two punch, and current staffing and resourcing levels, if they remain the same, may prove woefully inadequate in the long term.