Just as the experts expected, internet security threats around the globe continue to increase at a harrowing rate. Cyber hacking remains big business, and online companies have never been more vulnerable to attack.
Security service provider Incapsula recently issued a DDoS Threat Landscape report that reviews the latest DDoS attack trends, focusing on the evolution of the attack methods and attacker modus of operandi.
2013 in Review: Evolution of DDoS
As Incapsula’s report shows, the previous year marked new developments in DDoS attack’s sophistication, as well as in their sheer brute power. Regarding Network Layer attacks (Layers 3 and 4), 2013 saw consistent increases in average attack volumes. By the year’s end, Incapusla measured attacks coming in at over 100 Gbps, enough to bring down even the strongest of servers. According to Incapsula, today almost 1 in every 3 DDoS attacks exceed 20Gbps.
During its research Incapsula came across a single server that could wield up to 4 Gbps of DDoS firepower on its own. If amplified properly, this server could channel up to 200 Gbps of malicious traffic.
Another new trick in the hacker’s arsenal is the hit and run technique. As the name suggests, these are short, heavy bursts of traffic on a target server. This attack method is most effective against security systems that require manual initiation, causing many experts to think there will be a tendency towards security services that are always on.
While 2013 did not see a substantial increase in firepower for Application Layer (layer 7) attacks, hackers did ramp up the sophistication of their security penetrating methods. Most notably, browser-based DDoS bots are now capable of storing cookies, and some are even able to execute JS. Incapsula experts point out that these developments circumvent most bot-filtering methods that are currently in place and forecast higher reliance on reputation and behavior based identification methods in near future.
2014 and Beyond
Already in the first months of 2014 we have seen security events that have dramatically altered the way online businesses must protect themselves. First and foremost, multi-vector attacks, or attacks that use more than one method, made up over 81% of events recorded by Incapsula.
The most common multi-vector attack involves large and small SYN packet flooding, a network layer attack. Hackers will often deploy many small SYN packets to a target server, creating a smokescreen effect, and then follow with larger SYN packets to saturate the target’s network capacity. Of all attacks of 20 Gbps and over, large SYN flooding was used most often (see data on page 5 of the report).
Early 2014 will also be remembered for the emergence of NTP amplification attacks. NTP DDoS takes advantage of the MON_GETLIST command in UDP 123 to amplify data attacks by a magnitude of up to 600. As of now it is unclear if this uptick in NTP strikes will continue to be a threat, as - for all their great size - they are not difficult to stop preemptively.
DDoS as a Business
The report points out that DDoS attacks have already become a viable source of revenue for hackers all over the world. Today, DDoS bots (or, rather their ‘shepherds’) are hard at work with 89% of malicious bots used to attack more than 20 separate attacks per month.
This pattern demonstrates just how often DDoS botnets are used as zombies for hire - changing hands just like any other type of commodity. The report also shows that the overall number of documented botnet IPs grew by 240% over the last year, and one can safely assume that this growth was motivated by promise of financial gain.
New Necessities
Taken together the trends of 2013 and early 2014 spell trouble for those relying on out-dated technology to defend their websites. Security networks must be able to carry capacity exceeding 200 Gbps, and should have cloud capabilities as well.
Emily
