Akamai Report finds DDoS Attacks more Sophisticated, Adaptive

Though they are some of the oldest cyber attacks, Distributed Denial of Service (DDoS) attacks show no signs of going away, with an increase in the number, scope and sophistication of DDoS attacks in the past year, according to a recent report by cloud-delivery platform provider Akamai Technologies.

The summer edition of Akamai’s State of the Internet Security report–which focuses on DDoS attacks as well as a new area of research, bot-driven credential abuse–shows that the attacks increased 16 percent in the six-month period from November 2017 until April 2018 compared with the same period a year earlier.

Breaking down the 7,000 attacks Akamai saw in the six-month period by type, there was a 16 percent increase in infrastructure-layer attacks, a 4 percent increase in reflection-based attacks and a 38 percent increase in application-layer attacks, according to the report.

Akamai’s latest report shows that DDoS attacks increased in number and sophistication in the first half of 2018.

The report combines attack data from across Akamai’s global infrastructure, providing analysis of the current cloud security and threat landscape, as well as insight into attack trends using data gathered from the Akamai Intelligent Platform. Security professionals from across Akamai–including its Security Intelligence Response Team (SIRT), the Threat Research Unit, Information Security and the Custom Analytics group–contributed to the report.

DDoS attacks–in which perpetrators try to take down a network resource or computer by flooding it with bogus requests in an attempt to overload the system–have been known security threats for more than 20 years now, nearly as old as the inception of the World Wide Web itself.

However, what’s most troubling now is that the attacks seem to be increasing in sophistication beyond mere volumetric attacks to ones with expanded and more intelligent capabilities, including the ability to adapt on the fly as network administrators try to thwart an attack, Martin McKeay, global security advocate at Akamai, told Security Ledger.

“We do see a small number of attacks that are much more intelligent, with someone who is putting in effort to overcome the types of controls that are put into place,” he said. “It’s not just a matter anymore of mitigating the attack by having more bandwidth available. It may be DNS is part of the target, or that some other portion of the network is part of the target.”

McKeay described an attack the company saw in Europe over a period of a few days that began as a typical volumetric DDoS attack but that changed its attack pattern as administrators tried to overcome the attack.

Another attack showed its coordinators getting more creative, using group chats on Steam and IRC and a group of volunteers, rather than a botnet of malware-infected devices, to carry out the attack, he said.

“Luckily we don’t see those often, but they are not something people should be comfortable with,” McKeay told us.

Bot-based account takeover attempts target hotel, travel industries

Akamai researchers also tackled new threats in their latest report, McKeay told us. For the first time, researchers looked at botnet traffic and account-takeover attempts in which attackers have a list of user names and passwords and run a bot against a site to see if someone is re-using account info across multiple sites as a way to access user accounts, he said.
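As an added illustration (not code from the Akamai report or from this article), the pattern described above can be detected in login logs: one source trying many distinct usernames in a short window, mostly failing, with the occasional success marking a reused password. The log format, thresholds and sample lines are constructed assumptions, and the per-source grouping covers only the single-source case, not a bot spread across many addresses.

```python
from collections import defaultdict

# Constructed sample login log: "epoch_seconds source_ip username result"
SAMPLE_LOG = """\
1000 203.0.113.7 alice FAIL
1001 203.0.113.7 bob FAIL
1002 203.0.113.7 carol OK
1003 203.0.113.7 dave FAIL
1004 203.0.113.7 erin FAIL
1005 203.0.113.7 frank FAIL
1010 198.51.100.4 gina FAIL
1015 198.51.100.4 gina FAIL
1020 198.51.100.4 gina OK
1030 192.0.2.9 henry OK
"""

def stuffing_suspects(log_text, window=60, min_users=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct usernames, mostly failing, in one window.

    window, min_users and min_fail_ratio are illustrative thresholds, not
    values taken from the report.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of guessing their meaning
        ts, src, user, result = parts
        by_src[src].append((int(ts), user, result == "OK"))

    suspects = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            win = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                suspects[src] = {
                    "distinct_users": len(users),
                    "fail_ratio": round(fails / len(win), 2),
                    # Successes inside a stuffing burst are likely reused passwords.
                    "accounts_to_reset": sorted(u for _, u, ok in win if ok),
                }
                break
    return suspects

if __name__ == "__main__":
    for src, info in stuffing_suspects(SAMPLE_LOG).items():
        print(src, info)
```

The repeated failures against a single account from 198.51.100.4 are deliberately not flagged: that is a forgotten password or a brute-force attempt, which needs a different rule.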

What researchers found is that “the hotel and travel industry had shown a little bit of an outlier in the landscape overall,” he said, for a couple of reasons. One is that these sites showed more account-takeover traffic for the size of the industry over many other industries Akamai observed, McKeay said.

Specifically, Akamai researchers analyzed nearly 112 billion bot requests and 3.9 billion malicious login attempts that targeted sites in this industry including airlines, cruise lines and hotels, among others. Nearly 40 percent of the traffic seen across hotel and travel sites is classified as “impersonators of known browsers,” a known vector for fraud, he said.

The other reason is that while most of this type of botnet traffic typically comes from the United States, two other state actors now appear to be keenly interested in perpetrating this kind of online fraud–Russia and China.

“When we look at hotel and travel, cruise lines and airlines, a different pattern emerges,” McKeay said. “All of a sudden the biggest sources of this type of traffic are Russia, China and then the United States. Russia and China are the source of 50 percent more than the United States” since last year during the same time period, he said.

Memcached reflector widens attack scope

Another interesting finding in the report comes from an area of network vulnerability that only recently became an issue, memcached reflection, McKeay said.

Memcached is a Unix/Linux general-purpose memory caching service that’s meant to be on the internal network and not exposed to the Internet, he said. However, when memcached servers are misconfigured, they present a possibility to launch DDoS attacks on a massive scale because the memcached protocol over UDP has an amplification factor of more than 51,000.
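The misconfiguration described above comes down to two startup options, so it can be audited from a server's command line. The following is an added example, not code from the report or the memcached project: it reads memcached's `-U` (UDP port, `0` disables UDP) and `-l` (listen address) short options and reports whether the UDP listener is reachable beyond loopback. The function names, verdict strings and sample command lines are constructed for illustration, and `udp_default_on` is an assumption about whether the audited build enables UDP when `-U` is absent.

```python
import ipaddress
import shlex

def _is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # other hostnames: treat as reachable until reviewed

def _value(tok, tokens):
    """Return the option value from '-U0' or '-U 0' style arguments."""
    value = tok[2:] or next(tokens, None)
    if value is None:
        raise ValueError(f"option {tok} is missing its value")
    return value

def audit_memcached_cmdline(cmdline, udp_default_on=True):
    """Classify a memcached command line by its UDP exposure."""
    udp_port = 11211 if udp_default_on else 0  # 11211 is memcached's default port
    listen = []  # empty list means memcached binds every interface
    tokens = iter(shlex.split(cmdline))
    for tok in tokens:
        if tok.startswith("-U"):
            udp_port = int(_value(tok, tokens))
        elif tok.startswith("-l"):
            value = _value(tok, tokens)
            listen.extend(a.strip() for a in value.split(",") if a.strip())
    if udp_port == 0:
        return "udp-disabled"
    if listen and all(_is_loopback(a) for a in listen):
        return "udp-loopback-only"
    return "udp-exposed"

# Constructed sample command lines, as they might appear in `ps` output.
SAMPLES = [
    "memcached -m 64 -p 11211 -u memcache",
    "memcached -m 64 -u memcache -U 0 -l 127.0.0.1",
    "memcached -l 127.0.0.1,10.0.0.5 -U 11211",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(f"{audit_memcached_cmdline(cmd):18} {cmd}")
```

A verdict of `udp-exposed` still needs a firewall check before it counts as Internet-facing; the script only shows what the daemon itself will accept.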

This is what happened in late February, when attackers used memcached to launch a DDoS attack of 1.35 terabits at its peak–the largest DDoS attack to date–with sites affected including GitHub. A DDoS of such scale shows unprecedented ability to take down not just websites or companies but even entire geographic regions, McKeay said.

“To give you an idea of the size of it, there are a lot of undersea cables between the United States and Europe,” he explained. “One of the main cables, the TAT-14, is capable of carrying traffic of 3.2 terabits per second. So a 1.35-terabit attack is enough to seriously impact that cable. An entire country might not even have that much bandwidth available.”

While the security community reacted quickly to solve the memcached problem and eliminate that threat, researchers believe given the evidence they’ve seen, attackers will find other ways to mount such large DDoS attacks in the future, he said.

“Something of this size can’t be seen anymore from memcached, but there will be something else along those lines,” he warned. “Adaptive, intelligent attacks are out there, and they are going to be changing their attack methods to overcome your defenses.”
