A Detailed Analysis of the DDoS Phenomena

Monday, April 16, 2012

Pierluigi Paganini

Last year we observed an impressive growth in distributed denial-of-service (DDoS) attacks, mainly related to operations arranged by groups of hacktivists such as Anonymous.

During a DDoS assault, a multitude of compromised systems attack a single target, causing a denial of service for the users of the targeted system. I wish to analyze for you the interesting results reported in the Prolexic Attack Report for the first quarter of 2012 (registration is required).

The most disconcerting data that emerges from this study relates to the number of attacks against the financial sector, which tripled during the first quarter of this year.

The document reported a 3,000 percent quarter-over-quarter increase in malicious packet traffic targeting the financial services sector compared with the fourth quarter of 2011. The first quarter of 2012 logged a significant increase in DDoS attacks against financial services organizations, with an increase in both bandwidth and packets-per-second rates over the previous quarter.

Prolexic had reported 19.1TB of data and 14 billion packets of malicious traffic aimed at financial services during Q4 2011, and what is worrying is that the traffic increased during Q1 2012, with 65TB of data and 1.1 trillion packets identified and mitigated. The figures are striking: the malicious packet count is roughly 80 times that of the previous quarter.

While the number of attacks has changed substantially compared to previous quarters, the distribution of DDoS attack types observed remains basically unchanged.

The report's graphics show that during Q1 2012 attackers used more infrastructure-layer attacks (Layer 3; the three most common within this class were SYN floods, ICMP floods and UDP floods) than application-layer attacks (Layer 7; GET floods and POST floods).

According to the figures provided by Prolexic, 73.4% were infrastructure attacks and 26.6% were application layer attacks.
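
As an added example (not code from the article or from Prolexic), the following script shows how such a split is derived on the defender's side: constructed flow records are bucketed into the five attack categories named above, flows below a rate threshold are treated as ordinary traffic, and the share of infrastructure versus application attacks is computed packet-weighted. The record layout, the threshold and the packet counts are assumptions; the counts are chosen so the result reproduces the report's 73.4/26.6 figures.

```python
from collections import Counter

# Constructed flow records: (proto, tcp_flags, http_method, packets).
# Not real data; packet counts are picked to reproduce the report's split.
SAMPLE_FLOWS = [
    ("tcp", "S", None, 400_000),    # SYN with no ACK: half-open handshakes (SYN flood)
    ("icmp", None, None, 100_000),  # echo-request storm (ICMP flood)
    ("udp", None, None, 234_000),   # datagrams to random ports (UDP flood)
    ("tcp", "PA", "GET", 150_000),  # completed sessions hammering one URL (GET flood)
    ("tcp", "PA", "POST", 66_000),  # many large bodies (POST flood)
    ("tcp", "PA", "GET", 50_000),
    ("tcp", "PA", None, 12_000),    # ordinary TCP data: no category
    ("udp", None, None, 300),       # a normal DNS-sized UDP flow: below threshold
]

INFRASTRUCTURE = {"SYN flood", "ICMP flood", "UDP flood"}
APPLICATION = {"GET flood", "POST flood"}
FLOOD_THRESHOLD = 10_000  # assumed packets-per-flow rate that marks a flood


def classify_flow(proto, tcp_flags, http_method, packets, threshold=FLOOD_THRESHOLD):
    """Map one flow to the report's categories; None for normal or unclassified traffic."""
    if packets < threshold:
        return None
    if proto == "icmp":
        return "ICMP flood"
    if proto == "udp":
        return "UDP flood"
    if proto == "tcp":
        if tcp_flags == "S":          # handshake never completes
            return "SYN flood"
        if http_method == "GET":
            return "GET flood"
        if http_method == "POST":
            return "POST flood"
    return None


def summarize(flows):
    """Packet-weighted share of infrastructure vs application attacks."""
    packets = Counter()
    for proto, flags, method, count in flows:
        cat = classify_flow(proto, flags, method, count)
        if cat is not None:
            packets[cat] += count
    total = sum(packets.values())

    def pct(n):
        return round(100.0 * n / total, 1) if total else 0.0

    return {"by_category": dict(packets),
            "infrastructure_pct": pct(sum(packets[c] for c in INFRASTRUCTURE)),
            "application_pct": pct(sum(packets[c] for c in APPLICATION))}
```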

What has changed compared with last quarter?

Even granting that the last quarter of the year is a favourable period for attacks of every kind because of the holiday season, the trend continued unchanged into Q1 2012.

Looking closely at individual attacks, we can observe that compared with the previous quarter the average attack duration continued to decrease, dropping from 34 hours in Q4 2011 to 28.5 hours in Q1 2012.

While the duration decreased, the average attack bandwidth increased to 6.1 Gbps, up from 5.2 Gbps, which means attacks are becoming more intense, pushing more packets in less time.

The report also ranks the top ten countries originating DDoS attacks. There are no surprises in the ranking: China, the US and the Russian Federation were the top three origins of DDoS attack campaigns, consistent with their active participation in cyberspace and their aggressive cyber strategies, and with their being the traditional locations of botnet hosts.

Don't forget that a meaningful contribution is also made by cybercriminal activities as well as by operations conducted by groups of hacktivists.

A very interesting analysis could be made to distinguish the motivations behind attacks (governments, hacktivism and cybercrime) in order to better understand the cyber threat. Countries like Ukraine, for example, historically host cybercrime activities, while North Korean attacks without a doubt have governmental and political motivations.

What do we expect in the coming months?

In my opinion, the trend will continue through 2012, and we will see an increase in attacks related to both cybercrime and hacktivism. According to the Verizon report on cybercrime, hacktivism is one of the most dangerous phenomena, and DDoS is hacktivists' typical attack mode. For this reason we will observe impressive growth, supported by the worldwide spread of botnets.

Regarding the platforms being attacked, we are observing a growing interest in Macs, and we expect to see the growth of OS X botnets able to perform DDoS attacks.

Other contributors to the growth of this type of attack are the increased use of mobile phones and devices as launch platforms, and the imminent spread of the IPv6 protocol.

In the first case, we are faced with a still vulnerable sector: mobile devices today have the same computing capability as desktop environments, but the protections implemented on them are really poor, as is awareness of the threat. This combination of factors is dangerous. The financial sector is also one that pushes for the introduction of mobile devices for the delivery of its services.

Regarding the second point, the switchover from the existing address protocol, IPv4, to IPv6 will give hackers a great opportunity. With the introduction of the protocol a huge quantity of new internet addresses will become available, and those addresses could be used as sources for DDoS attacks.

IPv6-based attacks will benefit from the switchover because it becomes harder to identify and block the addresses involved, since the pool of addresses available to an offender is vastly larger. Consider also the context in which we operate: migration between protocols is an event that must be taken into account and for which companies and governments must be prepared.
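
The defensive consequence of the larger address pool is that per-address counting and blocking stops being meaningful. As an added example (not code from the article), the following script accounts IPv6 sources by their /64 prefix rather than by individual address, so an offender rotating through thousands of addresses inside one allocation still trips a rate threshold. The /64 aggregation width, the threshold and the sample events are assumptions.

```python
import ipaddress
from collections import Counter

# Assumption: an IPv6 end site is normally allocated a /64, so one offender can
# draw on 2**64 source addresses inside it. IPv4 keeps one address = one source.
V6_AGG_PREFIX = 64
V4_AGG_PREFIX = 32


def source_key(addr):
    """Collapse a source address to the prefix it is accounted under."""
    ip = ipaddress.ip_address(addr)
    plen = V6_AGG_PREFIX if ip.version == 6 else V4_AGG_PREFIX
    # strict=False lets host bits be set; the network string is the key
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


def flagged_sources(events, threshold, aggregate=True):
    """Return {key: packets} for every source at or above threshold.

    events: iterable of (source address, packet count) pairs.
    aggregate=False counts per address, which an address-hopping sender defeats.
    """
    counts = Counter()
    for addr, pkts in events:
        counts[source_key(addr) if aggregate else addr] += pkts
    return {k: v for k, v in counts.items() if v >= threshold}


# Constructed sample (documentation prefixes, not real traffic): 1000 distinct
# addresses in one /64 sending 50 packets each, plus one IPv4 host sending 120.
SAMPLE_EVENTS = [(f"2001:db8:1:2::{i:x}", 50) for i in range(1, 1001)]
SAMPLE_EVENTS.append(("192.0.2.10", 120))

if __name__ == "__main__":
    print("per address:", flagged_sources(SAMPLE_EVENTS, 1000, aggregate=False))
    print("per prefix: ", flagged_sources(SAMPLE_EVENTS, 1000))
```

A flagged /64 may also contain legitimate hosts, so the prefix key is suited to rate limiting and triage rather than to an automatic permanent ban.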

Finally, DDoS attacks are widely used in warfare operations against enemy governments. Groups of hackers are also engaged in attacks against sensitive targets with the intent of making the services provided by government agencies and institutions unusable.

It happened earlier this year when Israel fell victim to a true escalation in cyberwarfare, as unidentified attackers pulled down two major national web sites, those of the Tel Aviv Stock Exchange and of El Al, the national airline.

DDoS attacks are even more dangerous when used in conjunction with other types of offenses: they serve as a diversionary strategy to distract the defenders from the attackers' real intent.

Precisely this strategy has occasionally been adopted by organized criminals, using botnets to paralyze targeted systems and then proceeding undisturbed with committing fraud.

The message is: "do not lower our guard, this is just the beginning!"

Cross-posted from Security Affairs

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.