DDoS Attacks Up By 84% In Q1

The number of DDoS attacks increased by 84% in the first quarter of 2019 compared to Q4 2018, according to new research from Kaspersky Lab.

The global cybersecurity company’s findings, detailed in its DDoS Attacks in Q1 2019 report, come in the wake of dramatically falling numbers of DDoS attacks recorded throughout 2018, suggesting that cyber-criminals are once again turning to DDoS as an attack method after a sustained period of shifting their attention to other sources of income last year, such as crypto mining.

Kaspersky Lab also discovered a substantial growth in the number of attacks that lasted more than an hour. The company suggested that the launch of newer DDoS-for-hire services could explain the sudden rise in the number of DDoS attacks in 2019.

“The DDoS attack market is changing,” said Alexey Kiselev, business development manager on the Kaspersky DDoS Protection team. “New DDoS services appear to have replaced ones shut down by law enforcement agencies. As organisations implement basic countermeasures, attackers target them with long-lasting attacks. It is difficult to say if the number of attacks will continue to grow, but their complexity is showing no signs of slowing down. We recommend that organisations prepare themselves effectively, in order to withstand sophisticated DDoS attacks.”

Kaspersky Lab’s advice for DDoS attack defense included:

• Ensuring that web and IT resources can handle high traffic.
• Using professional solutions to protect the organisation against attacks.

The start of the year saw the appearance of various new tools in the arsenal of DDoS-attack masterminds. In early February, for instance, the new botnet Cayosin, assembled from elements of Qbot, Mirai, and other publicly available malware, swam into view.

Cyber-security experts were intrigued less by the mosaic structure and frequent updating of its set of exploited vulnerabilities than by the fact that it was advertised (as a DDoS service) not on the dark web, but through YouTube. What’s more, it is up for sale on Instagram (botnetters are clearly making the most of the opportunities afforded by social media). In tracing the cybercriminals’ accounts, the researchers stumbled upon other malware and botnets as well, including the already discovered Yowai.

Mid-March turned up another find in the shape of a new version of Mirai, geared towards attacking business devices. The malware is now able to “botnetize” not only access points, routers, and network cameras, but wireless presentation and digital signage systems, too.

Despite all this, the number of observed high-profile attacks using new and not-so-new botnets was not that high. At the end of winter, the University of Albany (UAlbany) in the US came under assault: between February 5 and March 1, 17 attacks were made on it, downing the university servers for at least five minutes. Data belonging to students and staff was not affected, but some services were unavailable; the head of IT security at UAlbany believes that the university was specifically targeted.

In early February, the website of the National Union of Journalists of the Philippines was also hit. The site was disabled for several hours by a series of powerful attacks, peaking at 468 GB/s of traffic. The attack was part of a widespread campaign against various news resources. The targets believe themselves to be the victims of political pressure on alternative sources of information.

Also in mid-March, Facebook encountered serious problems with its services when Facebook and Instagram users were unable to log into their accounts. Many observers consider the incident to be DDoS-related. However, Facebook itself rejects this version of events, meaning that the real cause can only be guessed at. The lack of news about serious DDoS attacks coincided with a rise in the number of reports of major police operations against attack organizers, accompanied by arrests and charges.

The fight to bring down resources used for DDoS attacks continues: in early January, the US Department of Justice seized 15 Internet domains from which a series of DDoS attacks was launched last December. According to DoJ documents, those domains were used to carry out attacks on government systems, ISPs, universities, financial institutions, and gaming platforms worldwide. Later that same month, a US court handed down a 10-year jail term to a Massachusetts hacker for conducting DDoS attacks against two health facilities. 

Also in January, a hacker-for-hire was arrested in Britain for having incapacitated mobile networks in Liberia and Germany (at the peak of his criminal career in 2015, he took the whole of Liberia offline). Although his “work history” is far longer than that, no other charges were brought.

The shockwaves from last year’s operation to close down Webstresser.org, one of the most notorious sites providing DDoS attack services, continue to spread. Cyber police decided to go after not just the attack organisers, but the customers as well. At the end of January, Europol announced the arrest of more than 250 users in Britain and the Netherlands. Instead of prison, one of the convicted cyber-criminals will receive an alternative punishment under the Dutch Hack Right program, aimed at rehabilitating young hackers arrested for the first time. 

Other sources report that an investigation is underway into all 150,000 Webstresser clients resident in 20 different countries.

Yet despite the law enforcement efforts, DDoS attacks remain a real threat to business. As a Neustar International Security Council survey of 200 senior technical staff members of large companies revealed, firms today consider DDoS attacks to be a serious problem: 52% of security services have already faced them, and 75% are concerned about the issue.

Quarter Trends
Last quarter, we made two predictions about trends in the DDoS attack market: first, that the market overall would contract; second, that demand for long-term “smart” attacks, in particular HTTP flooding, would grow. The first did not happen: Kaspersky DDoS Protection statistics show that all DDoS attack indicators increased last quarter. The total number of attacks climbed by 84%, and the number of sustained (over 60 minutes) DDoS sessions precisely doubled. The average duration increased by 4.21 times, while the segment of extremely long attacks posted a massive 487% growth.

This forces a reassessment of the assumption made in last year’s Q3 and Q4 reports that the decrease in DDoS activity is linked to cybercriminals switching to the more reliable and profitable cryptocurrency mining. Clearly, this hypothesis is at least partially wrong.

There is another, more likely explanation: over the last six months of the previous year, what we were observing was less a redistribution of botnet capacity to other purposes than the emergence of a market vacuum. Most likely, the supply deficit was linked to the clamping down on DDoS attacks, the closure of sites selling related services, and the arrest of some major players over the past year.

Now it seems the vacuum is being filled: such explosive growth in the indicators is almost certainly due to the appearance of new suppliers and clients of DDoS services. It will be interesting to observe how this trend develops in Q2. Will the indicators continue to rise, or will the market settle at the current level?

The second prediction (growing demand for smart application-level attacks) was more accurate: the share of long, harder-to-organise attacks is still growing, both qualitatively and quantitatively. We see no reason why this trend should not continue throughout Q2.

Attack Geography
China remains the leader by number of attacks. It even returned to its previous level after a drop in previous quarters: its share rose from 50.43% to 67.89%. In second place came the US, although its share was reduced from 24.90% to 17.17%. Third place belonged to Hong Kong, up from seventh, increasing its share from 1.84% to 4.81%.

Interestingly, except for China and Hong Kong, all other countries’ shares decreased. This did not prevent the US from retaining second position; meanwhile, Australia, having taken bronze at the end of 2018, dropped to last place, down 4 p.p. (from 4.57% to 0.56%).

Among other significant changes, it is worth noting Britain, which fell from fifth to seventh place having shed 1.52 p.p. (from 2.18% to 0.66%), as well as Canada and Saudi Arabia. Each of the latter two lost around 1 p.p., but that did not stop Canada (0.86%) climbing from sixth to fourth, while Saudi Arabia (0.58%) dropped down a rung towards the foot of the table.

Brazil, meanwhile, dropped out of the Top 10 altogether, making way for Singapore, which came straight in at number 5 with 0.82% of attacks (tellingly, its share too was down on the previous quarter, albeit very slightly).

South Korea, which previously juggled second and third place with the US, remains outside the Top 10 (accounting for 0.30% of attacks). 

Sources: Securelist, Infosecurity.
