Akamai: DDoS attacks on the rise, become more specialized

Akamai's new State of the Internet/Security: Web Attack report says DDoS attacks increased 16% since 2017. It also says China and Russia launch the most credential abuse attacks on the hospitality industry.


Cyber defenders need to stay on their toes, as DDoS attacks are still on the rise. According to Akamai Technologies’ Summer 2018 State of the Internet/Security: Web Attack report, the number of recorded DDoS attacks increased 16 percent since last year, and attackers are devising new and advanced DDoS methods.

Since last year, there has been a 4 percent increase in reflection-based DDoS attacks, a 38 percent increase in application-layer web attacks such as SQL injection and cross-site scripting, and a 1.35 terabit-per-second memcached reflection attack, the largest DDoS attack to hit the internet yet.

Biggest DDoS attack to date

As for the memcached reflection attack vector, Akamai saw the largest attack ever recorded on the internet in February. During the record-setting 1.35 Tbps attack against a software company, attackers opened a gushing firehose of traffic by taking advantage of “memcached servers as reflectors that enabled attack amplification at orders of magnitude greater than previously seen with other reflection attacks.” Fortunately, administrators moved quickly to mitigate the issue, which cut the roughly 50,000 exposed servers down to a few thousand.

Two other highlights: Mirai is not dead, as attacks using new variants are still ongoing, and Akamai also saw multi-vector reflection attacks using obscure vectors such as the Intelligent Platform Management Interface (IPMI) and Internet Key Exchange (IKE) protocols.

2 uncommon DDoS attack examples

DDoS is not solely about volume to clog the pipes. Akamai described two uncommon, adaptable and interesting attack patterns that prove it.

One of the new attacks started from a YouTube tutorial by a 12-year-old developer; it was aimed at an entire /24 subnet. Another came from a group of minors who coordinated attacks over Steam and IRC. “Rather than using a botnet of devices infected with malware to follow hacker commands, these attacks were carried out by a group of human volunteers.” The primary vector was a very large SYN flood measuring in excess of 170 Gbps and 65 Mpps (million packets per second); a secondary “SYN-ACK flood reflected off legitimate FTP and web servers across a host of geographies.”
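The memcached, IPMI and IKE reflection vectors above and the SYN-ACK flood bounced off legitimate FTP and web servers share one signature on the victim's side: responses from a service the victim never queried, arriving from many unrelated hosts at once. The following detector is an added example and is not code from Akamai or from the report; the flow-record format, the reflector port list and the alert thresholds are assumptions made for illustration. It groups inbound flows by victim and vector, treats UDP traffic from well-known reflector ports as amplification when it comes from several sources with large per-packet payloads, and treats bare SYN-ACKs from FTP/HTTP/HTTPS ports from several sources as TCP reflection (SYN-ACKs are small, so source diversity is the only usable signal there).

```python
"""Reflection/amplification DDoS detector over flow records.

Added example, not from the Akamai report. The flow line format
('<src> <sport> <dst> <dport> <proto> <flags> <pkts> <bytes>'), the
reflector port table and the thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports commonly abused as reflectors (memcached, IPMI/RMCP, IKE,
# DNS, NTP, SSDP). Only the port-to-name mapping is used here.
UDP_REFLECTOR_PORTS = {11211: "memcached", 623: "IPMI/RMCP", 500: "IKE",
                       53: "DNS", 123: "NTP", 1900: "SSDP"}
# Legitimate TCP services whose SYN-ACKs get reflected when an attacker
# sends SYNs with the victim's address spoofed as the source.
TCP_REFLECTOR_PORTS = {21: "FTP", 80: "HTTP", 443: "HTTPS"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "udp" or "tcp"
    flags: str   # TCP flags such as "S", "SA", "PA"; "" for UDP
    pkts: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed whitespace-separated flow line."""
    src, sport, dst, dport, proto, flags, pkts, nbytes = line.split()
    return Flow(src, int(sport), dst, int(dport), proto,
                "" if flags == "-" else flags, int(pkts), int(nbytes))


def detect_reflection(flows, min_sources=3, min_bytes_per_pkt=400):
    """Return alerts for (victim, vector) pairs fed by >= min_sources hosts.

    UDP vectors must also show amplified (large) packets; SYN-ACK reflection
    is reported on source diversity alone.
    """
    buckets = defaultdict(lambda: {"sources": set(), "pkts": 0, "bytes": 0})
    for f in flows:
        if f.proto == "udp" and f.sport in UDP_REFLECTOR_PORTS:
            key = (f.dst, UDP_REFLECTOR_PORTS[f.sport])
        elif f.proto == "tcp" and f.flags == "SA" and f.sport in TCP_REFLECTOR_PORTS:
            key = (f.dst, "SYN-ACK reflection via " + TCP_REFLECTOR_PORTS[f.sport])
        else:
            continue  # not a reflected response; ignore
        b = buckets[key]
        b["sources"].add(f.src)
        b["pkts"] += f.pkts
        b["bytes"] += f.nbytes

    alerts = []
    for (victim, vector), b in buckets.items():
        if len(b["sources"]) < min_sources:
            continue
        bpp = b["bytes"] / b["pkts"]
        if vector.startswith("SYN-ACK") or bpp >= min_bytes_per_pkt:
            alerts.append({"victim": victim, "vector": vector,
                           "sources": len(b["sources"]),
                           "bytes_per_pkt": round(bpp, 1)})
    return sorted(alerts, key=lambda a: (a["victim"], a["vector"]))


# Constructed sample: three memcached reflectors, one stray DNS reply, three
# HTTP servers and one HTTPS server returning SYN-ACKs, and a normal SSH flow.
SAMPLE_FLOWS = [
    "198.51.100.1 11211 203.0.113.10 41000 udp - 1000 1400000",
    "198.51.100.2 11211 203.0.113.10 41000 udp - 800 1100000",
    "198.51.100.3 11211 203.0.113.10 41000 udp - 900 1300000",
    "198.51.100.9 53 203.0.113.10 50000 udp - 1 120",
    "198.51.100.20 80 203.0.113.10 12345 tcp SA 5000 300000",
    "198.51.100.21 80 203.0.113.10 12346 tcp SA 6000 360000",
    "198.51.100.22 443 203.0.113.10 12347 tcp SA 4000 240000",
    "198.51.100.23 80 203.0.113.10 12348 tcp SA 5500 330000",
    "198.51.100.40 22 203.0.113.10 55000 tcp PA 10 2000",
]


def run_sample():
    """Run the detector over the constructed flows; used by the demo below."""
    return detect_reflection(parse_flow(l) for l in SAMPLE_FLOWS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed sample this reports two vectors against 203.0.113.10: memcached amplification from three reflectors at roughly 1.4 KB per packet, and SYN-ACK reflection via HTTP from three servers. The single DNS reply and the lone HTTPS SYN-ACK source stay below the source threshold, which is the point of aggregating by vector rather than alerting on every unsolicited response.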

The next uncommon attack example was a series of attacks that pounded a company’s DNS servers instead of its corporate website. The attack continued for nearly two days, with the attackers changing the nature of their attack in response to mitigation efforts.

Akamai explained, “The majority of the attack traffic seen was volumetric DNS queries, which ties up network resources and DNS server processing power by, for example, causing the servers to look for random, non-existent names. DNS traffic peaked at 1.8 Gbps and 2.5 Mpps, but rarely for more than several minutes at a time. The attack also included a secondary vector, a TCP-based attack peaking at 120 Gbps and 18.6 Mpps, consisting of PSH/ACK packets.”
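Queries for random, non-existent names defeat caching, so every one of them costs the authoritative server a lookup and a negative answer. The distinguishing trait is not volume alone but that the names are distinct and high-entropy and nearly all return NXDOMAIN; a misconfigured resolver retrying one bad name produces NXDOMAINs too but not the diversity. The detector below is an added example and not code from Akamai or the report; the query-log line format, the zone name and the thresholds are assumptions made for illustration. It buckets queries per client and time window and flags clients whose queries under the zone are mostly NXDOMAIN for distinct, high-entropy leftmost labels.

```python
"""Random-subdomain (NXDOMAIN flood) detector over DNS query-log lines.

Added example, not from the Akamai report. The log format
('<epoch> <client> <qname> <rcode>'), the zone and the thresholds are
assumptions for illustration.
"""
import math
from collections import defaultdict


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_query_line(line: str):
    """Parse '<epoch> <client> <qname> <rcode>'; None if malformed."""
    parts = line.split()
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    ts, client, qname, rcode = parts
    return int(ts), client, qname.rstrip(".").lower(), rcode.upper()


def detect_random_subdomain_flood(lines, zone, window=60, min_queries=5,
                                  min_nxdomain_ratio=0.8, min_entropy=3.0,
                                  min_distinct_ratio=0.9):
    """Flag (client, window) pairs that look like random-name generation.

    A client is reported when, within one window, it sent at least
    min_queries for names under `zone`, most got NXDOMAIN, the names were
    almost all distinct, and the leftmost labels are high-entropy.
    """
    zone = zone.rstrip(".").lower()
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "names": set(),
                                 "entropy_sum": 0.0})
    for line in lines:
        parsed = parse_query_line(line)
        if parsed is None:
            continue  # skip malformed log lines rather than crash mid-attack
        ts, client, qname, rcode = parsed
        if not qname.endswith("." + zone):
            continue  # only the zone we are authoritative for matters here
        leftmost = qname[: -len(zone) - 1].split(".")[0]
        s = stats[(client, ts // window)]
        s["total"] += 1
        s["names"].add(qname)
        s["entropy_sum"] += label_entropy(leftmost)
        if rcode == "NXDOMAIN":
            s["nx"] += 1

    alerts = []
    for (client, bucket), s in stats.items():
        if s["total"] < min_queries:
            continue
        nx_ratio = s["nx"] / s["total"]
        mean_entropy = s["entropy_sum"] / s["total"]
        distinct_ratio = len(s["names"]) / s["total"]
        if (nx_ratio >= min_nxdomain_ratio and mean_entropy >= min_entropy
                and distinct_ratio >= min_distinct_ratio):
            alerts.append({"client": client, "window_start": bucket * window,
                           "queries": s["total"],
                           "nxdomain_ratio": round(nx_ratio, 2),
                           "mean_label_entropy": round(mean_entropy, 2)})
    return sorted(alerts, key=lambda a: (a["window_start"], a["client"]))


# Constructed sample: one flooding client, one legitimate client that retries
# a typo five times, one query for an unrelated zone, one malformed line.
SAMPLE_LOG = [
    "1000 198.51.100.7 q8zk3mw7pv.example.com. NXDOMAIN",
    "1001 198.51.100.7 h2xr9tn5ly.example.com. NXDOMAIN",
    "1002 198.51.100.7 b6dj4ws1qe.example.com. NXDOMAIN",
    "1003 198.51.100.7 m3kp7zf0ch.example.com. NXDOMAIN",
    "1004 198.51.100.7 v9ty2rb8nd.example.com. NXDOMAIN",
    "1005 198.51.100.7 c5wq1lx4gj.example.com. NXDOMAIN",
    "1000 192.0.2.5 www.example.com. NOERROR",
    "1001 192.0.2.5 mail.example.com. NOERROR",
    "1002 192.0.2.5 tpyo.example.com. NXDOMAIN",
    "1003 192.0.2.5 tpyo.example.com. NXDOMAIN",
    "1004 192.0.2.5 tpyo.example.com. NXDOMAIN",
    "1005 192.0.2.5 tpyo.example.com. NXDOMAIN",
    "1006 192.0.2.5 tpyo.example.com. NXDOMAIN",
    "1006 192.0.2.5 www.other.net. NOERROR",
    "garbage line that should be skipped",
]


def run_sample():
    """Run the detector over the constructed log; used by the demo below."""
    return detect_random_subdomain_flood(SAMPLE_LOG, "example.com")


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample only 198.51.100.7 is reported: six distinct ten-character labels, all NXDOMAIN, with mean label entropy about 3.32 bits per character. The legitimate client's repeated typo produces five NXDOMAINs but one name and a 0.71 NXDOMAIN ratio, so it is left alone. In production the per-client bucket would be keyed on the recursive resolver or source prefix, since the attack traffic in the report arrived through many resolvers, and the window and thresholds would be tuned against a baseline of normal NXDOMAIN rates for the zone.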

Hospitality industry: China, Russia fingered for most credential abuse attacks

The report also drilled down into attacks directed against the hospitality industry, analyzing 112 billion bot requests and 3.9 billion malicious login attempts against sites belonging to airlines, cruise lines, hotels, online travel, automotive rental and transport organizations.

Cruise lines are targeted by twice as many bots as airline and hotel sites, with Akamai capturing 50 billion events that targeted cruise lines. Yet hotel and resort sites are hit with the most credential abuse connections.

When it comes to credential abuse for the travel industry, Akamai’s geographic analysis of attack traffic aimed at hotels, cruise lines, airlines and travel sites showed most originating from Russia and China.

Akamai wrote: “Attack traffic origination against the hospitality and travel industry from China and Russia combined was three times the amount of attacks originating in the U.S.”

Attack traffic originating from Indonesia came in third.

“Approximately half of the credential abuse traffic from Russia, China, and Indonesia is aimed at hotels, cruise lines, airlines, and travel sites,” according to Akamai.

Nearly 40 percent of the bot traffic targeting hotel and travel sites was classified as “impersonators of known browsers” – a vector for fraud. The report noted that imitation of mobile device browsers is on the rise; it’s one of the most common types of browser imitator. The next most common type was classified as “other bot,” with the third most common type of bot traffic coming from web search engines.

Breathing new life into ransomware

I highly recommend reading the entire report, but I’d also like to highlight some forward-looking scenarios written by Rik Ferguson, vice president of security research at Trend Micro, illustrating how technology constantly changes and attacks change with it.

Here is one scary example: Now that Business Email Compromise (BEC) is a “low-paying gig,” attackers have researched a company, “pulled all the online video, audio and still footage of your CEO, and fed it onto an off-the-shelf AI video manipulation tool. They can modify footage in real time, compositing the image of the CEO onto the face and body of the criminal caller. Not only that but the audio allows them to exactly replicate the tone of voice as they initiate a video call to the Director of Finance.” It being late on a Friday, the attackers, posing as the CEO, claim the invoice “must” be paid immediately.

Another example highlighted how attackers are breathing new life into ransomware attacks. Ferguson wrote:

Another attack group is focusing on ways to repurpose the failing ransomware model. Last month, they took control of a fleet of autonomous delivery trucks, rerouting all of them to downtown Manhattan at only 3 mph. Very quickly it was gridlock, but still it took the victim almost five hours to agree to pay the ransom. Not quick enough for the attackers.

They turned their attention to London’s Heathrow airport, where they have a connection into the baggage handling system. Taking a leaf from the DDoS Handbook for Success, they sent a message to the airport, “at 2pm we will shut down your baggage handling system until you pay one meeeellion dollars. At midday we will demonstrate our ability to do this, you will have three hours to pay.”

The airport couldn’t take the baggage handling system offline, so it paid a million bucks, which is “small-change compared to the potential compensation, loss and brand damage.”

Ferguson suggested, “Information Security is no longer the Department of No, it becomes the Department of Change.”

Lisa Beegle, senior manager of security intelligence at Akamai, added, “This report shows how malicious actors have become more adaptive to enterprise defenses by creating more sophisticated attack methods. Technology evolves at a rapid pace, and security can no longer be put on the backburner – solutions need to be designed with the evolving cyber threats of the future in mind.”
