Cyber-criminals are shifting away from cheap DDoS attacks that are easy to implement to more complex and focused ones, according to a new report from Kaspersky.
In its quarterly DDoS Intelligence report, the firm said that there was also a nearly fourfold increase in the number of DDoS attacks. Around 74 countries were targeted by DDoS attacks in Q1 and as in the previous quarter, the vast majority of those resources were located in just ten countries, with Ukraine, Germany and France all making a new appearance.
The report said that over 70 per cent of attacks in the first quarter lasted no longer than four hours. At the same time, there was a reduction in the maximum attack duration with the longest DDoS attack lasting just eight days (the longest registered attack in Q4 2015 lasted almost two weeks). During the reporting period, the maximum number of attacks against a single target increased: 33 attacks compared to 24 in the previous quarter.
However, a fall was reported in the number of attacks targeting communication channels, accompanied by an increase in the number of application-layer attacks. The firm suggested amplification attacks, which regained popularity last year, have begun to lose their appeal.
The confirmed a trend towards reduced duration and increased frequency combined with greater complexity. During the first three months of the year, Kaspersky Lab resources countered almost as many attacks as the whole of 2015. The majority of those attacks were also short-lived application-layer attacks.
Evgeny Vigovsky, head of Kaspersky DDoS Protection, Kaspersky Lab, said that almost all telecom companies have learned to cope with the most widespread (and, as a rule, technologically ‘simple') types of DDoS attacks.
“This has forced cyber-criminals to turn to more complex and expensive – but more effective – methods in order to improve the efficiency of their work. Attacks at the application level are a good example.
“Only a highly professional anti-DDoS solution with an intelligent junk-filtering algorithm is capable of detecting genuine user requests from the general flow. That's why companies, especially those whose business depends on the availability of online services, can no longer rely solely on the capabilities of an Internet provider,” he added.
Carl Herberger, vice president of security solutions at Radware, told SCMagazineUK.com that the botnets are being distributed in ways in which it is very difficult to stop them.
“They are being launched from cloud services providers like Amazon Web Services, they are increasingly infecting the Internet of Things (IoT) causing a zombie-like army which is hard to eradicate and more difficult to halt and lastly they know how to encrypt attacks so that today's casual security architectures will not notice them,” he said.
Dave Larson, COO at Corero Network Security, told SC that due to the fact that botnet attacks are launched and then disappear without leaving enough information for victims to trace its origins – effectively acting like a giant cloud computer – organisations really have no choice but to defend themselves at the edges of the network.
“The only proper defence is to use an automatic, always-on, in-line DDoS mitigation system, which can monitor all traffic in real-time, negate the flood of attack traffic at the Internet edge, eliminate service outages and allow security personnel to focus on uncovering any subsequent malicious activity, such as data breaches,” he said.
James Henry, UK Southern Manager at Auriga Consulting, told SC that most organisations simply seek to batten down the hatches when it comes to a DDoS attack and hope for the best.
“Their security stance is defensive, not proactive, and few have access to the kind of intelligence that would provide them with the forewarning needed to weather and rapidly recover from these attacks,” he said.“That's because the monitoring of botnet activity and accompanying chatter on legitimate and deep web social media networks and forums that typically precedes these types of attack simply isn't being monitored. Like an incoming storm, there are always signs to indicate and forecast DDoS attacks if you know how to read them but you need access to that data,” added Henry.