Malicious actors switch tactics to build, deploy and conceal powerful botnets
Targeting PaaS and SaaS vendors, and CMSes such as WordPress and Joomla
Distributed Denial of Service (DDoS) attacks are continuing in high numbers, backed by more insidious botnets, according to the Prolexic Q2 2014 Global DDoS Attack Report.
Prolexic Technologies is now part of Akamai, and has produced the quarterly Global DDoS Attack Report since 2011. The report provides analysis and insight into the global DDoS threat landscape, Akamai said in a statement.
“DDoS attacks have continued in high numbers and with high average and peak bandwidths. They can take out an entire data centre by overwhelming network bandwidth,” said Stuart Scholly, senior vice president and general manager of security at Akamai Technologies.
“Behind these powerful attacks are changing tactics to build, deploy and conceal powerful botnets. Server-side botnets are preying on web vulnerabilities and reflection and amplification tactics are allowing attackers to do more with less,” he added.
When building server-side botnets, attackers have been targeting Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) vendors with server instances running software with known vulnerabilities, such as versions of the Linux, Apache, MySQL, PHP (LAMP) stack and Microsoft Windows Server operating systems.
They have also targeted vulnerable versions of common web Content Management Systems (CMS) such as WordPress and Joomla or their plugins, Akamai said.
While the use of server-based botnets has increased, the itsoknoproblembro (Brobot) botnet, also based on server infection, has remained a threat.
Attacks in the second quarter of 2014 provided indications that the botnet is still in place from its earlier use in the Operation Ababil attacks against financial institutions in 2011-2013. Once thought to have been cleaned up, it appears the botnet has been surreptitiously maintained.
Reflection and amplification attacks were more popular in the second quarter of 2014 as compared with the same period in 2013, representing more than 15% of all infrastructure attacks.
These attacks take advantage of common UDP-based Internet protocols and of misconfigured, Internet-reachable servers that answer unauthenticated requests with replies many times larger than the request. Because UDP does not verify the sender, the attacker spoofs the victim's address as the source, and the reflectors deliver the amplified replies to the victim.
While the use of NTP (Network Time Protocol) reflection attacks was down significantly in the second quarter of 2014, likely due to community cleanup work, SNMP (Simple Network Management Protocol) reflector attacks surged during the quarter, filling the void.
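The traffic pattern described above is visible in flow records from both ends: a victim sees large UDP packets from many distinct sources all using the same service port (123 for NTP, 161 for SNMP), and an organisation whose server is being abused as a reflector sees that server send far more bytes to a remote address than it received from it. The detector below is an added example written for this page, not code from the Prolexic report or from Akamai; the flow records, the RFC 5737 documentation addresses, the list of owned prefixes and the thresholds (`min_sources`, `min_bytes_per_packet`, `min_amplification`) are all constructed or assumed for illustration and should be tuned to a real network.

```python
"""Spot reflection/amplification DDoS traffic in NetFlow-style records.

Added example for this page (not Prolexic/Akamai code). All addresses,
flows and thresholds are constructed or assumed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# UDP services that are commonly abused as reflectors (assumed, not exhaustive).
REFLECTOR_PORTS = {19: "chargen", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}

# Prefixes we own; anything else is "the Internet". Constructed for the example.
OUR_NETS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    octets: int


def is_ours(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in n for n in OUR_NETS)


def find_reflection_victims(flows, min_sources=5, min_bytes_per_packet=200):
    """Inbound UDP from a reflector service port, from many distinct sources,
    with large packets: one of our hosts is the spoofed target of an attack."""
    by_target = defaultdict(lambda: {"sources": set(), "packets": 0, "octets": 0})
    for f in flows:
        if f.proto != "udp" or f.sport not in REFLECTOR_PORTS:
            continue
        if is_ours(f.src) or not is_ours(f.dst):
            continue
        agg = by_target[(f.dst, f.sport)]
        agg["sources"].add(f.src)
        agg["packets"] += f.packets
        agg["octets"] += f.octets
    findings = []
    for (dst, sport), agg in by_target.items():
        bpp = agg["octets"] / agg["packets"]
        if len(agg["sources"]) >= min_sources and bpp >= min_bytes_per_packet:
            findings.append({"victim": dst, "service": REFLECTOR_PORTS[sport],
                             "reflectors": len(agg["sources"]),
                             "bytes_per_packet": round(bpp, 1)})
    return findings


def find_abused_reflectors(flows, min_amplification=5.0):
    """Our host answering on a reflector port with far more bytes than the peer
    sent it is being used to attack that peer (the spoofed source address)."""
    req = defaultdict(int)   # (our_host, port, remote) -> request octets in
    resp = defaultdict(int)  # (our_host, port, remote) -> response octets out
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport in REFLECTOR_PORTS and is_ours(f.dst) and not is_ours(f.src):
            req[(f.dst, f.dport, f.src)] += f.octets
        elif f.sport in REFLECTOR_PORTS and is_ours(f.src) and not is_ours(f.dst):
            resp[(f.src, f.sport, f.dst)] += f.octets
    findings = []
    for key, out_bytes in resp.items():
        in_bytes = req.get(key, 0)
        # No matching request at all is treated as unbounded amplification.
        amp = out_bytes / in_bytes if in_bytes else float("inf")
        if amp >= min_amplification:
            host, port, remote = key
            findings.append({"reflector": host, "service": REFLECTOR_PORTS[port],
                             "spoofed_victim": remote, "amplification": amp})
    return findings


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    # 1. Six Internet NTP servers flooding 203.0.113.10 with 482-byte monlist replies.
    *[Flow(f"192.0.2.{i}", 123, "203.0.113.10", 40000 + i, "udp", 1000, 482_000)
      for i in range(1, 7)],
    # 2. Legitimate NTP sync: 76-byte packets in each direction, one peer.
    Flow("203.0.113.20", 123, "192.0.2.50", 123, "udp", 1, 76),
    Flow("192.0.2.50", 123, "203.0.113.20", 123, "udp", 1, 76),
    # 3. Spoofed 78-byte SNMP GetBulk requests hit our 198.51.100.5, which answers
    #    "192.0.2.99" (the real victim) with 1500-byte responses.
    Flow("192.0.2.99", 50000, "198.51.100.5", 161, "udp", 200, 15_600),
    Flow("198.51.100.5", 161, "192.0.2.99", 50000, "udp", 200, 300_000),
]

if __name__ == "__main__":
    for finding in find_reflection_victims(SAMPLE_FLOWS):
        print("VICTIM  ", finding)
    for finding in find_abused_reflectors(SAMPLE_FLOWS):
        print("REFLECTOR", finding)
```

Run against the sample, the first function reports 203.0.113.10 as an NTP reflection victim (six reflectors, 482 bytes per packet) and the second reports 198.51.100.5 as an SNMP reflector amplifying roughly 19x towards 192.0.2.99; the ordinary NTP exchange is ignored by both because it has one peer and a 1:1 byte ratio. The second check is the one a hosting or SaaS provider should be running on its own address space, since a flagged host is exactly the misconfigured server the report describes, and the fix is to disable or restrict the service (NTP `monlist`, public SNMP community strings, open resolvers) rather than to filter inbound traffic.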
Q2 2014 highlights:
Compared with the second quarter of 2013
22% increase in total DDoS attacks
72% increase in average attack bandwidth
46% increase in infrastructure (Layer 3 and 4) attacks
54% decrease in average attack duration: 38 vs 17 hours
241% increase in average peak bandwidth
Compared to the first quarter of 2014
0.2% decrease in total DDoS attacks
14% decrease in average attack bandwidth
15% decrease in application (Layer 7) attacks
0.2% decrease in average attack duration: 17.38 vs 17.35 hours
36% decrease in average peak bandwidth
Analysis and emerging trends
Attacks involving server-side botnets have only been observed by Akamai in the most sophisticated and carefully orchestrated DDoS campaigns, the company said in its statement.
Their high-volume infrastructure attacks have had signatures that appear to be specially crafted to avoid detection by DDoS mitigation technology. Because of the effectiveness of these attacks, and the widespread availability of vulnerable cloud-based software, they are likely to continue and may be monetised in the underground DDoS marketplace.
They potentially pose a significant danger to businesses, governments and other organisations, Akamai said.
These DDoS trends and more are discussed in detail in Prolexic's Q2 2014 Global DDoS Attack Report.