Distributed denial-of-service attacks are becoming more common, more powerful and the botnets that support them more resilient.
It isn’t just your imagination or media hype — denial-of-service attacks were more common in 2012 than ever before. Prolexic Technologies logged a 53 percent increase in the attacks for last year over the year before, and the largest single culprit seems to be the itsoknoproblembro DDOS toolkit.
According to the security company’s most recent quarterly report on DDOS activity, the attacks are not only becoming more common but also more powerful, and the botnets that support them are more resilient. Itsoknoproblembro was used to launch high-profile distributed attacks against banking companies in late 2012 and had a role in most of the attacks the company analyzed in the fourth quarter. A number of government agencies were also among the organizations targeted.
Prolexic provides protection against DDOS attacks, absorbing or dropping attack traffic before it reaches its targets. It regularly analyzes attack data to report on trends.
Although most of the high-profile attacks caused some disruption in services, they generally failed to take their targets offline completely. But defending against them is becoming more challenging as itsoknoproblembro and its botnets evolve. The average volume of attack traffic grew to 5.9 gigabits/sec in the last quarter of 2012, up from 5.2 gigabits/sec a year earlier, and the company recorded seven high-bandwidth attacks of 50 gigabits/sec or more.
One of the most interesting trends is the sharp increase in DDOS attacks aimed at Web applications rather than the network. Although network attacks still account for 75 percent of DDOS attacks, the number of application layer attacks is growing at a faster rate. Application layer attacks grew by 30 percent in the fourth quarter of 2012 over the same quarter a year earlier, and jumped by more than 70 percent over the previous quarter.
What does this mean for administrators defending their systems from these attacks? For one thing, application attacks are likely to be stealthier because they rely on malformed requests to specific applications that consume a server’s resources slowly, rather than on sheer volume directed against a network. While you’re watching for barbarian hordes to attack your gates, individual intruders might already be quietly chipping away inside your walls.
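The resource-consumption point above, as an added example that is not from the article or from Prolexic: a short Python script that aggregates constructed nginx-style access-log lines per client (it assumes $request_time in seconds is the last field, which is a logging choice, not a default) and shows that a bytes-only threshold misses a client whose handful of slow requests eats almost all of the server’s time.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not from the report). Last field is assumed to be
# nginx $request_time in seconds. 203.0.113.7 sends three tiny but very slow
# requests to one search endpoint; everything else is ordinary browsing.
SAMPLE_LOG = """\
198.51.100.2 - - [10/Jan/2013:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 0.012
198.51.100.3 - - [10/Jan/2013:10:00:02 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 0.008
203.0.113.7 - - [10/Jan/2013:10:00:02 +0000] "GET /search?q=%25%25%25 HTTP/1.1" 200 310 9.870
198.51.100.2 - - [10/Jan/2013:10:00:03 +0000] "GET /about.html HTTP/1.1" 200 4096 0.010
203.0.113.7 - - [10/Jan/2013:10:00:04 +0000] "GET /search?q=%25%25%25 HTTP/1.1" 200 305 9.910
198.51.100.4 - - [10/Jan/2013:10:00:05 +0000] "POST /login HTTP/1.1" 302 512 0.040
203.0.113.7 - - [10/Jan/2013:10:00:06 +0000] "GET /search?q=%25%25%25 HTTP/1.1" 200 312 9.950
198.51.100.3 - - [10/Jan/2013:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 5120 0.011
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} (?P<bytes>\d+) (?P<secs>[\d.]+)$'
)

def per_client_stats(log_text):
    """Aggregate request count, bytes sent and server time per client IP."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "secs": 0.0, "paths": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        s = stats[m["ip"]]
        s["requests"] += 1
        s["bytes"] += int(m["bytes"])
        s["secs"] += float(m["secs"])
        s["paths"].add(m["path"])
    return stats

def flag_by_volume(stats, byte_share=0.5):
    """Volume-only view: clients responsible for byte_share or more of all bytes."""
    total = sum(s["bytes"] for s in stats.values()) or 1
    return sorted(ip for ip, s in stats.items() if s["bytes"] / total >= byte_share)

def flag_by_server_time(stats, time_share=0.5, min_requests=3):
    """Resource view: clients that burn time_share or more of total server time
    with only a few requests, concentrated on at most two distinct paths."""
    total = sum(s["secs"] for s in stats.values()) or 1.0
    return sorted(ip for ip, s in stats.items()
                  if s["requests"] >= min_requests
                  and s["secs"] / total >= time_share and len(s["paths"]) <= 2)
```

On the sample, flag_by_volume returns nothing while flag_by_server_time returns the slow client; in practice the thresholds need tuning against a baseline of normal response times for each endpoint.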
It also is a reflection of the continuing cat-and-mouse game going on between attackers and defenders, with methods and vectors of attack rapidly shifting. The itsoknoproblembro kit evolved throughout the year, modifying file names and methods for executing attacks to evade detection and remediation. Defenders were able to keep up with these changes, but have not been able to get out ahead far enough to stop the attacks.
This also is reflected in the botnets being used to deliver attacks. “Some of the newer botnets have resilient command and control architectures where individual bots can become command and control servers,” researchers found. “This means that for practical reasons the individual bots themselves must ultimately be identified and removed.”
Taking down individual bots can be a daunting task in countries where there is little official cooperation. Unfortunately, that is where many of the bots reside. China was the top source of attack traffic through last year, by a commanding margin. “Prolexic expects that despite continued efforts in bot takedowns, many new botnets will emerge and there will remain a significant number of active bots for the foreseeable future,” the report concludes.
So keep watching the gates and keep an eye on your applications. This year could be a rocky one, especially if you have ticked anyone off.