Distributed denial-of-service (DDoS) attacks continued in high numbers and with high average and peak bandwidths throughout the second quarter of 2014, according to a new report by Prolexic, an Akamai company. The ‘Prolexic Quarterly Global DDoS Attack Report Q2 2014’ noted that the number of DDoS attacks increased 22 percent over the figure for Q2 a year earlier.
“Behind these powerful attacks are changing tactics to build, deploy and conceal powerful botnets. Server-side botnets are preying on web vulnerabilities and reflection and amplification tactics are allowing attackers to do more with less,” Stuart Scholly, senior vice president and general manager of Security at Akamai Technologies said.
The average duration of the attacks, however, declined from a year earlier, falling 54 percent from 38 hours to just 17 hours. In Q2 2014 the average attack bandwidth was up 72 percent from the same quarter of 2013, and the average peak bandwidth rose by a staggering 241 percent.
When building server-side botnets, attackers have been targeting Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) vendors with server instances running software with known vulnerabilities, such as versions of the Linux, Apache, MySQL, PHP (LAMP) stack and Microsoft Windows server operating systems.
They have also targeted vulnerable versions of common web Content Management Systems (CMS) such as WordPress and Joomla or their plugins.
While the use of server-based botnets is on the rise, the itsoknoproblembro (Brobot) botnet, also based on server infection, lurks in the shadows and appears poised for a strategically targeted comeback, the report added. Attacks in Q2 provide indications that the botnet is still in place from its earlier use in the Operation Ababil attacks against financial institutions in 2011-2013. Once thought to have been cleaned up, the botnet appears to have been surreptitiously maintained.
Reflection and amplification attacks were more popular than in both Q2 2013 and the previous quarter, representing more than 15 percent of all infrastructure attacks. These attacks take advantage of the normal functionality of common Internet protocols and of misconfigured servers that answer spoofed requests with far larger replies. While the use of NTP reflection attacks fell significantly in Q2, likely due to community cleanup work, SNMP reflection attacks surged to fill the void.
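The report names NTP and SNMP reflection but does not show what such traffic looks like to a defender. The following Python sketch is an added example, not part of the report or of any Akamai/Prolexic tooling. It scores flow records from two viewpoints: the victim side, where large UDP replies from many distinct hosts' service ports converge on one address, and the reflector side, where one of your own hosts receives a burst of small requests to a reflector port that all claim the same (spoofed) source. The port table, the thresholds and every flow record are constructed assumptions for illustration.

```python
"""Flag likely UDP reflection/amplification traffic in flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors; the reply carries this as its source port.
# Assumed table for the example, not an exhaustive list.
REFLECTOR_PORTS = {123: "NTP", 161: "SNMP", 53: "DNS", 1900: "SSDP", 19: "chargen"}


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record, in the spirit of a NetFlow/IPFIX export."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    bytes: int
    packets: int


# Constructed sample flows (documentation address ranges only).
SAMPLE_FLOWS = (
    # NTP replies (source port 123) from four reflectors converging on one victim port.
    [Flow(f"203.0.113.{i}", 123, "198.51.100.10", 80, "udp", 46800, 100) for i in range(1, 5)]
    # SNMP replies (source port 161) from three reflectors hitting the same victim.
    + [Flow(f"203.0.113.{i}", 161, "198.51.100.10", 443, "udp", 70000, 50) for i in range(20, 23)]
    # Ordinary traffic: a normal 76-byte NTP reply, a DNS answer, a TCP download.
    + [Flow("192.0.2.5", 123, "198.51.100.20", 123, "udp", 76, 1),
       Flow("192.0.2.53", 53, "198.51.100.20", 51234, "udp", 120, 1),
       Flow("192.0.2.7", 80, "198.51.100.20", 44000, "tcp", 50000, 100)]
    # Reflector-side view: 25 small SNMP requests to our host, all "from" the victim.
    + [Flow("198.51.100.10", 40000 + i, "198.51.100.30", 161, "udp", 60, 1) for i in range(25)]
)


def detect_reflected_floods(flows, min_reflectors=3, min_bytes_per_packet=300, min_packets=50):
    """Victim-side view: group UDP replies by (destination, reflector service) and alert
    when many distinct reflectors send large packets to the same target."""
    per_target = defaultdict(lambda: {"bytes": 0, "packets": 0, "reflectors": set()})
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        agg = per_target[(f.dst_ip, REFLECTOR_PORTS[f.src_port])]
        agg["bytes"] += f.bytes
        agg["packets"] += f.packets
        agg["reflectors"].add(f.src_ip)

    alerts = []
    for (dst, service), agg in sorted(per_target.items()):
        bytes_per_packet = agg["bytes"] / agg["packets"]
        if (len(agg["reflectors"]) >= min_reflectors
                and bytes_per_packet >= min_bytes_per_packet
                and agg["packets"] >= min_packets):
            alerts.append({"target": dst, "service": service,
                           "reflectors": len(agg["reflectors"]),
                           "bytes_per_packet": round(bytes_per_packet),
                           "total_bytes": agg["bytes"]})
    return alerts


def detect_abused_reflectors(flows, min_requests=20, max_bytes_per_packet=120):
    """Reflector-side view: group requests to a reflector port by (claimed source, our host)
    and alert on a burst of small requests, the signature of a spoofed-source query flood."""
    per_pair = defaultdict(lambda: {"requests": 0, "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto != "udp" or f.dst_port not in REFLECTOR_PORTS:
            continue
        agg = per_pair[(f.src_ip, f.dst_ip, REFLECTOR_PORTS[f.dst_port])]
        agg["requests"] += 1
        agg["bytes"] += f.bytes
        agg["packets"] += f.packets

    alerts = []
    for (src, dst, service), agg in sorted(per_pair.items()):
        bytes_per_packet = agg["bytes"] / agg["packets"]
        if agg["requests"] >= min_requests and bytes_per_packet <= max_bytes_per_packet:
            alerts.append({"claimed_source": src, "reflector": dst,
                           "service": service, "requests": agg["requests"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_reflected_floods(SAMPLE_FLOWS):
        print("inbound reflected flood:", alert)
    for alert in detect_abused_reflectors(SAMPLE_FLOWS):
        print("our host used as reflector:", alert)
```

The two views matter because cleanup of the kind the report credits for the drop in NTP reflection depends on operators noticing the second pattern on their own servers, while the first pattern is what a mitigation provider sees at the victim. The thresholds are deliberately simple; in production they would be tuned per service, since a legitimate NTP reply is a few dozen bytes and a normal SNMP poll is similarly small, whereas reflected replies are several hundred bytes or more.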
Attacks involving server-side botnets have only been observed in the most sophisticated and carefully orchestrated DDoS campaigns. Their high-volume infrastructure attacks have had signatures that appear to be specially crafted to avoid detection by DDoS mitigation technology. Because of the effectiveness of these attacks, and the widespread availability of vulnerable cloud-based software, they are likely to continue and may be monetised in the underground DDoS marketplace. They pose a significant danger to businesses, governments and other organisations.