What has happened to Russia's DDoS attacks?

Kaspersky has published, on Securelist, its DDoS Q2/2019 report. It shows that the volume of DDoS attacks is down compared to Q1 but is running ahead of the same period in 2018 (+18%). These numbers are pretty much as expected. However, there are some interesting little titbits hidden away in the report.

Alexey Kiselev, Business Development Manager, DDoS Protection Team, Kaspersky

In his comments in the press release, Alexey Kiselev, Business Development Manager on the Kaspersky DDoS Protection team, said: “Traditionally, troublemakers who conduct DDoS attacks for fun go on holiday during the summer and give up their activity until September.

“However, the statistics for this quarter show that professional attackers, who perform complex DDoS attacks, are working hard even over the summer months. This trend is rather worrying for businesses. Many are well protected against high volumes of junk traffic, but DDoS attacks on the application layer require identifying illegitimate activity even if its volume is low. We therefore recommend that businesses ensure their DDoS protection solutions are ready to withstand these complex attacks.”

Smart attacks increase

While the number of attacks dropped overall, the drop was not consistent across all types of attacks. Kaspersky saw an increase in what it calls “Smart” attacks. It defines them as complex to organise and repel. These are not attacks launched by casual attackers. They are most likely to be associated with highly organised cyber crime gangs.

These groups are very different from hacktivists who use DDoS to disrupt their targets. Organised gangs use DDoS to overwhelm defences and distract defenders. They then launch their real attacks and are often successful.

Attacks on APIs continue to grow

Attacks against the application layer also continue to grow year on year. As organisations transform themselves towards being increasingly digital, they use API technology to connect to suppliers and customers. Some APIs are properly designed. Many more, however, are not fully tested or maintained, yet they have access to core IT systems.

What makes these attacks hard to deal with is that they look like legitimate requests. They get past existing systems because there is nothing that sets off the alerts. They focus on resource consumption across the network and key servers.

Has Russia’s DDoS activity disappeared underground?

The researchers noted that Russia had dropped out of the top ten locations for DDoS attacks, saying: “the latter’s absence in the Top 10 by number of C&C botnets is particularly striking.” But all might not be as it seems.

The Kaspersky report was written before Trend Micro released its latest piece of intelligence around DDoS. In that report, Trend Micro researcher Makoto Shimamura, Cyber Threat Research, refers to a new variant of the Mirai botnet. Shimamura said: “Compared to previous variants, however, we found this sample distinct because the cybercriminals placed the command and control (C&C) server in the Tor network for anonymity.

“This may be a developing trend among IoT malware developers, given that malicious actors’ C&C servers in the surface web can be reported and taken down — and it’s one trend that cybersecurity researchers, enterprises, and users alike may have to start defending against.”

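Taken together, the Kaspersky and Trend Micro research provides a good explanation for the demise of Russia’s position on this list: C&C servers placed in the Tor network do not reveal their location, so they would not be counted against any country.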

Enterprise Times: What does this mean

DDoS is never far from the news, even if it is being blamed for poor system practices, such as that which affected Cloudflare. Interestingly, Kaspersky cites research from NSFOCUS that shows a correlation between DDoS and cryptomining. It claims that when cryptomining is delivering lower revenues, cyber criminals turn to DDoS. The relationship between the two could also explain the amount of effort put into understanding APIs. Both take advantage of them, and it may be that the rise in API attacks is designed to provide cyber criminals with a list of potential targets for cryptomining.

That aside, the continued success of DDoS attacks is a cause for worry. Apart from cyber criminals, the only people to benefit from this rise are vendors offering DDoS mitigation services. They are seeing business booming. However, companies looking to take advantage of such services will need to think carefully about who they choose.

Overnight, Cloudflare dropped far-right forum 8chan. 8chan then signed a deal with BitMitigate, an established competitor to Cloudflare. According to Ars Technica, this resulted in the company that provides BitMitigate with its cloud infrastructure cutting off its service. That means that any other company using BitMitigate also lost protection. It is a lesson for all IT teams: when buying from a provider, always check what your provider is doing and have an alternative in case something goes wrong.

