Fueled by super botnets, DDoS attacks grow meaner and ever-more powerful

Average amount of bandwidth used in DDoS attacks spiked eight-fold last quarter.

Coordinated attacks used to knock websites offline grew meaner and more powerful in the past three months, with an eight-fold increase in the average amount of junk traffic used to take sites down, according to a company that helps customers weather the so-called distributed denial-of-service campaigns.

The average amount of bandwidth used in DDoS attacks mushroomed to an astounding 48.25 gigabits per second in the first quarter, with peaks as high as 130 Gbps, according to Hollywood, Florida-based Prolexic. During the same period last year, bandwidth in the average attack was 6.1 Gbps and in the fourth quarter of last year it was 5.9 Gbps. The average duration of attacks also grew to 34.5 hours, compared with 28.5 hours last year and 32.2 hours during the fourth quarter of 2012. Earlier this month, Prolexic engineers saw an attack that exceeded 160 Gbps, and officials said they wouldn't be surprised if peaks break the 200 Gbps threshold by the end of June.

The spikes are brought on by new attack techniques that Ars first chronicled in October. Rather than using compromised PCs in homes and small offices to flood websites with torrents of traffic, attackers are relying on Web servers, which often have orders of magnitude more bandwidth at their disposal. As Ars reported last week, an ongoing attack on servers running the WordPress blogging application is actively seeking new recruits that can also be harnessed to form never-before-seen botnets to bring still more firepower.

Also fueling the large-scale assaults are well-financed attackers who are increasingly able to coordinate with fellow crime organizations, Prolexic officials wrote in a quarterly global DDoS report published Wednesday.

"These types of attack campaigns appear to be here to stay as a staple on the global threatscape," they wrote. "Orchestration of such large attack campaigns can only be achieved by having access to significant resources. These resources include manpower, technical skills and an organized chain of command."

The most prominent targets of DDoS attacks over the past six months have been the nation's largest banks, which at times have become completely unreachable following above-average floods of traffic. Most of the assaults were preceded by online posts that showed the writer had foreknowledge of what was about to happen. The posts were penned by self-proclaimed members of Izz ad-Din al-Qassam Brigades, the military wing of the Hamas organization in the Palestinian Territories, and said the attacks were in retaliation for videos posted to YouTube that were insulting to Muslims. The Prolexic report cast doubt on some of that narrative.

Prolexic "believes these attacks go beyond common script kiddies as indicated by the harvesting of hosts, coordination, schedules and specifics of the selected attack targets," the report stated. "These indicators point to motives beyond ideological causes, and the military precision of the attacks hints at the use of global veteran criminals that consist of for-hire digital mercenary groups."

Not the only one

Prolexic is by no means the only DDoS mitigation service that's seeing more powerful attacks. For 45 minutes on Tuesday, San Francisco-based CloudFlare's network was bombarded by data sent by more than 80,000 servers across the Internet that all appeared to be running WordPress. Over the past half-year, CloudFlare has seen a dramatic uptick in attacks that target website applications, such as those that provide encrypted HTTPS sessions. In many cases, those types of attacks are much harder to block.

"Sometimes the nastiest attacks aren't the biggest ones," CloudFlare CEO Matt Prince told Ars. "The nasty attacks that we're seeing right now are the ones that go after the underlying application by doing something like sending a ton of traffic to a log-in page."

Attackers in such cases will unleash scripts that enter a legitimate user name along with passwords that are known to be invalid. When repeated millions of times, the technique overwhelms targeted systems as servers perform database lookups, report the authentication failure, and then record it in internal logs.
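As an added defender-side illustration (not from the article, Prolexic, or CloudFlare), the following Python sketch flags the login-failure flood pattern Prince describes by counting failures per source address and per account inside a sliding window; the log format, the sample lines, the window and the threshold are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed application log lines in a hypothetical format (not WordPress's own).
# A burst of failures against "admin" from a few sources mimics the script-driven
# login-page flood; alice's single failure followed by success is normal traffic.
SAMPLE_LOG = """\
2013-04-15T10:00:00Z login_failed user=alice src=198.51.100.23
2013-04-15T10:00:01Z login_failed user=admin src=203.0.113.7
2013-04-15T10:00:01Z login_failed user=admin src=203.0.113.7
2013-04-15T10:00:02Z login_failed user=admin src=203.0.113.7
2013-04-15T10:00:02Z login_failed user=admin src=203.0.113.8
2013-04-15T10:00:03Z login_failed user=admin src=203.0.113.9
2013-04-15T10:00:03Z login_failed user=admin src=203.0.113.7
2013-04-15T10:00:05Z login_ok user=alice src=198.51.100.23
2013-04-15T10:01:30Z login_failed user=admin src=203.0.113.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>login_\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(log_text):
    """Yield (timestamp, event, user, src) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["event"], m["user"], m["src"]


def failure_floods(log_text, window=timedelta(seconds=10), threshold=3):
    """Return {('src'|'user', value): time_first_tripped} for every source
    address or account whose login failures inside the sliding window reach
    the threshold. Successful logins are ignored; only failures are counted."""
    recent = defaultdict(deque)  # key -> timestamps of failures still inside the window
    tripped = {}
    for ts, event, user, src in parse(log_text):
        if event != "login_failed":
            continue
        for key in (("src", src), ("user", user)):
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and key not in tripped:
                tripped[key] = ts
    return tripped
```

Keys that trip can be fed to a rate limiter in front of the authentication handler so that further attempts are rejected before the database lookup and log write the article describes as the expensive part.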

In addition to increasingly well-funded and organized attackers and new techniques, the growing firepower of DDoS attacks is also getting a boost from the proliferation of do-it-yourself Web applications such as WordPress and Joomla, Prince said. In that respect these applications, which are designed to help people with only moderate levels of technical expertise deploy websites, could become to this decade what early versions of Microsoft's Windows XP were to the previous decade.

"It is clear that if the story of the 2000s was how easy it was to compromise desktop PCs and turn them into spam-sending engines or botnets to do other nefarious things, the story of the 2010s is going to be how easy it is to compromise server software, which has gotten very consumerized and doesn't necessarily have the best security in place," Prince said. "If a server is 10 times as powerful as a desktop computer then you only need one-tenth to do the same level of damage."
