Distributed denial of service (DDoS) perpetrators changed tactics in Q3 2013 to boost denial of service attack sizes and hide their identities. By employing a type of DDoS attack called a reflection attack, which leverages the capabilities of vulnerable servers, malicious actors launched high-bandwidth attacks with fewer resources with the intent to cause outages at their intended targets.
As reported in Prolexic’s Q3 2013 Global Attack Report, the reflection attack method grew in popularity among malicious actors by 265% year-over-year compared to Q3 2012 and by 70% in just the past quarter. Attackers are flocking to these distributed reflection denial of service (DrDoS) attacks, because this type of attack method provides them with significant benefits.
One benefit of DrDoS attacks for the malicious actor is the obscuring of the source of the attack (anonymity). By going through a victim server, the original attacker’s identity is hidden. Instead, it looks like the victim servers initiated the attack against the target.
The other benefit of DrDoS attacks for malicious actors is the ability to use the bandwidth of intermediary victim servers to make the attack more powerful. Because the amplification factor is so large – for one type of protocol attack the amplification factor is 17 – less outbound bot traffic is needed and the botnet can be much smaller.
In DrDoS attacks there are always two or more victims: the malicious actor’s intended target and the intermediary servers. The intermediary victims usually participate unknowingly. They aren’t infected with malicious code. Instead, they may have a server feature turned on that DrDoS attackers have learned to exploit opportunistically – typically a common network protocol such as DNS or CHARGEN.
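For operators who want to check whether one of their own servers is acting as an intermediary victim, the sketch below (an added example, not taken from the Prolexic report) scans flow records for local CHARGEN or DNS services whose UDP replies to a single claimed client far outweigh the requests. The flow tuple layout, the `10.` local prefix, the thresholds and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict

# UDP services named on this page as commonly abused for reflection.
REFLECTABLE_PORTS = {19: "CHARGEN", 53: "DNS"}

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    # Small requests to a local CHARGEN service, large replies to the claimed source.
    ("198.51.100.7", 40112, "10.0.0.5", 19, "udp", 60),
    ("10.0.0.5", 19, "198.51.100.7", 40112, "udp", 1020),
    ("198.51.100.7", 40113, "10.0.0.5", 19, "udp", 60),
    ("10.0.0.5", 19, "198.51.100.7", 40113, "udp", 1020),
    ("198.51.100.7", 40114, "10.0.0.5", 19, "udp", 60),
    ("10.0.0.5", 19, "198.51.100.7", 40114, "udp", 1020),
    # Ordinary DNS lookup against a local resolver: low ratio, low volume.
    ("192.0.2.10", 53001, "10.0.0.53", 53, "udp", 70),
    ("10.0.0.53", 53, "192.0.2.10", 53001, "udp", 120),
    # Non-UDP traffic is ignored.
    ("192.0.2.10", 51000, "10.0.0.5", 443, "tcp", 5000),
]

def find_reflectors(flows, local_prefix="10.", min_ratio=5.0, min_bytes_out=1000):
    """Return {(server, service, claimed_client): ratio} for local UDP services
    that send far more bytes to a claimed client than they received from it."""
    requests = defaultdict(int)   # bytes received by the local service
    replies = defaultdict(int)    # bytes sent back by the local service
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport in REFLECTABLE_PORTS and dst.startswith(local_prefix):
            requests[(dst, dport, src)] += nbytes
        elif sport in REFLECTABLE_PORTS and src.startswith(local_prefix):
            replies[(src, sport, dst)] += nbytes
    findings = {}
    for key, out_bytes in replies.items():
        if out_bytes < min_bytes_out:
            continue  # too little traffic to matter
        in_bytes = requests.get(key, 0)
        # Replies with no recorded request are treated as an unbounded ratio.
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if ratio >= min_ratio:
            server, port, client = key
            findings[(server, REFLECTABLE_PORTS[port], client)] = round(ratio, 1)
    return findings

if __name__ == "__main__":
    for (server, service, client), ratio in find_reflectors(FLOWS).items():
        print(f"{server} {service} -> {client}: reply/request byte ratio {ratio}")
```

A hit means the local service should be disabled or restricted; the "client" address in the finding is most likely the spoofed address of the real target, not the attacker.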
In Q3 there was a big jump in UDP attacks and a corresponding drop in SYN attacks. The increase in UDP attacks is part of this reflection attack trend.
Another DDoS trend identified in Q3 was related to the number of attacks. We found that the total number of DDoS attacks launched against our clients in Q3 2013 remained high and represented the highest total ever for one quarter. Usually Q3 is a relatively quiet quarter, but the DDoS attack trend showed a consistently heightened level of DDoS activity around the world over the last six months.
Since Q3 2013, we have seen a 58 percent increase in total DDoS attacks, a 101 percent increase in application layer (Layer 7) attacks, a 48 percent increase in infrastructure (Layer 3 & 4) attacks and a 12.3 percent increase in the average attack duration.
Prolexic’s Q3 2013 Global DDoS Attack Report is available as a free PDF download. It includes a detailed analysis of the DDoS trend toward DrDoS reflection attacks. The analysis examines DrDoS attack methods, tools and services – specifically CHARGEN attacks being integrated into the DDoS threatscape – and provides steps for remediating CHARGEN attacks.