sb-as logo
Story image

DDoS attacks combining new and tried-and-true techniques

02 Aug 2018

In the second quarter of 2018, DDoS botnets attacked online resources in 74 countries, according to a Kaspersky Lab report on botnet-assisted DDoS attacks.

For the first time in the history of DDoS Intelligence reports, Hong Kong found itself among the top three most attacked countries, coming second: its share increased fivefold and accounted for 17% of all botnet-assisted DDoS attacks.

China and the US remained first and third respectively, while South Korea slid down to fourth.

The most attacked resources in Hong Kong were hosting services and cloud computing platforms.

Interestingly, the second quarter saw Hong Kong replaced by Vietnam in the top 10 rating of countries hosting the most active C&C servers.

The US, meanwhile, became the leader of this rating, accounting for almost half (45%) of all active botnet C&C servers during the reporting period.

Activity by Windows-based DDoS botnets decreased almost sevenfold, while the activity of Linux-based botnets grew by 25%.

This resulted in Linux bots accounting for 95% of all DDoS attacks in the quarter, which also caused a sharp increase in the share of SYN flood attacks – up from 57% to 80%.

“There can be different motives for DDoS attacks – political or social protest, personal revenge, competition,” says Kaspersky DDoS protection team project manager Alexey Kiselev.

“However, in most cases, they are used to make money, which is why cybercriminals usually attack those companies and services where big money is made.

During the reporting period, cybercriminals delved deep into the past and started using some very old vulnerabilities in their attacks.

For example, experts reported DDoS attacks involving a vulnerability in the Universal Plug-and-Play protocol known since 2001, while the Kaspersky DDoS Protection team observed an attack organised using a vulnerability in the CHARGEN protocol that was described as far back as 1983.

Despite the considerable length of service and the protocol’s limited scope, many open CHARGEN servers can be found on the internet.

They are mostly printers and copiers.

However, the mastering of old techniques has not prevented cybercriminals from creating new botnets.

For example, in Japan 50,000 video surveillance cameras were used to carry out DDoS attacks.

One of the most popular methods of monetising DDoS attacks remains the targeting of cryptocurrencies and currency exchanges.

A typical case is that of Verge cryptocurrency which saw hackers attack some mining pools and steal 35 million XVGs in the ensuing confusion.

“DDoS attacks can be used as a smokescreen to steal money or to demand a ransom for calling off an attack,” Kiselev says.

“The sums of money gained as a result of extortion or theft can amount to tens or hundreds of thousands and even millions of dollars.”

Gaming platforms continue to be targeted as well, particularly during eSports tournaments.

Moreover, according to Kaspersky Lab, DDoS attacks affect not only game servers (which is often done to extort a ransom in return for not disrupting the competition) but also the gamers themselves who connect from their own platforms.

An organised DDoS attack on a team’s key players can easily result in that team losing and being eliminated from a tournament.

Cybercriminals use similar tactics to monetise attacks on the streamer market – channels streaming broadcasts of video games.

Competition in this segment is intense, and by using DDoS attacks cybercriminals can interfere with online broadcasts and, consequently, a streamer’s earnings.

Story image
Microsoft releases latest edition of Security Endpoints Threats report
he latest iteration of the report sheds more light on the difference in exposure and response to cyber threats between developed and developing countries in APAC.More
Story image
Banks failing customers when it comes to mobile app security
"Through these vulnerabilities, hackers can obtain usernames, account balances, transfer confirmations, card limits, and the phone number associated with a victim's card.”More
Story image
Cyber attacks use LinkedIn to target companies and employees
The attacks, which ESET researchers have called Operation In(ter)ception, took place from September to December 2019 and are notable for using LinkedIn-based spearphishing. More
Story image
Keyfactor and Primekey announce partnership to automate PKI
“PrimeKey and Keyfactor share a mutual respect and mission to provide trust and security in zero-trust networks and manufacturing environments.”More
Story image
Why DX is not complete without a transformed security architecture
Secure Access Services Edge (SASE) is the process by which core WAN edge capabilities like SD-WAN, routing, and WAN optimisation at branch locations are integrated with cloud-based security services like secure web gateways, firewall-as-a-service, cloud access security brokers, and more.More
Story image
Remote working trend bolsters cybersecurity investment - but downturn predicted
A new report from Canalys indicates investment in cybersecurity has increased 9.7% - but worsening economic conditions could turn the statistic around.More