Distributed Denial of Service (DDoS) attacks aimed at disruption remain a massive problem for businesses big and small, despite the shutdown of the Webstresser DDoS-for-hire service. Attackers are also increasingly striking outside of normal business hours, researchers have found.
A new report shows average attack volume rose 50%, to 3.3 Gbps, during May, June and July 2018, up from 2.2 Gbps in Q1. The increase came despite a 36% decrease in the overall number of attacks, likely a result of the DDoS-as-a-service website Webstresser being shuttered in an international police operation.
46% of incidents used two or more vectors in Q2, with a total of 9,325 attacks recorded during the quarter. That’s 102 per day, on average. A 50% increase in hyper-scale attacks (80 Gbps+) was also recorded, while the most complex attacks used 13 vectors in total, researchers found.
Broadly speaking, DDoS attacks can be divided into three main categories, which point to the attack vectors employed by bad actors:
- Volume Based Attacks – bad actors saturate the bandwidth of the attacked site (measured in bits per second / bps).
- Protocol Attacks – attackers consume actual server resources (measured in packets per second / pps).
- Application Layer Attacks – hackers seek to crash the web server (measured in requests per second / rps).
High-volume attacks were assisted by Memcached reflection, SSDP reflection and CLDAP. The highest attack bandwidth was recorded at 156 Gbps (gigabits per second), while the total duration of attacks during the quarter was 1,221 hours.
Attackers used two vectors 17% of the time, and three vectors 16% of the time. The most frequently observed attacks were UDP floods (59.7%), TCP SYN floods (3.3%) and ICMP floods (0.9%).
773 attacks used the Memcached reflection amplification technique, while the SSDP reflection technique generated the greatest proportion of DDoS packets.
New data from a similar study, by Nexusguard, recently showed that the number of unguarded Memcached servers is dropping, yet many remain vulnerable to attacks.
The same research uncovered that DNS amplification attacks have increased 700% worldwide since 2016 and, in the first quarter of 2018, 55 DNS amplification attacks relied on vulnerable Memcached servers to amplify their DDoS efficiency by a factor of 51,000.