Kaspersky Lab has published its report looking at botnet-assisted DDoS attacks for the first quarter of 2018. The company’s experts note an increase in activity by both old and new botnets, growth in the popularity of amplification DDoS attacks and the return of long-lasting (multi-day) DDoS attacks.
In the first quarter of 2018, DDoS botnets attacked online resources in 81 countries. The countries experiencing the largest number of attacks were once again China, the US and South Korea, which all continue to lead in terms of the number of servers available to attackers and, hence, the number of sites and services hosted on them. Hong Kong and Japan, meanwhile, replaced the Netherlands and Vietnam among the top 10 most targeted countries.
The changes to the 10 countries hosting the most C&C servers were more pronounced, with Italy, Hong Kong, Germany and the United Kingdom replacing Canada, Turkey, Lithuania and Denmark. This is likely down to the number of active C&C servers of the Darkai (a clone of Mirai) and AESDDoS bots increasing dramatically, and the old Xor and Yoyo botnets resuming their activities. Although most of these botnets use Linux, the proportion of Linux-based botnets fell slightly in the first quarter compared to the end of last year, accounting for 66% vs 71% in 2017.
In addition, after a short respite, it appears long-lasting attacks are back: the longest DDoS attack of the quarter lasted 297 hours (more than 12 days). The last time we saw a longer attack was at the end of 2015.
The end of the reporting period was marked by the Memcached floods that were unprecedented in terms of their power – in some cases exceeding 1TB. However, Kaspersky Lab experts expect their popularity to be short-lived because Memcached flood attacks not only affect their targets, but also the companies unwittingly involved in carrying out the attacks.
For example, in February Kaspersky DDoS Protection technical support was contacted by a company complaining that their communication channels were overloaded, leading them to suspect they were being subjected to a DDoS attack. It turned out that one of the company’s servers with the vulnerable Memcached service was being used by criminals to attack another service and generated such huge volumes of outgoing traffic that the company’s own web resources crashed. That’s why these attacks are doomed to be short-lived; the unwitting accomplices in Memcached attacks soon notice the higher load and quickly patch the vulnerabilities to avoid losses, thereby reducing the number of servers available to attackers.
Overall, the popularity of amplification attacks, which was previously on the decline, gained momentum in the first quarter. For example, we registered a rare type of attack, despite its effectiveness, in which the LDAP service was used as an amplifier. Along with Memcached, NTP and DNS, this service has one of the biggest amplification rates. However, unlike Memcached, LDAP junk traffic is barely capable of clogging the outgoing channel completely, making it more difficult for the owner of a vulnerable server to identify and remedy the situation. Despite the relatively small number of available LDAP servers, it is possible that this type of attack will become a hit on the Darknet in the coming months.
“Exploiting vulnerabilities is a favorite tool for cybercriminals whose business is the creation of DDoS botnets. However, as the first few months of the year have shown, it’s not only the victims of DDoS attacks that are affected, but also those companies with infrastructure that includes vulnerable objects. The events of the first quarter reaffirm a simple truth: the platform that any company uses to implement multilayered online security must include regular patching of vulnerabilities and permanent protection against DDoS attacks,” comments Alexey Kiselev, Project Manager on the Kaspersky DDoS Protection team.