Denial of Service Type: How DDoS is Progressing

Good old DDoS... Every year we analyze how this segment of cybercrime is changing, and judging by the results of last year and the beginning of this one, the number of such attacks has grown more than 1.5 times. Over this period, attackers significantly increased the power of their attacks and changed tactics. DDoS has also become even more accessible: judging by how sharply the number of attacks on educational resources and various "electronic diaries" has grown recently, schoolkids are increasingly discovering the world of DDoS. In this post we talk about the DDoS attacks we recorded in 2019 and at the beginning of 2020, and about how DDoS has changed recently.



Fast and powerful


Attackers have sped up. Low-power attacks that drag on for several days no longer interest them. For example, the longest attack of the reporting period lasted about a day (a year earlier, the attackers "tormented" a server for 11 days and 16 hours).

Of course, the attackers have not loosened their grip: as durations fell, the power of DDoS attacks rose. The most powerful attack of the past period reached 405 Gbit/s. That is slightly below the 2018 record for the Rostelecom network (450 Gbit/s), but the average attack power still increased. The change in tactics has an explanation: during an attack, a botnet, which is a valuable asset, can be exposed by the defenders. Once the attack is neutralized, the botnet's address data is shared with other operators as part of threat-information exchange, and the botnet is no longer usable. If the victim is hit quickly with one powerful wave of requests, the anti-DDoS service simply has no time to populate its blacklist.

DDoS Technologies: A New Arsenal


Short sprints of bursting spurious traffic require a good technical base, and attackers have upgraded theirs considerably of late. We noticed the emergence of new, powerful amplifiers that quickly came into active use in DDoS attacks.

First, there is the UDP-based Apple Remote Desktop protocol (UDP port 3283), whose amplification factor is 35.5:1 (Netscout data). Apple Remote Desktop is a remote administration application for macOS workstations. ARMS (Apple Remote Management Service) listens on a UDP port that is always open on macOS workstations when Remote Management mode is enabled, even when this conflicts with the firewall's security settings. Today, more than 16 thousand macOS computers with this UDP port open are visible on the Internet.

Attackers are also actively using WS-Discovery (Web Services Dynamic Discovery), a device discovery protocol used in IoT solutions. Its amplification factor is 500:1. Like Apple Remote Desktop, WS-Discovery runs over UDP, which lets attackers spoof the source IP address of their packets. BinaryEdge counted about 630 thousand devices on the Internet with this weakness (as of September 2019). Ripe for the picking.

Nor should we forget one of the main DDoS tools: botnets made of IoT devices. The most powerful "smart" attack we recorded came in 2019: 178 Mpps hit one of the betting companies. The attackers used a botnet of 8 thousand real devices: home routers, cameras and other IoT gear, as well as mobile phones. I would not like to stoke fears, but there is a clear sense that 5G and IPv6 will bring us new "records".

Most popular attack types


Overall, the most popular DDoS method is still the UDP flood, at about 32% of all attacks. In second and third place are the SYN flood (27.4%) and attacks with fragmented packets (14.2%). Not far behind the leaders are DNS amplification attacks (13.2%).

Attackers are also experimenting with rarely used IP protocols: 16 (CHAOS) and 111 (IPX over IP). Such attacks are the exception, though: clients do not use these protocols in real life, so the traffic is easy to detect and drop when an attack is being suppressed.
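The reflection and rare-protocol traffic described in the last few paragraphs is easy to pick out of flow data once you know which source ports and protocol numbers to look for. The following is an added example, not code from the original post: it triages constructed NetFlow-style records, flags traffic from the amplifier ports mentioned above (3283 for ARD/ARMS, 3702 for WS-Discovery) and from IP protocols 16 and 111, estimates from the published amplification factors how much traffic the attacker actually had to send, and emits nftables rules for what it found. The DNS amplification factor, the thresholds, the `inet filter` table and `input` chain names, and all addresses are assumptions.

```python
"""Flow triage for reflection/amplification and rare-protocol DDoS traffic.
Added example, not code from the original post. It runs on constructed
NetFlow-style records; the DNS factor, thresholds and nftables table/chain
names are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

PROTO_UDP = 17

# UDP services abused as reflectors. The ARD/ARMS and WS-Discovery factors are
# the ones quoted in the post; the DNS factor is an assumed illustrative value.
AMPLIFIER_PORTS = {
    3283: ("Apple Remote Desktop / ARMS", 35.5),
    3702: ("WS-Discovery", 500.0),
    53: ("DNS", 28.0),  # assumed
}
# IP protocol numbers the post says legitimate clients do not use.
RARE_IP_PROTOCOLS = {16: "CHAOS", 111: "IPX over IP"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ip_proto: int
    packets: int
    bytes: int


def triage(flows, min_packets=100):
    """Aggregate inbound flows and return a list of findings (dicts)."""
    amp = defaultdict(lambda: [0, 0, set()])   # (src_port, target) -> [pkts, bytes, reflectors]
    rare = defaultdict(lambda: [0, 0])         # (ip_proto, target) -> [pkts, bytes]
    for f in flows:
        if f.ip_proto in RARE_IP_PROTOCOLS:
            r = rare[(f.ip_proto, f.dst_ip)]
            r[0] += f.packets
            r[1] += f.bytes
        elif f.ip_proto == PROTO_UDP and f.src_port in AMPLIFIER_PORTS:
            a = amp[(f.src_port, f.dst_ip)]
            a[0] += f.packets
            a[1] += f.bytes
            a[2].add(f.src_ip)
    findings = []
    for (sport, target), (pkts, nbytes, reflectors) in amp.items():
        if pkts < min_packets:          # e.g. ordinary answers from a real resolver
            continue
        name, factor = AMPLIFIER_PORTS[sport]
        findings.append({
            "kind": "amplification", "service": name, "src_port": sport,
            "target": target, "packets": pkts, "bytes": nbytes,
            "reflectors": len(reflectors),
            # Traffic the attacker had to send to produce this volume,
            # estimated from the published amplification factor.
            "est_attacker_bytes": round(nbytes / factor),
        })
    for (proto, target), (pkts, nbytes) in rare.items():
        findings.append({
            "kind": "rare_protocol", "protocol": proto,
            "name": RARE_IP_PROTOCOLS[proto], "target": target,
            "packets": pkts, "bytes": nbytes,
        })
    return findings


def filter_rules(findings):
    """nftables rule strings for the findings (table 'inet filter', chain 'input' assumed).
    Reflected DNS is rate-limited rather than dropped, because real answers also
    arrive from source port 53; LAN-only services and unused IP protocols are dropped."""
    rules = set()
    for f in findings:
        if f["kind"] == "rare_protocol":
            rules.add(f"add rule inet filter input ip protocol {f['protocol']} counter drop")
        elif f["src_port"] == 53:
            rules.add("add rule inet filter input udp sport 53 limit rate over 1000/second counter drop")
        else:
            rules.add(f"add rule inet filter input udp sport {f['src_port']} counter drop")
    return sorted(rules)


# Constructed sample: two ARD reflectors and one WS-Discovery reflector hammer
# 203.0.113.10, a resolver sends a handful of real DNS answers to 203.0.113.20,
# and protocol 16 traffic arrives at 203.0.113.10.
SAMPLE_FLOWS = [
    Flow("198.51.100.5", 3283, "203.0.113.10", 40123, PROTO_UDP, 800, 800_000),
    Flow("198.51.100.6", 3283, "203.0.113.10", 40123, PROTO_UDP, 700, 700_000),
    Flow("198.51.100.77", 3702, "203.0.113.10", 53211, PROTO_UDP, 300, 420_000),
    Flow("192.0.2.53", 53, "203.0.113.20", 51000, PROTO_UDP, 12, 1_440),
    Flow("198.51.100.200", 0, "203.0.113.10", 0, 16, 5000, 300_000),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FLOWS):
        print(finding)
    print("\n".join(filter_rules(triage(SAMPLE_FLOWS))))
```

The `est_attacker_bytes` figure is the practical reason amplification matters: 1.5 MB of reflected ARD traffic costs the attacker only about 42 KB of spoofed requests, and with WS-Discovery the ratio is far worse. Dropping source ports 3283 and 3702 at the network edge is safe because neither service has any business being reached from the Internet, whereas DNS answers must be rate-limited, not blocked.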

Among last year's unusual attacks, the so-called "carpet bombing" deserves a mention. These attacks enumerate targets across the victim's address space, searching for the most vulnerable of them. This complicates detection and response under a per-IP protection model, where only individual IP addresses are protected rather than the entire Internet infrastructure. The largest "carpet bombing" we recorded covered almost 3 thousand targets: every address in all of one client's networks was tried.

Recently, attackers have begun to combine different types of attacks. One example of such a DDoS cocktail is SYN+ACK reflection. In this type of attack, third-party public resources are sent SYN packets with the victim's address forged as the source. The third-party servers answer the victim with SYN+ACK packets, and the victim's TCP stack suffers from processing packets that arrive outside of any session. We observed a situation in which both parties, the victim and the third-party resources used for reflection, were our customers. For the former it looked like SYN+ACK reflection, for the latter like a SYN flood.
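Both of the unusual patterns just described have a simple detection logic once the right aggregation is chosen. The following is an added example, not code from the original post: it shows why carpet bombing slips past a per-IP model (no single address crosses a threshold) but not a per-prefix model (many addresses in one block are hit at once), and how SYN+ACK reflection can be spotted from the victim's side as SYN+ACK packets that mirror no SYN the network ever sent. Packet records, the protected prefix, thresholds and the `direction` field are constructed assumptions; in practice they would come from a tap, sFlow or a firewall's state table.

```python
"""Detectors for carpet bombing (per-prefix vs per-IP view) and SYN+ACK
reflection (orphan SYN+ACKs). Added example, not code from the original post;
traffic, prefix, thresholds and the 'direction' field are constructed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10
TCP, UDP = 6, 17


@dataclass(frozen=True)
class Pkt:
    direction: str   # "in" = toward the protected network, "out" = leaving it
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    flags: int = 0   # TCP flags; 0 for UDP


def detect_carpet_bombing(pkts, prefix, per_ip_threshold=100, min_targets=50):
    """Compare a per-IP model with a per-prefix model over the same inbound packets."""
    net = ipaddress.ip_network(prefix)
    per_ip = Counter(p.dst for p in pkts
                     if p.direction == "in" and ipaddress.ip_address(p.dst) in net)
    return {
        "prefix": prefix,
        "distinct_targets": len(per_ip),
        "prefix_packets": sum(per_ip.values()),
        "max_per_ip": max(per_ip.values(), default=0),
        # Per-IP model: alerts only if a single address crosses its own threshold.
        "per_ip_alert": any(c >= per_ip_threshold for c in per_ip.values()),
        # Prefix model: alerts when many addresses in the block are hit together.
        "prefix_alert": len(per_ip) >= min_targets,
    }


def detect_synack_reflection(pkts):
    """Count inbound SYN+ACK packets that do not answer any SYN we sent out."""
    opened = {(p.src, p.sport, p.dst, p.dport)
              for p in pkts
              if p.direction == "out" and p.proto == TCP
              and (p.flags & (SYN | ACK)) == SYN}
    orphans = Counter()      # victim address -> orphan SYN+ACK count
    reflectors = set()
    for p in pkts:
        if p.direction != "in" or p.proto != TCP or (p.flags & (SYN | ACK)) != (SYN | ACK):
            continue
        # A legitimate SYN+ACK mirrors the 4-tuple of one of our outbound SYNs.
        if (p.dst, p.dport, p.src, p.sport) in opened:
            continue
        orphans[p.dst] += 1
        reflectors.add(p.src)
    return {"orphan_synacks": dict(orphans), "reflectors": len(reflectors)}


def build_sample():
    """Constructed traffic: carpet bombing of 203.0.113.0/24 (120 addresses, 3 UDP
    packets each), one legitimate handshake from 192.0.2.10, and SYN+ACK
    reflection against 192.0.2.10 from 150 public servers."""
    pkts = []
    for i in range(1, 121):
        for _ in range(3):
            pkts.append(Pkt("in", "198.51.100.250", 53, f"203.0.113.{i}", 40000 + i, UDP))
    pkts.append(Pkt("out", "192.0.2.10", 40000, "198.51.100.200", 443, TCP, SYN))
    pkts.append(Pkt("in", "198.51.100.200", 443, "192.0.2.10", 40000, TCP, SYN | ACK))
    for i in range(1, 151):
        pkts.append(Pkt("in", f"198.51.100.{i}", 80, "192.0.2.10", 1024 + i, TCP, SYN | ACK))
    return pkts


if __name__ == "__main__":
    sample = build_sample()
    print(detect_carpet_bombing(sample, "203.0.113.0/24"))
    print(detect_synack_reflection(sample))
```

On the sample, each carpet-bombed address receives only three packets, so the per-IP model stays quiet while the prefix model fires on 120 distinct targets. The reflection detector needs visibility of outbound SYNs; a stateful firewall already has this table, which is why such packets are best dropped there rather than at the server's TCP stack. The same event seen from the reflectors' side is just a SYN flood with one spoofed source, which is exactly the double view the post describes.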

New and old victims


First, two words about our methodology. Since this study is based on data on attacks against customers of the Rostelecom Anti-DDoS service, when determining the most attacked industries we build two analytical slices:

  1. simple distribution of the total number of recorded attacks by industry,
  2. average increase in the number of attacks per industry client. This indicator eliminates the possible error associated with an increase in the number of customers from a particular industry (and, consequently, an increase in the number of recorded attacks).

So, what did we see?

By industry


As mentioned above, the number of DDoS attacks is growing. Even the shutdown of several significant stressers, that is, DDoS-for-hire services (Quantum Stresser, ExoStress.in, QuezStresser.com, etc.), has not affected this trend. DDoS is still cheap and easy enough. Attacks peaked in October 2019, when online stores were preparing for Black Friday; by then DDoS had become as much of a tradition as "discounts up to 90%". Large market players, meanwhile, can count on being hit with multi-vector targeted attacks.

The gaming industry remains the DDoS leader: it accounted for 34% of all attacks (versus 64% in 2018). This does not mean hackers have lost interest in gaming: the number of attacks on the segment has not decreased, but with new victims appearing, the industry's share has been "diluted".

Nevertheless, eSports as a whole remains a tasty target. Game protocols use UDP as a transport, which not only allows sender addresses to be forged but also makes sessions hard to track. During the reporting period we observed two main types of application-level DDoS attacks on game servers. The first makes servers unavailable by sending a large number of packets that, to a third-party protection service, look legitimate. Protection against such attacks relies on profiling legitimate traffic and on measures such as regexp matching and challenge-response.

The second type exploits identified vulnerabilities in game protocols and platforms. Here proactive protection requires a different class of device: a game application firewall. Large game hosting companies and manufacturers try to protect their servers by embedding various checks in their client programs and tying them to protection systems of their own design.
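The three measures named for the first attack type (profiling legitimate traffic, regexp matching, challenge-response) fit together in one small front filter for a UDP game server. The following is an added example, not code from the original post or from any real game: the `GAME/1` wire format, the padding rule, the secret and the limits are assumptions invented for illustration. The key idea is that a challenge sent to the packet's source address can only be answered by whoever really owns that address, so spoofed floods never get past the challenge, and the server keeps no per-client state because the token is an HMAC over the address and a time window.

```python
"""Front filter for a UDP game server: regexp traffic profile, stateless
challenge-response, per-source rate limit. Added example, not code from the
original post; the GAME/1 format, padding rule, secret and limits are assumed.
"""
import hashlib
import hmac
import re
import secrets
from collections import defaultdict

SECRET = secrets.token_bytes(32)   # per-process key for challenge tokens
TOKEN_TTL = 60                     # seconds a challenge token stays valid
MAX_PPS = 50                       # accepted packets per source per second
CHALLENGE_PREFIX = b"GAME/1 CHALLENGE "
MIN_HELLO = len(CHALLENGE_PREFIX) + 32   # HELLO must be padded to at least this size

# Profile of legitimate traffic for the assumed protocol: an ASCII line
# "GAME/1 <COMMAND> [<32-hex token>] [x-padding]". Anything else is spurious.
LEGIT_RE = re.compile(rb"^GAME/1 (HELLO|JOIN|MOVE|PING)(?: ([0-9a-f]{32}))?(?: x+)?$")

_rate = defaultdict(lambda: [0, 0])  # src_ip -> [second, accepted count]


def make_token(src_ip, window):
    """Stateless token bound to the source address and a time window."""
    return hmac.new(SECRET, f"{src_ip}|{window}".encode(), hashlib.sha256).hexdigest()[:32]


def token_valid(src_ip, token, now):
    w = int(now // TOKEN_TTL)
    return any(hmac.compare_digest(make_token(src_ip, x), token) for x in (w, w - 1))


def handle_packet(src_ip, payload, now):
    """Return (action, reply); action is 'drop', 'challenge' or 'accept'."""
    m = LEGIT_RE.match(payload)
    if not m:                                   # does not fit the traffic profile
        return "drop", None
    cmd, token = m.group(1), m.group(2)
    if cmd == b"HELLO":
        # The reply goes to src_ip, so a spoofed sender never sees it. The
        # client must pad HELLO so the reply is never larger than the request,
        # which keeps this server from becoming an amplifier itself.
        if len(payload) < MIN_HELLO:
            return "drop", None
        return "challenge", CHALLENGE_PREFIX + make_token(src_ip, int(now // TOKEN_TTL)).encode()
    if token is None or not token_valid(src_ip, token.decode(), now):
        return "drop", None                     # no proof the source is real
    sec = int(now)
    bucket = _rate[src_ip]
    if bucket[0] != sec:
        bucket[0], bucket[1] = sec, 0
    bucket[1] += 1
    if bucket[1] > MAX_PPS:                     # verified source, but too chatty
        return "drop", None
    return "accept", None


if __name__ == "__main__":
    hello = b"GAME/1 HELLO " + b"x" * 40
    action, reply = handle_packet("198.51.100.7", hello, 1000.0)
    tok = reply.split()[-1]
    print(action, handle_packet("198.51.100.7", b"GAME/1 JOIN " + tok, 1001.0))
```

The regexp is the "profile" stage: anything that does not look like the game's own traffic is dropped before any work is done. The padding requirement on HELLO matters for a public UDP service, since a server that answers a 12-byte request with a 49-byte challenge would itself be a small amplifier. Once a source has proved it is real, the rate limit handles the remaining case of a genuine but abusive client.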

Telecommunications companies ranked second in popularity, and their share of all attacks grew significantly: from 10% to 31%. As a rule, these are small regional ISPs and various hosting providers and data centers that lack the resources to repel powerful attacks, so they become easy victims.

Besides telecom, attackers turned their attention to educational institutions and the public sector. Previously their shares of all DDoS attacks were 1% and 2% respectively, but over the year each segment's share grew to 5%. We attribute this to digitalization and the launch of these organizations' own Internet resources, on which their activities increasingly depend, especially during the period of self-isolation.

Other sectors showed no significant changes:



Attacks per client


The average increase in the number of attacks per client has accelerated markedly: 21% in 2018, but 58% by the results of 2019 and the beginning of 2020. The largest increase in attacks per client was shown by educational institutions, at 153%. These are electronic diaries and sites with assignments and quizzes, everything that keeps students from enjoying life. It is likely that the initiators of such attacks are often "script kiddies", the students themselves, which once again shows how simple it is to organize DDoS against such poorly protected resources as school websites.

Growth of attacks per client:


What to do


The number of DDoS attacks will keep growing; new amplifiers, new attack types and, naturally, new targets will appear. But, as Newton's third law says, for every action there is an equal and opposite reaction.

DDoS prevention methods are well known; what is needed is the will to finally address the issue. To avoid feeding IoT botnets: fix vulnerabilities on all of your devices promptly, control open ports and do not use IPv6.

To configure protection properly amid rapidly changing attack vectors: use pre-prepared countermeasures for specific known attack types and check your infrastructure regularly.

In general, current problems in the DDoS field are clearly interconnected. Applications and infrastructure, especially the business-critical segment, therefore need comprehensive protection at several stages of filtering.
