Distributed denial-of-service (DDoS) campaigns just keep getting Iarger and more prolific as web compute power grows. In the past year, there has been a 22% increase in total DDoS attacks, and a whopping 72% increase in average attack bandwidth. And, there’s been an even more whopping 241% increase in average peak bandwidth.
Akamai’s Prolexic Q2 2014 Global DDoS Attack Report found that reflection and amplification attacks were more popular in the second quarter of 2014 as compared to the same period in 2013, representing more than 15% of all infrastructure attacks. These attacks take advantage of the functionality of common internet protocols and misconfigured servers. While the use of NTP reflection attacks was down significantly in the second quarter of 2014, likely due to community cleanup work, SNMP reflector attacks surged during the quarter, filling the void.
“DDoS attacks have continued in high numbers and with high average and peak bandwidths. They can take out an entire data center by overwhelming network bandwidth,” said Stuart Scholly, senior vice president and general manager of security at Akamai Technologies, in a statement. “Behind these powerful attacks are changing tactics to build, deploy and conceal powerful botnets. Server-side botnets are preying on web vulnerabilities and reflection and amplification tactics are allowing attackers to do more with less.”
In terms of other emerging trends, attacks involving server-side botnets are on the rise. Generally, they have only been observed by Akamai in the most sophisticated and carefully orchestrated DDoS campaigns, and their high-volume infrastructure attacks have had signatures that appear to be specially crafted to avoid detection by DDoS mitigation technology.
When building server-side botnets, attackers have been targeting platform-as-a-service (PaaS) and software-as-a-service (SaaS) vendors with server instances running software with known vulnerabilities, such as versions of the Linux, Apache, MySQL, PHP (LAMP) stack and Microsoft Windows server operating systems. They have also targeted vulnerable versions of common web content management systems (CMS), such as WordPress and Joomla or their plugins. Because of the effectiveness of these attacks, and the widespread availability of vulnerable cloud-based software, Akamai said that they are likely to continue and may be monetized in the underground DDoS marketplace.
“They potentially pose a significant danger to businesses, governments and other organizations,” Akamai said.
Meanwhile, the itsoknoproblembro (Brobot) botnet, also based on server infection, has remained a threat. Attacks in the second quarter of 2014 provided indications that the botnet is still in place from its earlier use in the Operation Ababil attacks against financial institutions in 2011–2013, the firm said. Once thought to have been cleaned up, it appears the botnet has been surreptitiously maintained.