Move over cybercrims, DDoS now protesters' weapon of choice

Ideological hacktivism has replaced cybercrime as the main motivatation behind DDoS attacks, according to a study by Arbor Networks.

Up until last year, DDoS attacks were typically financially driven – either for reasons of competition or outright extortion – but the activities of Anonymous and related groups have changed that. The plethora of readily available DDoS attack tools (such as LOIC, a sometime favourite of Anonymous) means that anyone can launch an attack and any business could potentially be targeted.

Arbor, which specialises in supplying DDoS mitigation and traffic management tools to telcos and ISPs, describes the rise of hacktivism as a "sea-change in the threat landscape".

"What we saw in 2011 was the democratisation of DDoS," said Roland Dobbins, Arbor Networks solutions architect for Asia-Pacific, and the primary author of the 2012 edition of Arbor's annual Worldwide Infrastructure Security Report. "Any enterprise operating online – which means just about any type and size of organisation – can become a target, because of who they are, what they sell, who they partner with or for any other real or perceived affiliations. Furthermore, the explosion of inexpensive and readily-accessible attack tools is enabling anyone to carry out DDoS attacks."

Network operators quizzed by Arbor as it compiled its study reported a significant increase in the prevalence of high-bandwidth DDoS attacks. Around 13 per cent reported attacks greater than 10 Gbps between October 2010 and November 2011, the period covered by the report. An even greater number (25 per cent) observed DDoS attacks that exceeded the total bandwidth into their data centre.

The single largest reported DDoS attack during the survey period hit 60 Gbps, down from 100 Gbps reported in 2010. However this drop in the absolute volume of the worst attack disguises what Arbor describes as the "increasing sophistication and complexity of application-layer and multi-vector DDoS attacks".

Around half of respondents reported application-layer attacks on their networks. More than 40 per cent of network operators quizzed by Arbor reported an inline firewall and/or IPS failing due to a DDoS attack.

For the first time, a respondent to Arbor's survey observed a native IPv6 DDoS attack on their network. Arbor describes this as a "significant milestone" while noting that although "IPv6 deployments continue to advance, IPv6 is not yet economically or culturally significant enough to warrant serious attention by the internet criminal underground".

Fifty per cent of respondents reported not seeing any attacks targeting their mobile infrastructure. Conversely, more than 30 per cent reported an average of 50 to 100 mobile DDoS attacks per month, suggesting some mobile operators lack the tools that would allow them to monitor problems on their networks.

Arbor's findings were based on a survey of 114 of its service provider customers throughout the world.

Cyber machine guns flood networks

Another DDoS trend study from Prolexic Technologies, also published on Tuesday, reports that denial-of-service attack sophistication has increased even while assault durations have decreased.

Average attack duration was down to 34 hours in Q4 2011 from 43 hours in Q4 2010 but packet-per-second volume increased 18-fold. Prolexic mitigated 45 per cent more attacks in Q4 2011 compared to Q4 2010.

"Based on fourth quarter statistics, Prolexic predicts that 2012 will feature DDoS attacks that will be shorter in duration, but much more devastating in terms of packet-per-second volume," said Paul Sop, chief technology officer at Prolexic. "Think of it this way. In the past, attackers had a rifle. In 2012, they have a machine gun with a laser sight."

During Q411, approximately 22 per cent of attacks faced down by the firm were ICMP floods, 20 per cent were UDP Floods, 20 per cent were SYN Floods and 16 per cent were GET Floods. Prolexic clients in the e-Commerce sector "received a disproportionately high percentage of Layer 7 (application layer) attacks and much longer average attack durations," the firm adds.

Prolexic's report can be downloaded here (PDF, registration required).

A separate study from Akamai out last week reported an increase in attack traffic from Asia during the third quarter of 2011. Taiwan and China held the second and third place spots, respectively, accounting for just under 20 per cent of observed attack traffic combined. Asia Pacific as a whole generated nearly half (49 per cent) of online attacks observed across the Akamai platform during Q3 2011.

Attack traffic originating in Europe was down slightly to 28 per cent; with the Americas accounting for nearly 19 per cent over the same time-frame, Akamai reports. ®