DDoS Attacks Getting Bigger But Shorter in Duration
Hacktivist group Izz ad-Din al-Qassam Cyber Fighters' strategy said to be driving up the raw number of attacks and depressing their duration.
Wed, July 31, 2013
CSO — Distributed Denial of Service (DDoS) attacks are getting bigger, but their duration is getting shorter, according to an analysis released this week by Arbor Networks.
During the first six months of 2013, the average size of DDoS attacks remained solidly over 2Gbps, Arbor reported -- something the company has never seen before.
Although the average may have been skewed during the period by the massive attack on Spamhaus in March, which reached 300Gbps at its zenith, large attacks in general have been going up too, Arbor found. From January to June this year, it said attacks exceeding 20Gbps more than doubled over 2012.
Several security experts agreed with Arbor's analysis. Michael Smith, CSIRT director for Akamai Technologies, cited two factors affecting DDoS numbers during the period. "It's just easier to do these days," he said in an interview. "You can rent a botnet for $20."
He added that a hacktivist group known as the Izz ad-Din al-Qassam Cyber Fighters (QCF) has adopted a strategy that is also driving up the raw number of attacks and depressing their duration. "They attack multiple targets during the course of a day," Smith explained.
Not only do they attack multiple sites, but they don't prolong an attack if they don't see immediate results. "They'll move from target to target after 10 or 20 minutes until they find one they can cause an immediate impact on," Smith noted.
Attacks are becoming bigger because hackers have more resources to mount attacks than ever before, said Marc Gaffan, founder of Incapsula. "There's more ammunition for hackers in the wild which is why attacks have grown in size," he said.
New techniques have also contributed to the size of the attacks. For example, in the Spamhaus attack, hackers abused open DNS resolvers to amplify the volume of traffic directed at the website.
They do that by sending a request to a server running an open DNS resolver. In the request, they spoof the source address so that it appears to come from their target; when the server answers the request, it sends its answer to the target.
"When the resolver sends back the answer, which is larger than the question, it's amplifying the attacker's request," Gaffan said.
"Sometimes the answer can be as much as 50 times larger than the request," he continued. "So an attack can be 50 times the original firepower used for the request."
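One way a defender can spot the reflection pattern described above at the network edge, as an added example that is not from the article or from any of the vendors quoted: pair inbound DNS answers with the queries the site actually sent, and flag resolvers whose answers were unsolicited (nobody here asked) or far larger than the query. The log format, addresses and sizes are constructed for illustration; the 64-byte query answered with 3200 bytes reproduces the 50x ratio Gaffan cites.

```python
import re
from collections import defaultdict

# Constructed edge-log lines (not real traffic): <time> <in|out> <src>:<sport> -> <dst>:<dport> len=<bytes> id=<txid>
SAMPLE_LOG = """\
2013-07-31T10:00:01 out 203.0.113.10:53412 -> 198.51.100.5:53 len=64 id=0x1a2b
2013-07-31T10:00:01 in 198.51.100.5:53 -> 203.0.113.10:53412 len=3200 id=0x1a2b
2013-07-31T10:00:02 in 198.51.100.7:53 -> 203.0.113.10:41000 len=3100 id=0x9001
2013-07-31T10:00:02 in 198.51.100.7:53 -> 203.0.113.10:41001 len=3100 id=0x9002
2013-07-31T10:00:03 in 198.51.100.8:53 -> 203.0.113.10:41002 len=2900 id=0x9003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>in|out) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+) id=(?P<id>0x[0-9a-f]+)$"
)

def parse_log(text):
    """Parse matching lines into dicts with numeric ports and sizes; skip the rest."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({k: int(v) if k in ("sport", "dport", "len") else v for k, v in m.groupdict().items()})
    return records

def analyze(records):
    """Pair inbound DNS answers (source port 53) with outbound queries the site really sent; an answer
    with no matching (resolver, client port, txid) query means someone else sent it with our address spoofed."""
    sent = {}  # (resolver, our client port, txid) -> query size in bytes
    stats = defaultdict(lambda: {"solicited": 0, "unsolicited": 0, "in_bytes": 0, "max_amp": 0.0})
    for r in records:
        if r["dir"] == "out" and r["dport"] == 53:
            sent[(r["dst"], r["sport"], r["id"])] = r["len"]
        elif r["dir"] == "in" and r["sport"] == 53:
            s = stats[r["src"]]
            s["in_bytes"] += r["len"]
            qsize = sent.get((r["src"], r["dport"], r["id"]))
            if qsize is not None:
                s["solicited"] += 1
                s["max_amp"] = max(s["max_amp"], r["len"] / max(qsize, 1))  # answer/query size ratio
            else:
                s["unsolicited"] += 1
    return dict(stats)

def flag_reflectors(stats, min_unsolicited=2, min_amp=10.0):
    """Resolvers worth rate-limiting: repeated unsolicited answers, or answers that dwarf the query."""
    return sorted(src for src, s in stats.items()
                  if s["unsolicited"] >= min_unsolicited or s["max_amp"] >= min_amp)
```

With the sample data, `flag_reflectors(analyze(parse_log(SAMPLE_LOG)))` returns the resolver that answered at 50x and the one that sent two unsolicited answers, while the single stray answer stays below the threshold.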
In addition to improving their techniques, hackers have also increased their efficiency by shortening their attacks. They will hit a site long enough to bring it down, disappear into the ether, then return to take it down again just as it is recovering from the initial attack.
"When a website goes down, it takes time to bring it back up," Gaffan said. "There's no point continuing to fire at that target when it's down. You want to conserve your ammunition and fly under the radar, because the more you fire the greater the chances of someone identifying you as the source of the fire."
The technique also allows the attackers to get better mileage from their resources. "They could hit multiple targets with a single piece of infrastructure as opposed to hitting one target for an hour," Gaffan said.
Part of the reason attackers are sharpening their skills of deception is that defenders are getting better at blunting DDoS attacks. "The Internet as a whole is getting better at responding to these attacks," said Craig Williams, technical leader for threat research at Cisco.
"We've seen DNS amplification shoot through the roof, but I suspect that's going to start dropping with the addition of RPZs that can mitigate queries and people getting better at closing down open resolvers," Williams told CSOonline.