SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
DDoS attacks on the rise, becoming more sophisticated
Tue, 9th Nov 2021
FYI, this story is more than a year old

The total number of Distributed Denial of Service attacks increased by nearly 24% this quarter and the number of smart attacks increased by 31% when compared to Q3 2020, according to new figures from Kaspersky.

In August, Kaspersky noted a record number of DDoS attacks in a single day: 8,825.

The goal of a DDoS attack is to cut off users from a server or network by overwhelming it with requests, in turn preventing the website from functioning properly. This can cause huge disruptions for organisations and such attacks can last for several minutes or even a few days.

So-called smart DDoS attacks go one step further. They are more sophisticated and often targeted, and they can be used not just to disrupt services but also to make certain resources inaccessible or steal money. Both types of attacks were on the rise in Q3 2021.

According to Kaspersky, most attacks occurred on Wednesdays last quarter (19.2%) with the least active day being Monday (11.5%).

Meanwhile, some 339 hours was the maximum duration of a DDoS attack in Q3 and the average duration reduced to 2.84 hours. This may be due to the decreasing number of attacks lasting 50 hours or more and a rise in relatively short attacks. For instance, while the share of very short attacks (86.5%) dropped from the previous quarter, their number almost doubled: 63,700 versus 33,000 in Q2.

The US remains the top targeted country with 40.8% of DDoS attacks directed at US-based resources. Hong Kong was in second position (15.07%) and China in third (7.74%).

New powerful botnet

Some of the most notable large-scale DDoS attacks in Q3 involved a new powerful botnet called Mris, capable of sending out a massive number of requests per second.

Some of the large-scale DDoS attacks that swept across New Zealand in Q3 were the work of the Mris botnet, according to Yandex and Qrator Labs. Specifically, the researchers attribute the attack on a Vocus customer to the work of the new zombie network, which led to a short-term disruption of service nationwide. To stop the attack, the company updated a rule on its DDoS mitigation platform and it was this rule change that reportedly caused the outage.

This Mris botnet was also seen in attacks against two of the most well-known cybersecurity publications Krebs on Security and InfoSecurity Magazine.

Other notable DDoS trends in Q3 included a series of politically-motivated attacks in Europe and Asia, as well as attacks against game developers. In addition, attackers targeted resources to combat the pandemic across several countries, and there was a series of ransomware attacks against telecommunications providers in Canada, USA and the UK. The attackers presented themselves as members of the infamous ransomware group REvil and shut down the companies servers to pressure them into paying the ransom.

"Over the past couple of years, we have seen the cryptomining and DDoS attack groups competing for resources, since many of the same botnets used for DDoS attacks can be used for cryptomining," says Alexander Gutnikov, security expert at Kaspersky.

"While we were previously seeing a decline in DDoS attacks as cryptocurrency gained in value, were now witnessing a redistribution of resource," he says.

"DDoS resources are in demand and attacks are profitable. We expect to see the number of DDoS attacks continue to increase in Q4, especially since, historically, DDoS attacks have been particularly high at the end of the year."

To stay protected against DDoS attacks, Kaspersky experts offer businesses the following recommendations:

  • Maintain web resource operations by assigning specialists who understand how to respond to DDoS attacks.
  • Validate third-party agreements and contact information, including those made with internet service providers. This helps teams quickly access agreements in case of an attack.
  • It's important to know your traffic. Its a good option to use network and application monitoring tools to identify traffic trends and tendencies. By understanding your company's typical traffic patterns and characteristics, you can establish a baseline to more easily identify unusual activity that is symptomatic of a DDoS attack.
  • Have a restrictive Plan B defensive posture ready to go. Be in a position to rapidly restore business-critical services in the face of a DDoS attack.