The National Counterintelligence and Security Center and the National Insider Threat Task Force have deemed September to be “National Insider Threat Awareness Month”. Apparently, DDoS attackers have not gotten the message.
The month of September is not yet half over, and we have already seen DDoS attacks take down a popular gaming service and one of the world’s most visited websites. Botmasters have faced justice in the courts, and protesters in Hong Kong have seen their online forums targeted by DDoS attacks. All of this in just one week. This really demonstrates why DDoS has been such a persistent threat for so long. The targets, motivation, tools, and techniques are almost limitless.
Let’s review the week that was in DDoS attacks:
- On September 2, Bloomberg reported that, “An online service used by Hong Kong demonstrators said a large digital attack that knocked out its servers briefly over the weekend was unprecedented and originated in some cases from websites in China.” The group posted a statement detailing the DDoS attack, stating that “a flood of traffic that disables a site by overwhelming its computers. Total requests to the site hit 1.5 billion and unique visitors surged to 6.5 million per hour, the group said.”
For two decades, NETSCOUT has tracked how DDoS attacks have been used as a form of online protest. “Hacktivism” has been enabled by the development of free online tools that let anyone with a grievance or issue easily launch an attack. Beyond do-it-yourself tools, we’ve also tracked the emergence of booter/stresser services that actually sell DDoS attack services, as any SaaS provider would. They offer different levels of capabilities and support, sophistication, and size. In some cases, you can even try before you buy. This combination of do-it-yourself tools and cheap for-hire attack services has driven the explosion in DDoS attack frequency.
NETSCOUT’s 14th annual Worldwide Infrastructure Security Report (WISR) once again found that political motivations were a driving force behind DDoS attacks:
“In 2018, 60 percent of service providers witnessed attacks traversing their networks that were targeting governments, up from 37 percent last year. As political instability increases around the world, expect DDoS to continue to be used as a form of protest.”
- On September 5, a 21-year-old hacker went before a judge to confess his role in creating and operating the highly effective Satori botnet. According to a report in The Register, the attacker “turned thousands of hacked devices into a 100 Gbps+ DDoS-for-hire cannon”.
Satori is a DDoS botnet that NETSCOUT has studied extensively for years. In fact, in January 2018, our ASERT team not only looked at the history of IoT botnets, but also took a detailed look at the evolution of Satori. As the team noted,
“Each new version offers a fresh combination of targeted platforms, propagation techniques, and attack types. Contrasted with traditional software, in which features are added incrementally, Satori seems to go both forward and backward. Digging into the history will provide insight into this continually evolving threat.”
- On September 6, Wikipedia—the second most visited website in the world, with 1.22 billion monthly visitors—suffered a DDoS attack that led to the service being offline for some users for up to nine hours over the course of two days. It has been reported that, as with Satori, an IoT botnet was behind the attack.
- On September 7, the incredibly popular World of Warcraft Classic was taken offline by a DDoS attack. Gaming platforms like Xbox and PlayStation are frequent targets of DDoS attacks, and attacks by and between players are quite common as well. What makes this attack noteworthy is that the group responsible apparently gave warning and bragged about it throughout as a form of advertisement—in other words, it was a DDoS-for-hire service hawking its wares.
Again, back to the WISR:
“These days, DDoS attacks are often powered by professionally managed DDoS-for-hire services known as booters or stressers, which is reflected in the attack motivation findings. For example, the top motivation cited for attacks in 2018 was criminals showcasing their capabilities to potential customers.”
This was quite the week. The DDoS threat landscape is relentless, and there are no days off. Just how relentless can be visualized at NETSCOUT’s Cyber Threat Horizon, a new public service from our threat intelligence team. Our objective is to enhance situational awareness for key stakeholders — those who care about how DDoS attack activity impacts organizations worldwide.
NETSCOUT is committed to helping organizations see beyond their borders, to understand the threat landscape at scale. What is really happening with DDoS attacks globally? What are the latest DDoS attack trends and targets that are emerging, and how could they impact your organization?
As we’ve seen this week, DDoS attacks continue apace, are often successful, and can be entirely unpredictable. When will it be your turn, and will you be ready?
To learn more about the DDoS threat landscape, download the 14th annual Worldwide Infrastructure Security Report.
Bjarnason is a network security research system engineer at NETSCOUT.