DDoS Attacks in Q3 2019
November 12, 2019

This past quarter we observed a new DDoS attack that confirmed our earlier hypothesis regarding attacks through the Memcached protocol. As we surmised, the attackers attempted to use another, rather exotic protocol to amplify DDoS attacks. Experts at Akamai Technologies recently registered an attack on one of their clients that was carried out by spoofing the return IP address through the WS-Discovery multicast protocol. According to other security researchers, cybercriminals started using this method only recently, but have already achieved an attack capacity of up to 350 Gbps. The WSD protocol has limited scope and is not generally intended for connecting machines to the Internet; rather, devices use it to automatically discover each other on LANs. However, it is fairly common for WSD to be used not entirely for its intended purpose in a variety of equipment — from IP cameras to network printers (about 630,000 such devices are currently hooked up to the Internet). Given the recent rise in the number of WSD-based attacks, owners of such devices are advised to block UDP port 3702, which is used by this protocol, on the server side, and to take a number of additional steps to protect their routers.
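As an added example (not code from the original Securelist post), the script below reads constructed flow records and flags LAN devices that answer WS-Discovery probes toward addresses outside the LAN, which is the reflector behaviour that blocking UDP port 3702 is meant to prevent. The flow-record format, the LAN prefix and the sample records are all assumptions made for this example.

```python
import ipaddress
from collections import defaultdict

WSD_PORT = 3702
# Assumed LAN range for this example; adjust to your own address plan.
LAN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed flow records, not real telemetry:
# "<src_ip> <src_port> <dst_ip> <dst_port> <bytes>"
SAMPLE_FLOWS = [
    "192.0.2.10 3702 198.51.100.5 443 3100",    # WSD reply leaving the LAN
    "192.0.2.10 3702 198.51.100.5 443 3100",
    "192.0.2.10 3702 198.51.100.5 443 2900",
    "192.0.2.10 3702 192.0.2.20 49152 480",     # normal discovery inside the LAN
    "192.0.2.11 49153 203.0.113.9 53 70",       # ordinary DNS query
]


def parse_flow(line):
    """Split one space-separated flow record into typed fields."""
    src, sport, dst, dport, nbytes = line.split()
    return {"src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "bytes": int(nbytes)}


def is_external(ip):
    """True when the address lies outside every configured LAN prefix."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LAN_PREFIXES)


def find_wsd_reflectors(lines):
    """Return per-device counters for UDP/3702-sourced traffic sent to
    addresses outside the LAN; such a device is answering spoofed probes."""
    hits = defaultdict(lambda: {"packets": 0, "bytes": 0, "targets": set()})
    for line in lines:
        flow = parse_flow(line)
        if flow["sport"] != WSD_PORT or not is_external(flow["dst"]):
            continue  # discovery traffic inside the LAN is expected; skip it
        entry = hits[flow["src"]]
        entry["packets"] += 1
        entry["bytes"] += flow["bytes"]
        entry["targets"].add(flow["dst"])
    return dict(hits)


if __name__ == "__main__":
    for device, stats in find_wsd_reflectors(SAMPLE_FLOWS).items():
        print(f"{device}: {stats['packets']} WSD replies, "
              f"{stats['bytes']} bytes sent to {sorted(stats['targets'])}")
```

Any device reported here should have UDP/3702 filtered at the Internet-facing boundary; the byte count per reply, compared with the small probe that triggered it, gives a rough sense of the amplification the device offers.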

Another new tool in the hands of DDoSers was detected by our colleagues at Trend Micro in the shape of a new payload distributed through a backdoor in the data search and analytics tool Elasticsearch. The malware is dangerous because it employs a multi-stage approach to infection, successfully avoids detection, and can be used to create botnets for launching large-scale DDoS attacks. Trend Micro recommends all Elasticsearch users to upgrade to the latest version, since the backdoor has already been patched.

That said, cybercriminals are far more likely to turn to proven techniques than to try out new ones. For instance, when last year the FBI took down a number of inexpensive DDoS-for-hire sites, new ones immediately sprang up in their place, and today the threat is more acute than ever. According to some reports, the number of attacks carried out with their assistance increased by 400% against the previous quarter.

It is highly likely that the attack on World of Warcraft Classic, launched in early September in several waves, was organized through such a service. Before each episode, a certain Twitter user warned of the impending attack. Blizzard later announced the arrest of the mastermind, although whether it was the owner of the corresponding Twitter account remains unclear. But if so, it is hard to escape the conclusion that, far from being a member of a spin-off hacker group, it was a client of a DDoS-for-hire service.

Using another tried-and-tested method (a botnet similar to Mirai — or one of its clones), a 13-day application-level attack was unleashed in July against a streaming service with a capacity of up to 292,000 requests per second. The attack involved about 400,000 devices, mainly home routers.

But whereas the motives behind these two attacks can only be guessed at, two other attacks that took place this summer and fall were almost certainly politically driven. Thus, August 31 saw the targeting of LIHKG Forum, one of the main websites used by protesters in Hong Kong to coordinate their actions. According to the site owners, it was hit by 1.5 billion requests in 16 hours, taking it temporarily offline and causing the mobile app to malfunction.

Soon after that, an attack was conducted on Wikipedia. It began on the evening of September 6 and made the world’s largest online encyclopedia temporarily unavailable to users in various countries of Europe, Africa, and the Middle East. Wikipedia gets hit quite often, but this attack was exceptional in terms of capacity (exact figures are not available, but unofficial sources say more than 1 Tbps) and duration (three days).

The attack organizers remain at large, but several other investigations over the past quarter did reach their logical conclusion. For instance, in early July a US federal court sentenced a certain Austin Thompson of Utah to 27 months in prison and a fine of $95,000 for an attack on Daybreak Game Company (formerly Sony Online Entertainment). And on September 6 another cybercriminal, Kenneth Currin Schuchman of Washington State, admitted his involvement in setting up the Satori IoT botnet.

On the topic of law enforcement efforts, mention must be made of one other piece of news that highlights the importance of prevention in the fight against DDoS attacks. For several quarters now, the section on global botnet activity in our report has featured countries that just a couple of years ago were unlikely contenders to make the ratings. Moreover, the shares of other countries previously beloved of cybercriminals have been falling. This trend was also noted by TechNode, backed up by data from Nexusguard and the World Bank. Our colleagues pinpoint two factors to explain the situation. First, countries once collectively referred to as the Third World have seen rising living standards. More and more residents there are acquiring smartphones and broadband routers — that is, devices that most botnets are made from. Second, in regions where cybercriminals have been plying their trade for a long time, cybersecurity awareness is on the up, and more effective measures are being taken to protect devices, including at the provider level, which means that attackers are having to search for pastures new. This is what is changing the face of our lists of regions by number of cyberattacks.

This post DDoS Attacks in Q3 2019 originally appeared on Securelist.