Nothing infuriates Internet users more than slow loading, buffering and other evidence of a sluggish network. On the forefront of making certain that the “data must flow” is Akamai Technologies, Inc., a powerful Content Delivery Network (CDN) and cloud provider. As a content provider, Akamai is on the forefront of protecting its clients (who have data to deliver) from Distributed Denial of Service (DDoS) attacks.

To get a better understanding of what the industry can expect from DDoS attacks in 2016, SiliconANGLE reached out to David Fernandez, Akamai Security Intelligence Response Team (SIRT) manager.

Vulnerable devices will continue to be the ‘artillery’ of DDoS

Fernandez says that from 2014 to 2015, the larger DDoS attacks have been built off “victim” network devices with vulnerable network services that could be used to launch or amplify attacks. And, he added, the number of vulnerable services has grown in 2015.

“In our case, we identified three new reflection methods in Q3 2015 alone,” he says. “In Q3 2015, 33 percent of all DDoS attacks mitigated were reflection-based within our routed platform alone. One year ago, that number was only 6 percent. We believe this methodology will continue into the New Year.”

A major form of cyber-artillery used by DDoS attackers is the botnet: a large group of vulnerable computers or devices under the control of an attacker that begin the distributed attack. In 2014, the rise of the Internet of Things (IoT) began to put more and more potential vulnerable devices onto the Internet that could be exploited and tuned into zombies.

Many well-known botnets are used for DDoS attacks, such as the Linux Trojan XOR botnet capable of DDoS attacks in the range of 150 Gbps and the botnet used by Lizard Squad’s DDoS-for-hire Lizard Stresser attack website.

As to if attackers are getting more sophisticated or pushing into territories of larger DDoS attacks, Fernandez believes that it’s a combination of both, but that DDoS-for-hire (mentioned above) is changing the landscape.

“Actors are spending more time examining vulnerable frameworks to leverage and capitalizing on the monetized DDoS-for-hire platform,” he says, “which has unfortunately allowed malicious actors to launch DDoS attacks inexpensively and with greater frequency.”

During an interview with Sky News, Lizard Squad member Julius Kivimäki (aka Zeekill) spoke to the Xbox Live shutdown on Christmas Day. Screenshot via Sky News | YouTube

Gaming networks will continue to be the most targeted industry vertical in 2016

Online gaming provides an extremely visible target for DDoS attackers, especially because disruption to these networks affects a large number of social media savvy (and therefore vocal) customers. In 2015, gaming networks received numerous DDoS attacks from various entities seeking to claim credit for the misery and dismay of gamers. The best example of this is still the 2014 Christmas Day siege of Xbox Live and PSN by Lizard Squad that knocked console gaming networks offline for the entire day.

“Online gaming accounted for 50 percent of DDoS attacks within our most visible mitigation platform,” explains Fernandez. “Financials are also being targeted and accounted for almost 8 percent. In 2016, this trend might continue to increase. The other industry in which we are monitoring DDoS closely is education.”

Fernandez suggests that any service offered on the Internet should set aside resources to prepare for the eventuality of DDoS. However, preparation is not as easy as just signing up with an anti-DDoS provider or CDN, as often the needs of any given company are specific to the service being provided.

An online gaming outfit would need some sort of DDoS-mitigation that allows the service to provide low-latency gaming experience from semi-centralized servers, whereas an educational provider might be better off with highly distributed cloud-based content (much harder to DDoS) across the globe.

The rise of extortionists is a continuing trend out of 2015

As part of protecting its customers from DDoS attacks, Akamai researches the activity and motivations of groups that engage in these sort of attacks. One example put in the spotlight by Fernandez is a DDoS extortion group known as DD4BC, which demanded payments in Bitcoin to cease DDoS attacks.

“Akamai SIRT had been tracking [DD4BC’s] activity since October of 2014,” says Fernandez. “Though their activity has declined since August of 2015, that strategy has created a realm for ‘copycat’ groups to implement a similar strategy. One of which is a group calling themselves ‘Armada Collective.’”

Extortion via DDoS has become much cheaper with the availability of “Booter” sites such as the Lizard Stesser, which provides brief or long bursts of DDoS attack against given IP addresses for money.

Last year is thick with examples of DDoS extortionists demanding payment, such as ProtonMail (Proton Technologies AG), a secure encrypted mail provider that who actually paid a ransom but were attacked anyway. And, right before New Year’s Day, the China-based Bitcoin exchange service BTCC was hit with DDoS attacks and extortion, which the company ignored entirely. In both of these cases, Bitcoin was demanded as ransom.

2016 will remain stormy on the DDoS front — greater security and proactive measures will be needed to keep up with trends. Photo by Natfot via Pixabay

What will 2016 bring to DDoS?

From what Fernandez told SiliconANGLE, and an entire year of watching DDoS, the trends have been showing that DDoS attackers have been expanding their networks and constantly looking for more ways to exploit vulnerable systems. This has led to DDoS becoming more and more inexpensive, and DDoS mitigation needs to follow suit or more websites will see downtime from malicious actors.

Fernandez believes that 2016 will see a continuation of DDoS attacks as the preferred cyberattack for extortion and diversion. He also believes that 2016 will continue to see the trend of new amplification and reflection to increase the power behind attacks as hackers uncover more vulnerable devices and services.

“Now is the time for vendors to test and provide fixes to possible vulnerabilities in order to mitigate these risks,” he adds as a must-have for 2016.

He also feels that the increased visibility of booter sites, such as Lizard Stresser, has provided an increased ease-of-use for launching DDoS attacks in 2015. He believes that this may lead to further frameworks and other DDoS-for-hire websites appearing in 2016.

Finally, he says that cloud providers have become camouflage and shields for DDoS attackers. It is possible to purchase a few instances from Amazon, Inc.’s EC2 cloud or from the Google Cloud Platform and others to act as the command and control for a botnet. Doing this helps proxy the malicious attacker from investigation. Of course, an attacker could also exploit pre-existing cloud instances to become command and control (similarly to how botnets are formed) as well.

Fernandez says that increased security procedures are imperative to reduce the anonymity and ease of capture of systems such as these.

Featured image credit: gholzer via photopin cc