UPDATED 14:12 EST / NOVEMBER 18 2014

Black Lotus Report: DDoS volume decreasing but attackers becoming more sophisticated

A new report from Black Lotus, a leader in availability security and provider of Distributed Denial of Service (DDoS) protection, shows that attackers are using less bandwidth to cause trouble but are getting smarter about how their attacks work.

Distributed Denial of Service attacks have become as common as bad weather for anyone running an Internet-based company. They are now so prevalent that the gaming community almost never sees a launch without one raining on the parade. A single DDoS attack can cripple a service for hours or days at the whim of an attacker, and the attacks are most often directed at consumer-facing interests that suffer particularly from customer connectivity issues.

These attacks have been used for general mischief by groups such as The Lizard Squad, DerpTrolling, and LulzSec. They have also been used as a form of extortion, with attackers threatening to cost a customer-based Internet service a great deal of money unless it pays up to make the attack stop.

According to the Black Lotus Q3 2014 Threat Report, hackers are getting smarter, not harder. This is better for smaller networks that lack the heavy-duty networking equipment to mitigate massive network floods.

The nature of DDoS attacks in 2014

The overall size of attacks during 2014 appears to have fallen (though the number of targets is still quite impressive, see below), and the attackers have also become more sophisticated. Black Lotus opines this is primarily due to widespread anti-DDoS education helping remove the most commonly used amplification methods.

“DDoS attacks continue to fall in size and frequency in 2014,” said Shawn Marck, co-founder and chief security officer of Black Lotus, “making them easier to handle for tier one carrier networks with excess capacity, but still tricky to manage for organizations with less bandwidth.”

The largest DDoS attack observed during the Q3 period was 15.2 Gbps on September 3, a marked decline from previous peaks. Previously, DDoS attackers used a technique known as NTP amplification, in which a packet is sent to a Network Time Protocol (NTP) service, which responds with a larger packet; that response goes to the victim because the attacker has forged the source address the NTP server replies to. This amplified attacks significantly, especially if the attacker could hit multiple vulnerable NTP services at once.
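From the receiving network's side, the reflection described above shows up as UDP replies from port 123 that no internal host requested, arriving from several servers at once. The following detection sketch is an added example, not code from Black Lotus or the report; the flow-record layout, the addresses (documentation ranges), the thresholds and the function name are assumptions.

```python
import ipaddress
from collections import defaultdict

NTP_PORT = 123

# Constructed flow records, not real traffic:
# (timestamp, src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    (0.00, "198.51.100.10", 40000, "192.0.2.1", 123, "udp", 76),    # our host asks for the time
    (0.05, "192.0.2.1", 123, "198.51.100.10", 40000, "udp", 76),    # solicited reply
    (1.00, "203.0.113.11", 123, "198.51.100.20", 80, "udp", 468),   # replies nobody asked for
    (1.00, "203.0.113.12", 123, "198.51.100.20", 80, "udp", 468),
    (1.10, "203.0.113.13", 123, "198.51.100.20", 80, "udp", 468),
    (1.20, "203.0.113.11", 123, "198.51.100.20", 80, "udp", 468),
    (2.00, "192.0.2.1", 123, "198.51.100.10", 40001, "udp", 76),    # single stray reply
    (2.50, "203.0.113.50", 51000, "198.51.100.20", 80, "tcp", 60),  # not UDP, ignored
]

def find_ntp_reflection(flows, protected_net, window=5.0, min_reflectors=3):
    """Return {victim_ip: (unsolicited_bytes, reflector_count)} for suspected floods."""
    net = ipaddress.ip_network(protected_net)
    pending = {}                               # (client, client_port, server) -> request time
    stats = defaultdict(lambda: [0, set()])    # victim -> [bytes, set of reflector IPs]
    for ts, src, sport, dst, dport, proto, size in sorted(flows):
        if proto != "udp":
            continue
        if ipaddress.ip_address(src) in net and dport == NTP_PORT:
            pending[(src, sport, dst)] = ts    # an internal host queried this server
        elif sport == NTP_PORT and ipaddress.ip_address(dst) in net:
            asked = pending.get((dst, dport, src))
            if asked is not None and ts - asked <= window:
                continue                       # reply matches a recent request
            stats[dst][0] += size              # reply to a request we never sent
            stats[dst][1].add(src)
    # A lone stray reply is noise; many distinct servers replying to one host is the pattern.
    return {v: (b, len(r)) for v, (b, r) in stats.items() if len(r) >= min_reflectors}

if __name__ == "__main__":
    for victim, (nbytes, count) in find_ntp_reflection(FLOWS, "198.51.100.0/24").items():
        print(f"{victim}: {nbytes} unsolicited NTP bytes from {count} sources")
```
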

Black Lotus mitigated 940,789 DDoS attacks in 2014 and 201,721 of them occurred in Q3, the period of the report. The biggest attack occurred on August 23.

China tops the list of countries where attacks originate, with the United States a close second, followed by Russia, Germany, and Vietnam.

Black Lotus warns that while NTP reflection attacks (and therefore massive bandwidth attacks) have declined, attackers have switched gears to more sophisticated methods. The result is that recent attacks are less dangerous to Internet infrastructure providers, due to their weaker volume, but instead target the capacity of end targets by overwhelming their connections or application-layer resources.

The above is exactly what would take down an online game, such as those listed below, or any other customer-facing service. Since these services must remain open for users to get into their game, see their notes, read their e-mail, and so on, it’s difficult to separate massive amounts of fake traffic from legitimate customer traffic.

The report notes that while NTP attacks have lessened, SYN floods and application-layer attacks are on the rise. These two techniques are also now often launched in tandem.

Who got hit in 2014?

Most recently, and highly publicized in the gaming community, Blizzard Entertainment’s launch of the Warlords of Draenor expansion to World of Warcraft saw a DDoS attack storm the Dark Portal and make it difficult for customers to join the game. This attack is particularly interesting because the service that runs Blizzard’s massive game is no stranger to DDoS attacks and any Internet storm that can cause it to falter must be equally impressive.

Gaming outfits are a common target of DDoS attacks because they’re highly visible and easily disrupted. Large launches are especially vulnerable targets because the DDoS attack is often launched at a time when the service is already seeing a great deal of legitimate traffic.

In September, Destiny, a science fiction shooter from Bungie, Inc., and Call of Duty: Ghosts, the most recent installment of a very popular series, both suffered massive DDoS attacks that knocked the games offline over a weekend. The attacks were credited to a hacker group known from Twitter as The Lizard Squad, which managed to knock servers for both games offline on both PlayStation Network (PSN) and Xbox LIVE.

The Lizard Squad is just another incarnation of an Internet hacker group taking advantage of DDoS to garner attention, which includes such infamous groups as LulzSec, who DDoSed numerous gaming servers as well as the CIA, NHS, and Sony in 2011.

In August, the PlayStation Network itself was taken offline by a powerful DDoS attack for a few hours. The popular science fiction game EVE Online also staggered under an attack that took it offline for more than 12 hours.

The Bitcoin community has been no stranger to DDoS attacks in 2014 either, with the Silk Road 2.0 site being struck in September. The online forum Bitcointalk.org, a common watering hole, went offline in November due to a DDoS attack. Bitcoin exchange BTC-e reported a DDoS attack against its trading server in April.

Even seemingly inoffensive services get hit with DDoS attacks, as popular note-keeping service Evernote was in June (this was part of an extortion attempt). Ancestry.com came under fire the same month.

