New technologies mean new attack methods for cybercriminals, which might explain the 13-percent decline in the overall number of DDoS (distributed denial of service) attacks compared from the past year, as Kaspersky Lab DDoS Q4 Report found out.
In spite of the findings, the cybersecurity firm revealed that the duration of mixed and HTTP flood attacks is growing, which suggests that malefactors are turning to more sophisticated DDoS attack techniques.
DDoS-as-hire is considered a much cheaper attack compared to other cyberweapon methods but still, no company is safe and cybercriminals can target organizations of any size or relevance. Any attack that cripples consumer services poses a big loss not only in revenue but also in trust for any company.
The cybersecurity firm said that while there is a significant decline in DDoS attacks, it does not follow that the attack is less fatal. According to Kaspersky Lab researchers, “as more and more organizations adopt solutions to protect themselves from simple types of DDoS attacks, 2019 will likely see attackers improve their expertise to overcome standard DDoS protection measures and bring overall complexity of this type of threat to the next level.”
Attack duration
The overall numbers may have dropped but the researchers found out that the average attack duration “is growing” with the average length of attacks “more than doubled” — from 95 minutes in the first quarter to 218 minutes in the fourth quarter.
“It is notable that User Datagram Protocol (UDP) or ping flood attacks (when the attacker sends a large number of UDP packets to the target’s server ports in order to overwhelm it and make it unresponsive for clients), which accounts for almost half (49 percent) of the DDoS attacks in 2018, were very short and rarely lasted more than five minutes,” according to Kaspersky’s media release.
Kaspersky Lab experts assume that the decline in the duration of UDP flood attacks illustrates that the market for easier to organize attacks is shrinking. Protection from DDoS attacks of this type is becoming widely implemented, making them ineffective in most cases. The researchers propose that attackers launched numerous UDP flood attacks to test whether a targeted resource is not protected. If it immediately becomes clear that attempts are not successful, malefactors stop the attack.
At the same time, more complex attacks (such as HTTP misuse) which require time and money, will remain long. As the report revealed, HTTP flood method and mixed attacks with HTTP component, which shares were relatively small (17% and 14%), constitute about 80% of DDoS attack time of the whole year.
“When most simple DDoS attacks do not achieve their aim, those people earning money by launching such attacks have two options. They can reconfigure the capacities required for DDoS attacks towards other sources of revenue, such as cryptomining. Alternatively, malefactors who orchestrate DDoS attacks have to improve their technical skills, as their customers will look for more experienced attackers. Given this, we can anticipate that DDoS attacks will evolve in 2019 and it will become harder for companies to detect them and stay protected,” said Alexey Kiselev, Business Development Manager of Kaspersky Lab DDoS Protection team.
14 days
It is important to note, according to Kaspersky, that the longest DDoS attack that happened in the fourth quarter lasted for 329 hours of 14 days. The last time this happened was in 2015.
Kaspersky noted that the top three counties which had the most conducted DDoS attack remain the same. China is again in the first place but its share dropped significantly from 77.67 percent to 50.43 percent. The United States remains in second place and third place is still occupied by Australia.
By target distribution, China still tops the list, but its share also declined to 43.26 percent (70.58 percent in the third quarter).
In the fourth quarter, there have also been changes in the countries hosting the most C&C servers. As in the previous quarter, the US remained the leader, but the United Kingdom and the Netherlands came second and third, replacing Russia and Greece respectively. “This is likely because of the number of active C&C Mirai servers increasing significantly in the aforementioned countries,” Kaspersky said.
Kaspersky Lab recommends the following steps to protect an organization from DDOS attacks:
- Train personnel to respond to such incidents in a proper way;
- Ensure that a company’s websites and web applications can handle high traffic;
- Use professional solutions to protect against attacks. For example, Kaspersky DDoS Protection combines Kaspersky Lab’s extensive expertise in combating cyberthreats and the company’s unique in-house developments. The solution protects against all types of DDoS attacks regardless of their complexity, strength or duration.
Image by Gerald Altman/Pixabay