Botnets act as a force multiplier for individual attackers, cyber-criminal groups and nation-states looking to disrupt or break into their targets' systems. A botnet is, by definition, a collection of internet-connected devices of any type that an attacker has compromised and can direct as a group. Commonly used in distributed denial of service (DDoS) attacks, botnets can also send large volumes of spam, steal credentials at scale, or spy on people and organizations.
Malicious actors build botnets by infecting connected devices with malware and then managing them through a command-and-control (C2) server. Once an attacker has compromised one device on a network, every other vulnerable device reachable from it is at risk of being infected in turn.
Read more about botnets and why they are a persistent threat on CSO.
DDoS attack volumes have increased by 50% to an average of 3.3 Gbps during May, June and July 2018, compared to 2.2 Gbps during the previous quarter, according to Link11. Attacks are also becoming increasingly complex, with 46% of incidents using two or more vectors.
While attack volumes increased, researchers recorded a 36% decrease in the overall number of attacks. There was a total of 9,325 attacks during the quarter: an average of 102 attacks per day. While the number of attacks decreased overall, both the scale and complexity of the attacks increased.
A malware author built a huge botnet comprising more than 18,000 routers in the span of a single day. The new botnet was spotted by security researchers from NewSky Security, and their findings have been confirmed by Qihoo 360 Netlab, Rapid7, and GreyNoise.
The botnet was built by exploiting a vulnerability in Huawei HG532 routers, tracked as CVE-2017-17215. Scans for this vulnerability, which is exploited through the router's UPnP service on TCP port 37215, started on July 18, according to data collected by Netlab's NetScan system.
Read more about how one threat actor built a huge DDoS botnet in less than a day, and what that says about the sorry state of SOHO router security, on BleepingComputer.
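The scan wave Netlab observed is the kind of thing a perimeter log already records: a burst of unrelated sources probing the same unusual port across many of your addresses. The detector below is an added example, not code from the article, BleepingComputer or Netlab; it parses constructed iptables-style LOG lines (addresses, dates and the three-scanner/three-target threshold are assumptions) and reports which days look like a mass scan of TCP/37215 rather than a single curious host.

```python
"""Flag a scan wave against TCP/37215 (the Huawei HG532 UPnP port) in firewall logs.

Added example, not from the article or from Netlab. The log lines are constructed
in iptables LOG format; the thresholds are assumptions.
"""
from collections import defaultdict
import re

# Constructed sample: a quiet day, then a scan wave on the following day.
SAMPLE_LOG = """\
Jul 17 03:14:07 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40211 DPT=37215 SYN
Jul 17 11:52:41 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=52010 DPT=22 SYN
Jul 18 00:05:12 gw kernel: IN=eth0 OUT= SRC=198.51.100.21 DST=203.0.113.10 PROTO=TCP SPT=61233 DPT=37215 SYN
Jul 18 00:05:13 gw kernel: IN=eth0 OUT= SRC=198.51.100.21 DST=203.0.113.11 PROTO=TCP SPT=61234 DPT=37215 SYN
Jul 18 00:05:13 gw kernel: IN=eth0 OUT= SRC=198.51.100.21 DST=203.0.113.12 PROTO=TCP SPT=61235 DPT=37215 SYN
Jul 18 00:07:40 gw kernel: IN=eth0 OUT= SRC=198.51.100.34 DST=203.0.113.10 PROTO=TCP SPT=41022 DPT=37215 SYN
Jul 18 00:07:40 gw kernel: IN=eth0 OUT= SRC=198.51.100.34 DST=203.0.113.11 PROTO=TCP SPT=41023 DPT=37215 SYN
Jul 18 00:09:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.58 DST=203.0.113.12 PROTO=TCP SPT=33004 DPT=37215 SYN
Jul 18 00:09:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.58 DST=203.0.113.13 PROTO=TCP SPT=33005 DPT=37215 SYN
Jul 18 09:30:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP SPT=52099 DPT=443 SYN
"""

LINE_RE = re.compile(
    r"^(?P<month>\w{3}) (?P<day>\d{1,2}) \S+ \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

HG532_PORT = 37215  # port scanned for CVE-2017-17215, per the article


def parse_log(text):
    """Yield (date, src, dst, proto, dport) for each line that parses."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            date = f"{m['month']} {int(m['day']):02d}"
            yield date, m["src"], m["dst"], m["proto"], int(m["dpt"])


def scan_summary(text, port=HG532_PORT):
    """Per-day count of distinct scanners and distinct targets probing `port`."""
    scanners = defaultdict(set)
    targets = defaultdict(set)
    for date, src, dst, proto, dpt in parse_log(text):
        if proto == "TCP" and dpt == port:
            scanners[date].add(src)
            targets[date].add(dst)
    return {d: (len(scanners[d]), len(targets[d])) for d in scanners}


def scan_wave_days(text, port=HG532_PORT, min_scanners=3, min_targets=3):
    """Days on which `port` is probed by at least `min_scanners` sources hitting
    at least `min_targets` destinations: the shape of a mass scan, not one host."""
    return sorted(
        d for d, (s, t) in scan_summary(text, port).items()
        if s >= min_scanners and t >= min_targets
    )


if __name__ == "__main__":
    for day, (s, t) in sorted(scan_summary(SAMPLE_LOG).items()):
        print(f"{day}: {s} scanner(s) -> {t} target(s) on TCP/{HG532_PORT}")
    print("scan wave on:", scan_wave_days(SAMPLE_LOG))
```

Counting distinct sources and distinct targets separately is what separates a scan wave from a noisy single host; on a real sensor you would baseline the per-day counts for that port before fixing the thresholds.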
DDoS attacks don’t arrive on little cat feet; they announce their presence with the subtlety of a shovel to the face. Two just-released reports show that these loud DDoS attacks are getting louder, larger, and more numerous with the passage of time.
Verisign released its Q1 2018 DDoS Trends Report and Akamai published its State of the Internet/Security Summer 2018 report and neither was filled with good news if your job is defending a company or network against DDoS attacks. Together, the two reports paint a detailed and disturbing picture of the way DDoS attacks are evolving to be both more common and more dangerous.
Read more about the findings of the two reports on DDoS trends on DarkReading.
Cyber defenders need to stay on their toes, as DDoS attacks are still on the rise. According to Akamai Technologies’ Summer 2018 State of the Internet/Security: Web Attack report, the number of recorded DDoS attacks increased 16 percent since last year, and attackers are devising new and advanced DDoS methods.
Since last year there has been a 4 percent increase in reflection-based DDoS attacks and a 38 percent increase in web application attacks such as SQL injection and cross-site scripting (a separate category from DDoS that the same report tracks). The period also saw a 1.35 terabit per second memcached reflection attack, the largest DDoS attack recorded at the time.
Read more about the disconcerting findings of the new report by Akamai Technologies on CSO.
Record-breaking distributed denial-of-service (DDoS) attacks are on a tear this year, and new data shows that DNS amplification attacks have jumped 700% worldwide since 2016.
In the first quarter of 2018, some 55 amplification attacks employed Memcached servers, according to Nexusguard's first-quarter data. Memcached reflection is a distinct vector from DNS amplification: it abuses the cache's unauthenticated UDP listener on port 11211, which returns responses many thousands of times larger than the request. Memcached servers this year became the new darling of botnet operators looking for a way to jack up their DDoS attacks. Memcached is an open source in-memory cache used to speed up server applications; it was designed for trusted internal networks, has no authentication, and until early 2018 listened on UDP by default, so any instance exposed to the internet became a ready-made reflector.
Read more about the disconcerting findings of the latest DDoS report by Nexusguard on DarkReading.
A newly uncovered form of DDoS attack takes advantage of a well-known, yet still exploitable, weakness in the Universal Plug and Play (UPnP) networking protocol to let attackers bypass common methods of detecting their traffic. Reflected attack traffic is relayed through UPnP port mappings on exposed routers, so it reaches the victim from irregular source ports instead of the well-known port of the abused service. That makes it hard to determine the traffic's origin and defeats mitigations that blacklist reflection by source port.
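The Memcached item and the UPnP item above describe the same problem from two sides: reflection floods are easy to spot when they arrive from a reflector's well-known port, and port-shifting breaks exactly that check. The following added example (not code from Nexusguard, Imperva or the outlets cited; the flow records, addresses and the 1 MB threshold are constructed assumptions) runs a naive source-port filter and an unsolicited-response check over the same inbound UDP flows at a victim's edge, to show what each catches and misses.

```python
"""Spot reflection/amplification floods at a victim's edge, and show why
source-port filtering misses UPnP-relayed reflection.

Added example, not from the research the page cites. Flow records are
constructed; the byte threshold is an assumption.
"""

# Well-known UDP ports of services commonly abused as reflectors.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp", 11211: "memcached"}

VICTIM = "203.0.113.10"

# Constructed UDP flow records: (src, sport, dst, dport, bytes, packets).
FLOWS = [
    # legitimate: the victim queries its resolver and gets a small answer back
    (VICTIM, 50001, "198.51.100.53", 53, 120, 2),
    ("198.51.100.53", 53, VICTIM, 50001, 480, 2),
    # memcached reflection, classic: responses arrive from UDP/11211
    ("192.0.2.20", 11211, VICTIM, 80, 14_000_000, 10_000),
    # DNS reflection, classic: responses arrive from UDP/53
    ("192.0.2.21", 53, VICTIM, 80, 3_000_000, 1_000),
    # DNS reflection relayed through a UPnP port mapping on a home router:
    # same payloads, but the source port is whatever the router mapped, not 53
    ("192.0.2.22", 41873, VICTIM, 80, 3_000_000, 1_000),
]


def port_based_reflectors(flows, victim=VICTIM):
    """Naive mitigation: flag inbound UDP whose source port is a known reflector
    service. Misses port-shifted traffic and also hits the real resolver."""
    return {f[0] for f in flows if f[2] == victim and f[1] in REFLECTOR_PORTS}


def unsolicited_reflectors(flows, victim=VICTIM, min_bytes=1_000_000):
    """Flag large inbound flows that no outbound flow from the victim solicited.
    Matching the full 4-tuple makes the reflector's source port irrelevant."""
    # For each outbound flow, the 4-tuple an honest reply would carry.
    solicited = {(f[2], f[3], f[0], f[1]) for f in flows if f[0] == victim}
    hits = {}
    for src, sport, dst, dport, nbytes, _pkts in flows:
        if dst != victim or nbytes < min_bytes:
            continue
        if (src, sport, dst, dport) in solicited:
            continue
        hits[src] = REFLECTOR_PORTS.get(sport, "port-shifted")
    return hits


def amplification_factor(request_bytes, response_bytes):
    """Bytes delivered to the victim per byte the attacker spoofed, the figure
    reports quote per vector (e.g. a ~15-byte memcached get for a 750 kB value)."""
    return response_bytes / request_bytes


if __name__ == "__main__":
    print("port filter flags:   ", sorted(port_based_reflectors(FLOWS)))
    print("unsolicited flags:   ", unsolicited_reflectors(FLOWS))
    print("memcached 15B -> 750kB:", amplification_factor(15, 750_000), "x")
```

The port filter both misses the UPnP-relayed source (192.0.2.22) and flags the victim's own resolver, which is why blocking UDP/53 at the edge is not a usable mitigation; the 4-tuple check catches all three reflectors and nothing else. On the server side, the memcached fix is to stop being a reflector at all: start it with `-U 0` to disable the UDP listener and `-l` bound to an internal address.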
OpenFlow, a protocol used widely in software-defined networking (SDN), suffers from a serious security weakness: authentication and authorization of the switch are missing from its handshake process. OpenFlow is maintained by the Open Networking Foundation (ONF), founded in 2011, and is designed as a vendor-neutral protocol for managing packet forwarding on switches and building software-defined networks.
Securing the control connection and verifying that a switch joining the network is supposed to be there is a basic requirement of any network control protocol, and it is one the OpenFlow handshake itself does not perform: the specification leaves transport security to an optional TLS layer, and a controller that accepts the plaintext handshake trusts whatever identity the switch claims.
Read more about the vulnerability that stems from the inherent trust network controllers give to OpenFlow switches and which could be exploited to perform denial-of-service or covert communication attacks on TechRepublic.
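To make the trust problem concrete, here is an added example (not ONF code, and not the researchers' proof of concept) that simulates the OpenFlow 1.0 handshake in-process. Only the wire layout of the header and the features reply is taken from the OpenFlow 1.0 specification; the controller classes, the datapath-ID allowlist and the switch identities are assumptions built for illustration. It shows a controller that admits any switch claiming any datapath ID, beside one that at least refuses unprovisioned or duplicate IDs.

```python
"""Simulated OpenFlow 1.0 handshake showing the trust problem the page describes.

Added example, not ONF code or the reporter's proof of concept. The controller
classes, the allowlist and the identities are assumptions; only the OpenFlow 1.0
header and features-reply layout follow the specification.
"""
import struct

OFP_VERSION_1_0 = 0x01
OFPT_HELLO, OFPT_FEATURES_REQUEST, OFPT_FEATURES_REPLY = 0, 5, 6
HEADER = struct.Struct("!BBHI")            # version, type, length, xid
FEATURES_BODY = struct.Struct("!QIB3xII")  # datapath_id, n_buffers, n_tables, pad, capabilities, actions


def encode(msg_type, xid, body=b""):
    return HEADER.pack(OFP_VERSION_1_0, msg_type, HEADER.size + len(body), xid) + body


def decode(data):
    version, msg_type, length, xid = HEADER.unpack_from(data)
    if version != OFP_VERSION_1_0 or length != len(data):
        raise ValueError("malformed OpenFlow message")
    return msg_type, xid, data[HEADER.size:]


def switch_side(datapath_id, controller_msgs):
    """A switch (honest or rogue) answering the controller's handshake.
    A rogue switch simply writes whatever datapath_id it likes into the reply."""
    out = [encode(OFPT_HELLO, 0)]
    for raw in controller_msgs:
        msg_type, xid, _ = decode(raw)
        if msg_type == OFPT_FEATURES_REQUEST:
            body = FEATURES_BODY.pack(datapath_id, 256, 1, 0, 0)
            out.append(encode(OFPT_FEATURES_REPLY, xid, body))
    return out


class TrustingController:
    """Admits whatever datapath_id the peer claims: the behaviour at issue."""

    def __init__(self):
        self.switches = {}

    def handshake(self, switch_fn):
        request = encode(OFPT_FEATURES_REQUEST, xid=1)
        for raw in switch_fn([encode(OFPT_HELLO, 0), request]):
            msg_type, _xid, body = decode(raw)
            if msg_type == OFPT_FEATURES_REPLY:
                dpid = FEATURES_BODY.unpack_from(body)[0]
                return self.admit(dpid)
        return False

    def admit(self, dpid):
        self.switches[dpid] = "connected"
        return True


class AllowlistController(TrustingController):
    """Admits only provisioned datapath_ids, one live connection each. This
    stops unknown and duplicate switches; it does not stop an impostor that
    connects first, which needs transport authentication (mutual TLS)."""

    def __init__(self, allowed):
        super().__init__()
        self.allowed = set(allowed)

    def admit(self, dpid):
        if dpid not in self.allowed or dpid in self.switches:
            return False
        return super().admit(dpid)


REAL_DPID = 0x0000_0000_0000_0001   # assumed provisioned switch
ROGUE_DPID = 0xdead_beef_0000_0042  # assumed attacker-chosen id


def demo():
    trusting = TrustingController()
    listed = AllowlistController(allowed={REAL_DPID})
    real = lambda msgs: switch_side(REAL_DPID, msgs)
    rogue = lambda msgs: switch_side(ROGUE_DPID, msgs)
    impostor = lambda msgs: switch_side(REAL_DPID, msgs)  # claims the real switch's id
    return {
        "trusting admits unknown": trusting.handshake(rogue),
        "allowlist rejects unknown": listed.handshake(rogue),
        "allowlist admits real": listed.handshake(real),
        "allowlist rejects duplicate id": listed.handshake(impostor),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The allowlist is deliberately shown as a partial fix: a datapath ID is a self-reported 64-bit number, so the only thing that actually binds a connection to a specific switch is client-authenticated TLS on the controller channel, which the OpenFlow specification supports but does not require.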
The distributed denial-of-service (DDoS) attack which knocked KrebsOnSecurity offline for days cost the owners of devices unwittingly involved in the attack upwards of $300,000, researchers suggest. The DDoS attack took place in 2016 and was made possible through the Mirai botnet, a network of enslaved Internet of Things (IoT) devices including routers, surveillance cameras, and smart home systems.
Non-existent or poor security practices, including hardcoded and factory-default passwords, allowed the botnet's operators to scan the internet for devices they could log into and enslave, providing the bandwidth needed to swamp the KrebsOnSecurity domain and prevent legitimate traffic from getting through.
Read more about the research on the DDoS attack against KrebsOnSecurity on ZDNet.
Almost every organization has been affected by a distributed denial-of-service (DDoS) attack in some way: whether they were hit directly in a traffic-flooding attack, or if they suffered the fallout from one of their partners or suppliers getting victimized. A powerful flooding attack can not only take down a company’s network, but also its business.
The April takedown by the UK National Crime Agency and Dutch National Police and other officials of the world’s largest online market for selling and launching DDoS attacks, Webstresser, was a big win for law enforcement. Webstresser boasted more than 136,000 registered users and supported some four million DDoS attacks worldwide. But in the end, Webstresser’s demise isn’t likely to make much of a dent in DDoS attack activity, experts say.
Read why distributed denial-of-service attacks are actually getting bigger, badder, and ‘blended,’ and what you can (and can’t) do about that on DarkReading.