DDoS Attack Report 2017

Q1 2017

The DDoS Attack Report — sponsored by Nexusguard — provides DDoS attack trends, statistics, best practices, and resources for chief information security officers (CISOs) and IT security teams.


DDoS attacks are the most dangerous cyber threat to every organization in the world

High throughput DDoS attacks take down major websites. IoT botnet attacks on the rise, may force IT infrastructures to the cloud. Blizzard of DDoS attacks to continue through 2020.

Brad Casey

Menlo Park, Calif. – Jan. 4, 2017

Dateline, DDoS episodes…

On Sept. 20, 2016, at around 8pm ET, KrebsOnSecurity, the widely read security blog authored by Brian Krebs, was effectively taken offline by one of the largest DDoS attacks recorded up to that point, and was in real danger of staying offline until Google stepped in and took the site under its protection.

A month later, on the morning of Oct. 21, 2016, several major websites whose DNS was served from infrastructure on the East Coast of the United States suffered outages. The sites included Wired, The New York Times, Reddit, and Spotify.

Finally, on Dec. 21, 2016, at around 11am PST, a massive Distributed Denial of Service (DDoS) attack was detected and mitigated before it could do any damage.

The October site outages were the result of an attack on Dyn (now a part of Oracle), a managed DNS provider whose authoritative name servers answer queries for many major American domains. Knock out the name servers and the sites behind them become unreachable even though the web servers themselves are untouched. This highly effective attack used the now infamous Mirai, a piece of malware that powers an extensive botnet populated largely by Internet of Things (IoT) devices such as closed circuit TV (CCTV) cameras and similar equipment that, in years past, few security experts considered a serious attack vector.


The September attack on Krebs was itself attributed to Mirai, whose source code was published shortly afterwards. The December attack targeted an unnamed network (or group of networks) and was launched by what has since become known as the Leet botnet. Initially mistaken for a Mirai variant because of its apparent reliance on IoT devices, it has since been identified as a distinct botnet, and potentially a more powerful one.

What do the three episodes have in common? In each case the measured attack throughput exceeded 450 Gbps, a volume attackers could only dream of a decade ago. All three are believed to have been powered largely by compromised IoT devices, which matters because the number of such devices in the field continues to grow rapidly.

So what are those charged with securing enterprise networks supposed to do in the face of attacks that can have such a devastating impact on network uptime and performance? According to Juniman Kasman, CTO at Nexusguard, “It’s possible to minimize the damage by detecting and blocking IoT DDoS bots. After more than two years of efforts, our research team has identified the source IPs of millions of vulnerable/hackable IoT devices across the world.”

It is possible, using the source addresses recorded in previously reported IoT botnet attacks, to blacklist those IP addresses and ranges ahead of the next attack. Network security infrastructure (firewalls, routers, scrubbing appliances) can then drop inbound and outbound traffic to and from those addresses. This is not a cure-all, however: botnet membership changes constantly as devices are reinfected, reassigned addresses, or newly recruited, so a blacklist is always behind, and blocking every botnet-related address is next to impossible.

The address space available to IoT devices is large, and IPv6 makes it vastly larger, so botnet operators will always have ranges of addresses that a target's security infrastructure has never seen before. Kasman also points out that Mirai is capable of attacking at the application layer of the TCP/IP stack, something that was uncommon in years past. Mirai's STOMP flood vector, for example, completes a real TCP handshake from the bot's true (unspoofed) address and then floods the connection with junk STOMP frames, so every bot looks like a legitimate client and every connection costs the target server state and CPU. Blacklisting address ranges may therefore be rendered moot as botnet creators lean on application protocols such as STOMP to exhaust a target's resources with unsolicited connections.
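The following is an added example, not code from the original report or from Nexusguard, that shows both halves of the point above: a blacklist check of connection sources against ranges reported in earlier attacks, and a per-source rate check on STOMP session-opening frames that catches a flooding source the blacklist has never seen. The blacklist ranges, the log format, and the log lines are all constructed for the example (RFC 5737 and RFC 3849 documentation addresses stand in for real bot addresses); the window and threshold values are arbitrary assumptions.

```python
"""Blacklist plus rate-based detection of STOMP connection floods (added example)."""
import ipaddress
from collections import defaultdict, deque

# Assumed blacklist of source ranges observed in earlier IoT botnet attacks.
# Documentation ranges are used here as stand-ins for real reported addresses.
KNOWN_BOT_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/25"),
    ipaddress.ip_network("2001:db8:bad::/48"),
]

# STOMP frames that open a session. A source repeating these is a connection flood.
CONNECT_FRAMES = {"CONNECT", "STOMP"}

# Constructed log, one line per accepted TCP connection on the broker port:
# "<unix_time> <src_ip> <dst_port> <first_STOMP_command>"
SAMPLE_LOG = """\
1483000000 198.51.100.7 61613 CONNECT
1483000001 198.51.100.7 61613 CONNECT
1483000000 192.0.2.44 61613 CONNECT
1483000001 192.0.2.44 61613 CONNECT
1483000002 192.0.2.44 61613 STOMP
1483000003 192.0.2.44 61613 CONNECT
1483000000 192.0.2.10 61613 CONNECT
1483000040 192.0.2.10 61613 SEND
1483000041 203.0.113.200 61613 CONNECT
1483000042 2001:db8::1 61613 CONNECT
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, port, command); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, port, cmd = parts
        try:
            records.append((int(ts), ipaddress.ip_address(src), int(port), cmd))
        except ValueError:
            continue
    return records


def is_blacklisted(ip, ranges=KNOWN_BOT_RANGES):
    """True if the address (v4 or v6) falls inside any blacklisted range."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in ranges)


def classify_sources(records, window=5, threshold=3, ranges=KNOWN_BOT_RANGES):
    """Map each source IP to 'blacklisted', 'rate_flagged' or 'allowed'.

    A source is rate_flagged when it opens at least `threshold` STOMP sessions
    within any `window`-second span, regardless of whether it is blacklisted.
    """
    verdicts = {}
    connects = defaultdict(list)
    for ts, ip, _port, cmd in records:
        key = str(ip)
        if is_blacklisted(ip, ranges):
            verdicts[key] = "blacklisted"
            continue
        if cmd in CONNECT_FRAMES:
            connects[key].append(ts)
    for key, stamps in connects.items():
        recent = deque()          # sliding window of session-open timestamps
        flagged = False
        for ts in sorted(stamps):
            recent.append(ts)
            while recent[0] < ts - window:
                recent.popleft()
            if len(recent) >= threshold:
                flagged = True
                break
        verdicts[key] = "rate_flagged" if flagged else "allowed"
    for _ts, ip, _port, _cmd in records:  # sources that never opened a session
        verdicts.setdefault(str(ip), "allowed")
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(parse_log(SAMPLE_LOG)).items()):
        print(f"{src:<16} {verdict}")
```

In the constructed log, 198.51.100.7 is dropped by the blacklist alone, while 192.0.2.44 is on no list yet opens four sessions in four seconds and is caught only by the rate check. The limitation the text describes is also visible: a botnet large enough to keep every source below the threshold (203.0.113.200 and 2001:db8::1 each open one session and are allowed) still exhausts the target in aggregate, which is why per-source checks on the target's own link are no substitute for upstream mitigation.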


If blacklisting IP addresses is insufficient, then what options are available to security administrators? One solution gaining popularity is shifting to a cloud-based security infrastructure.

Mirai's STOMP flood has been used to considerable effect, and it will keep working for attackers as long as businesses rely solely on on-premise security hardware. The reason is where that hardware sits. By the time an on-premise firewall inspects a packet, the packet has already crossed the organization's upstream link; even when the firewall is correctly configured to terminate the connection and drop the junk STOMP traffic, the bandwidth and the inspection work have already been spent, and a flood large enough saturates the link regardless of what the firewall does next. When the security infrastructure is in the cloud, upstream of the target, the TCP connections are terminated there and only clean traffic is forwarded, which frees the targeted network's upstream connection.

The IoT-powered botnet is one of the more creative innovations to come from network attackers, and it appears to be in its infancy. As IoT botnets mature with each successful attack, a cloud-based security infrastructure may be the only practical recourse.


One industry expert speaks to the growth and severity of DDoS attacks overall, and what organizations can expect in 2017 and over the next couple of years.

“There are roughly 50 million DDoS attacks occurring annually, according to Verisign,” says Steve Morgan, founder and Editor-In-Chief at Cybersecurity Ventures. Cisco's own forecast is more modest, projecting 17 million DDoS attacks annually by 2020. “Based on growth trends and the sheer volume of DDoS attacks being observed, we believe that DDoS attacks are the most dangerous cyber threat to every organization in the world. They are the worst venom used by hackers to harm others.”

“If there’s ever such a thing as a ’10’ on the Richter Scale of cyberquakes, then it will surely be a DDoS attack” adds Morgan. “There are hacks that are designed to infiltrate networks, and to steal money, intellectual property and trade secrets — and then there’s the DDoS attacks which are aimed at burning down the house.”

Brad Casey is a freelancer writing about any and all things IT and cybersecurity related.