Verisign report – The rise of DDoS attacks as a service

A new report published by Verisign provides useful data related to the recent evolution of DDoS attacks and the services that offer them.

DDoS attacks are even more dangerous for every organization that exposes its resources and services on the Internet, recent attacks against Sony PSN network and XBox live service demonstrate it.

DDoS attacks despite could cause serious damages to victims are quite easy and cheap to run, according to the latest Verisign’s Distributed Denial of Service Trends report an attack can cost between $5 (USD) per hour or as low as $2 (USD) an hour.

In the underground it is quite easy to hire hackers to run DDoS attacks, massive and longstanding attacks can be run for as little as $800 a month causing serious problems to the target.

“Since their inception in 2010, DDoS-for-hire capabilities have advanced in success, services and popularity, but what’s most unnerving is booters have been remarkably skilled at working under the radar,” according to the Verisign’s Distributed Denial of Service Trends report.

The experts noticed a significant increase in the number of attacks against specific sectors, Public–Sector organizations and Financial Services above all.

“Given the ready availability of DDoS-as-a-service offerings and the increasing affordability of such services, organizations of all sizes and industries are at a greater risk than ever of falling victim to a DDoS attack that can cripple network availability and productivity.”

The report highlights that bad actors that propose hit and run DDoS attacks use different public channels to propose themselves and their services.

The document explicitly refers the operators of the Gwapo DDoS service, which used YouTube and posted videos that featured actors reading a script explaining the DDoS service the way to contact the operators via email and hire them. In this specific case, the cost of DDoS attacks ranged from $2 per hour for one to four hours to $1,000 for a month-long attack, the report notes.

Recent analysis observed a dramatic increase of so-called hit and run attacks, a series of short bursts of high volume attacks, having a limited duration, and are arranged periodically.

Hit and Run DDoS attacks are in nature “on demand attack“, the attackers limit the duration of the offensives to avoid the intervention of defense mechanisms, the typical DDoS defense solution works well for long DDoS attack, but their response time is too long to face with short DDoS.

“One of the more high-profile advertising efforts for a DDoS service in 2014 came from the DDoS group Lizard Squad,” according to the Verisign’s Distributed Denial of Service Trends report. “Since August 2014, the group has claimed responsibility for attacks against multiple online gaming services, including those for Sony Corp.’s PlayStation Network (PSN) and Microsoft Inc.’s Xbox Live. PSN and Xbox Live were both taken offline for significant amounts of time by DDoS attacks on Dec. 25, 2014. Following the successful Christmas attacks, Lizard Squad began advertising the operation of its very own LizardStresser DDoS service, which costs from $5.99 to $119.99 USD per month to employ.”

DDoS attacks represent a serious threat to SMBs and enterprises working in every industry, despite the information technology and cloud are privileged targets.

“DoS attacks are a global threat and not limited to any specific industry vertical, but the information technology and cloud verticals are prime targets because these services are used by multiple customers across both the private and public sectors,” said Ramakant Pandrangi, the vice president of technology at Verisign. “That makes it appealing to cybercriminals.”

The report revealed a sustained volumetric DDoS activity, with attacks reaching 60 Gbps/16 Millions of packets per second (Mpps) for User Datagram Protocol (UDP) floods and 55 Gbps/60 Mpps for Transmission Control Protocol (TCP)-based attacks in the Q4 2014.

“During Q4 2014, Verisign’s IT/Cloud Services/SaaS customers experienced the largest volume of attacks, representing one third of all attacks and peaking in size at just over 60 Gbps for more than 24 hours,” 

UDP amplification attacks leveraging the Network Time Protocol (NTP) were most dangerous DDoS attacks.

“NTP is a UDP-based protocol used to synchronize clocks over a computer network,” explained Pandrangi. “Any UDP-based service including DNS, SNMP, NTP, chargen, and RADIUS is a potential vector for DDoS attacks because the protocol is connectionless and source IP addresses can be spoofed by attackers who have control of compromised or ‘botted’ hosts residing on networks which have not implemented basic anti-spoofing measures. Many organizations do not use or trust external systems for their NTP, so in this case the solution can be as easy as restricting or rate-limiting NTP ports inbound and outbound to only authenticated, known hosts.”

Enjoy the report!

(Security Affairs –  DDoS attacks, cybercrime)