DDoS Attacks: On the Rise and Growing in Sophistication

In a one-week span in September 2019 alone, distributed denial-of-service, DDoS, attacks took down a popular gaming service and one of the world’s most visited websites. Botmasters faced justice in court, and protesters in Hong Kong saw their online forums targeted. This really demonstrates how DDoS attacks are a persistent threat— the targets, motivation, tools, and techniques are almost limitless.

A common attack involves the attacker, a command and control, a botnet (i.e. exploited computers), and the victim. You can review a recent article, What is a DDoS attack?, for a little background and categorized by method.

IoT botnet

• On September 6, Wikipedia—the second most visited website in the world, with 1.22 billion monthly visitors—suffered a DDoS attack that led to the service being offline for some users for up to nine hours over the course of two days. It has been reported that an IoT botnet was behind the attack.
• On September 5, a 21-year old hacker went before a judge to confess his role in creating and operating the highly effective Satori botnet. According to a report in The Register, the attacker, “turned thousands of hacked devices into a 100 Gbps+ DDoS-for-hire cannon”.

Satori is a DDoS botnet that NETSCOUT has studied extensively for years. In fact, in January 2018, our ASERT team not only looked at the history of IoT botnets, but also took a detailed look at the evolution of Satori. As the team noted, “Each new version offers a fresh combination of targeted platforms, propagation techniques, and attack types. Contrasted with traditional software, in which features are added incrementally, Satori seems to go both forward and backward. Digging into the history will provide insight into this continually evolving threat.”

DDoS-for-hire

• On September 7, the incredibly popular World of Warcraft Classic was taken offline by a DDoS attack. Gaming platforms like Xbox and PlayStation are frequent targets, and attacks by and between players are quite common as well. What makes this attack noteworthy is that the group responsible apparently gave warning and bragged about it throughout as a form of advertisement—in other words, it was a DDoS-for-hire service hawking its wares.

These days, DDoS attacks are often powered by professionally managed DDoS-for-hire services known as booters or stressers, which is reflected in the attack motivation findings. For example, the top motivation cited for attacks in 2018 was criminals showcasing their capabilities to potential customers.

Online protest, or “hacktivism”

• On September 2, Bloomberg reported that, “An online service used by Hong Kong demonstrators said a large digital attack that knocked out its servers briefly over the weekend was unprecedented and originated in some cases from websites in China”. The group posted a statement detailing the DDoS attack, stating that “a flood of traffic disabled a site by overwhelming its computers”. Total requests to the site hit 1.5 billion and unique visitors surged to 6.5 million per hour, the group reported.

For two decades, at NETSCOUT, we have tracked how DDoS attacks have been used as a form of online protest. “Hacktivism” has been enabled by the development of free online tools that enable anyone with a grievance or issue to easily launch an attack. Beyond do-it-yourself tools, we’ve also tracked the emergence of booter/stresser services that sell DDoS attack services, as any SaaS provider would. They offer different levels of capabilities and support, sophistication, and size. In some cases, you can even try before you buy. This combination of do-it-yourself tools and cheap for-hire attack services have driven the explosion in DDoS attack frequency.

Politically-motivated attacks

The 14th annual Worldwide Infrastructure Security Report found that political motivations were a driving force behind DDoS attacks. In 2018, 60 percent of service providers witnessed attacks traversing their networks that were targeting governments, up from 37 percent just last year. As political instability increases around the world, we can expect DDoS to continue to be used as a form of protest.

It’s hard to believe the magnitude of these events and a great reminder to organizations to not only have the proper protections in place, but a complete understanding of the entire threat landscape going forward.