Distributed Denial-of-Service, DDoS Denial of Service

Distributed denial-of-service attacks DDoS first appeared in the news in December 1999; and this case was related to a trin00 system based on the use of a botnet. These attacks are evolving today, but the principle remains the same: hundreds and thousands of geographically distributed hosts begin to bombard with empty server requests, after which the latter begin to experience overload and cannot process legitimate requests in a timely manner. All the while, manufacturers have been trying to develop products that effectively counter DDoS.

DoS and DDoS attacks are common in the world of Internet security. First, they do not target vulnerabilities that can be fixed; secondly, each individual package is quite legitimate - only their totality leads to devastating consequences, and thirdly, such attacks are long-lasting - they last several hours or days, instead of several seconds or minutes.

For years, the DoS and DDoS attacks were not given enough attention as they were considered niche. This changed dramatically in 2011, when the Anonymous group chose DoS/DDoS attacks as the main method of attack. Encouraged by the power and devastating consequences of such an attack, the Anonymous group turned it into the main method of struggle, attracting the attention of not only the security community, but also the general public. Despite the fact that the group's activity decreased in 2012, it laid the foundation for the further development of this type of attack. Many groups of hackers began to use DoS/DDoS - hacktivists, financially motivated criminal organizations and even government agencies became interested in the opportunities.

Types of DDoS attacks

• Errors in the program code for the exploitation of which special exploits are used - programs, or code fragments that exploit vulnerabilities in, during an ON attack. WinNuke and Ping of death are examples of exploits that are unable to establish control over the enemy's system, but successfully carry out a ddos attack.
• "Undercheck" of user data - leads to increased long-term consumption of processor resources, or to the allocation of a large amount of RAM (up to the exhaustion of processor resources and available memory).
• Flood (from the English flood - "overflow") - a large number of haphazard and meaningless questions to the system in order to disable it (reasons - exhaustion of system resources: memory, processor or communication channels).
• Attack of the second kind - causes a false response of the protection system and leads to the inaccessibility of the resource.

According to analysts, in Gartner 2013, up to 25% of distributed denial-of-service attacks will target specific applications. With the help of targeted DDoS attacks and social engineering, fraudsters are trying to penetrate banking systems, analysts warn.

The first such attacks against banks were noted in the United States in the second half of 2012. Through Internet channels, up to 70 gigabits of noise traffic were sometimes sent to banking sites per second. Until now, most attacks at the network level have absorbed no more than five gigabits per second. Moving to the application layer and increasing the intensity of attacks led to the complete impossibility of using sites.

But the main task of DDoS attacks, according to analysts, is to distract the attention of bank security services. The Gartner report provides examples of fraudsters entering into trust with bank customers by posing as police officers or bank employees tasked with helping a client move to a new account.

Analysts recommend the introduction of tiered technologies for protection against DDoS attacks, fraud prevention and identification.

Theoretical foundations

• DoS and DDoS attacks. Part 1 Theoretical Basis

• DoS and DDoS attacks. Part No. 2 Opponent Arsenal

• DoS and DDoS attacks. Part# 3. Scanning

Attack Tool Trends

DDoS - DIY

Tools for organizing DDoS attacks have become a subject of trade. Of course, they cannot yet be found in free sale in online stores, but on illegal sites you can find a huge number of different options - DDoS tool packages, price lists and even DDoS attack services. The availability of such DDoS packages has reduced the requirements for organizing network attacks and attacks on applications. Anyone from individuals to criminal cyber organizations can easily set up a botnet to launch an attack.

DDoS Attack Toolkits

Tool packages that do not require writing code or being an experienced hacker allow beginners to easily configure a botnet. A tool package for DDoS attacks is a software package consisting of two components - a bot designer and a management server.

• Bot Builder is a tool for step-by-step creation of bots with a graphical interface, which allows an attacker to create an executable file (bot) distributed to computers that will be part of a botnet. The created bot contains the address of the management server with which it can communicate.
• Command and Control (C&C) - is an administrator page that is used by an attacker to track the status of bots and send commands.

Immediately after installing C&C and preparing the executable bot, the attacker must transfer the bot to as many other computers as possible that will become part of the botnet, using public methods such as social engineering and passing-download attacks when a web browser, be it Internet Explorer or Chrome, is used to trick the user into downloading and running malware. As soon as the army of bots reaches the desired size, it is possible to launch an attack.

Like any professional software developers, developers of DDoS attack tools improve their products and release new versions, which are then published and sold. In the world of illegal software, most such packages are versions of other bots whose executable files and/or source code has been changed and renamed. A group of tools produced from a common source is commonly referred to as a "family."

DDoS custom attacks

The prevalence of DDoS programs also contributed to the emergence of custom DDoS attack services. Criminal cyber organizations use the ease of using DDoS packages to offer services for performing such attacks on various illegal forums.

A typical "business scenario" of ordering a DDoS attack could include suggestions such as "disabling a competitor's website" or, conversely, applying "pay us to not disable your site" extortion.

Dangers of IoT devices

• University of Twente, Netherlands: In 2012, 9 billion IoT devices were produced and it is expected that in 2020 there will be at least 24 billion
• Cisco The percentage of internet traffic generated by non-personal computer devices is estimated to increase by nearly 70% to 70% by 2019.
• IoT devices compromised by malware can become a platform for unwanted traffic
• The computing power of IoT devices (home routers) exceeds the profile requirements for these devices
• Using an average connection speed of 15.85 Mbps (carrier data), approximately 37,890 devices are required to generate a 586 Gb/s DDOS attack

TCP Middlebox Reflection - 65-fold increase in attacks

Main article: TCP Middlebox Reflection

What the DDos attack is aimed at

To effectively protect against ddos attacks, it is necessary to distinguish between potential dangers. Depending on the attack object:

• Resource-intensive packets with fake addresses "clog" communication channels, which complicates or blocks access to the site of legitimate users. The wide bandwidth of communication channels will help protect against attacks of this type.
• If system resources are attacked, system performance is degraded, causing the system to slow or freeze. Attackers are well aware of what data packets need to be sent to the victim computer for download.
• ON Vulnerabilities are exploited by a destructive attack that can change the configuration and parameters of the system. Any unauthorized changes must be tracked and resolved. Your ddos protection script is used in each individual case.

Vulnerable elements are the server, firewall and Internet channel

• Servers are vulnerable for the simple reason that attackers often organize their attacks so that they consume more resources than those possessed by the server.
• An internet channel becomes vulnerable to attacks that target bandwidth depletion and are called "volumetric flood." Such attacks include UDP flood or TCP flood, which consume a lot of channel bandwidth.
• Although firewall is a security tool and should not be a vulnerability to a DoS/DDoS attack, during attacks such as SYN flood, UDP flood, and connection overflow, attackers can generate many states, which drain firewall resources until it itself becomes an infrastructure weak point.

Attacks on CDN

• Main article: DoS attacks on content delivery networks, CDN Content Delivery Network

Attack on the site

The goal is one - to "hang up" the system, disable your site. Competitors in the market deal with each other with the help of professional hackers. There is even a so-called ddos business. Protection against ddos attacks in such conditions is simply necessary. At one time, for example, the website of the Kommersant newspaper, the Ekho Moskvy radio station and even the Kremlin website were subjected to ddos attacks, and bank sites and online stores often become victims. Depending on the season, different sites are attacked.

Preventive protection against DDoS attacks becomes common practice. According to our experts, many companies that have faced attacks in the past defend against cyber attacks a month before the start of the "high" season for their business.

Protection must be activated at all levels:

• The provider can provide basic protection. We also recommend purchasing ddos-protected hosting. This is a tiered system that will protect your site from attack.
• Firewall and firewall will help protect against ddos attacks at the network level. With a ddos attack on the server, this will help recognize the threat and buy time to protect, and a small attack can be stopped by these means.
• It is important to use the current equipment, which will help protect against ddos at the hardware level. It is also necessary to ensure that the software does not have bugs and vulnerabilities.

DDoS attacks in Russia

• Main article: DDoS attacks in Russia
• Main article: DDoS attacks on banks in Russia

DDoS attacks in medicine

Main article: DDoS attacks in medicine

Protection against DDoS attacks

Main article: Protection against DDoS attacks

Destruction of Service, DeOS

The main article on this topic is published here.

2023

The largest DDoS attacks on Google and Amazon have been going on for 1.5 months

On October 10, 2023, Amazon, Cloudflare and Google (part of Alphabet Holding) reported the most powerful DDoS attack on their services in history. Information security experts say that such large-scale attacks can cause serious damage to the Internet infrastructure. Read more here.

The number of multi-vector attacks in the world in the first half of the year increased by 117% year-on-year

Multi-vector DDoS attacks are gaining momentum around the world. This was announced on August 24, 2023 by Storm Systems (StormWall).

Hackers are increasingly using this type of attack to harm companies in different countries. StormWall experts analyzed multi-vector DDoS attacks in the world following the results of the first half of 2023 and studied their scale, consequences and prevalence. According to the company's analysts, as of August 2023, the number of multi-vector attacks at the global level in the first half of 2023 increased by 117% compared to the same period in 2022. StormWall customer data was used for analysis.

Most multi-vector attacks in the world were launched on the financial sphere (28% of the total), (21 retail % of the total) and (public sector 16% of the total volume of cyber incidents). Also, multi-vector attacks were used by hackers to damage telecom the sphere (14%), entertainment (9%), transport industry (6%) and the sphere (4 health care %). Attacks on other industries accounted for 2% of the total.

In Russia, the situation also causes great fears. According to StormWall analysts, the total number of multi-vector attacks on Russian companies in the first half of 2023 increased by 136% compared to the same period in 2022. The largest number of multi-vector attacks was directed to the financial sphere (36% of the total), in second place the telecom sphere (25% of the total), in third place retail (14% of the total). Such attacks on the public sector accounted for 8%, on the entertainment sector - 7%, on the energy sector - 5% and on the oil sector - 4%, other industries 1% of the total number of cyber incidents.

Multi-vector DDoS attacks target several different network layers and elements of the organization's infrastructure. Hackers simultaneously launch attacks on the site, network and infrastructure of organizations in order to achieve the maximum possible destructive effect. Such attacks are incredibly dangerous for organizations and carry huge financial and reputational risks.

StormWall experts believe that at the moment multi-vector attacks are one of the most serious threats to business. Despite the small power of the attacks, they can cause enormous damage to companies through their wide impact on various company resources. Since many organizations are not yet able to repel such complex attacks on their own, hackers will continue to actively use them, which will lead to a further increase in such cyber incidents around the world.

"DDoSya": Powerful cyber attacks hit state institutions of Ukraine and NATO countries

Powerful cyber attacks hit state institutions of Ukraine and a number of NATO countries as part of the DDoSia ("DDoSia") campaign. In total, almost 500 resources were affected, as stated in a study by Sekoia, the results of which were released on June 29, 2023. Read more here.

Owners of the subscription DDoS attack service, which has been operating for 10 years, have been arrested in Poland

In mid-June 2023, Polish police from the Central Bureau for Combating Cybercrime detained two suspects of involvement in organizing business activities of DDoS subscription attacks. The service has been actively developing since at least 2013.

The arrests are part of the coordinated international Operation PowerOFF, aimed at stopping the activities of online platforms that allow anyone who wants to launch a massive DDoS attack against any target around the world for a certain DDoS-for-hire fee.

DDoS-for-hire are paid services that provide DDoS services. Such sites generate massive http requests to the target web project or service that overload the server and disconnect it indefinitely.

The operation was carried out in coordination with Europol, the FBI and law enforcement agencies in the Netherlands, Germany and Belgium under the leadership of the Joint Cybercrime Task Force.

Employees of the Polish Central Bureau for Combating Cybercrime arrested two people and conducted ten searches that helped collect valuable data from a criminal server located in Switzerland. Polish police also found substantial evidence of the functioning and management of a criminal domain on a computer belonging to one of the suspects.

Evidence collected from the suspects' servers revealed information about more than 35 thousand user accounts, 76 thousand login records and more than 320 thousand unique IP addresses associated with the DDoS-for-hire service. In addition, the police found 11 thousand records of purchased attack plans with the corresponding electronic addresses of service buyers who paid about $400 thousand, and more than 1 thousand records of attack plans worth about $44 thousand.^[1]

The most powerful DDoS attack in history was registered - 71 million requests per second

In mid-February 2023, Cloudflare announced that it had repelled a record DDoS attack with a capacity of more than 71 million requests per second.

According to the official Cloudflare website, on February 11-12, 2023, the company discovered and mitigated dozens of super-volume DDoS attacks. Most attacks peaked at 50-70 million requests per second, with the largest exceeding 71 million. This is the largest registered DDoS attack in history, the company noted.

At the same time, the DDoS attack exceeded the previous registered record of 46 million requests per second by more than 35%, which took place in June 2022. The attacks were HTTP/2-based and targeted websites protected by Cloudflare. The hacker attack on the computer system came from more than 30 thousand. IP addresses.

Cloudflare said the popular gaming provider, cryptocurrency companies, hosting providers and cloud computing platforms were attacked. The attacks in mid-February 2023 came from numerous cloud providers. According to information security experts from Cloudflare, a sufficiently large and powerful botnet can generate very large-scale attacks, but the development and operation of botnets requires a lot of investment and experience.

The company notes that in recent months, since November 2022, the scale, sophistication and frequency of attacks have increased. Volume attacks in excess of 100 Gbps increased by 67% compared to the previous quarter, and attacks lasting more than three hours increased by 87%.

According to the Association of Computing Technology Industry (CompTIA), volume attacks are actually the least common form of DDoS, their number is much less than attacks at the application and protocol level. DDoS mercenary services allow threat actors to carry out attacks relatively easily, and as Cloudflare reported, the more the customer pays, the more large-scale and prolonged attack on the target he will receive.^[2]

Russia took 4th place in the world in the number of DDoS attacks on government agencies and companies

According to the results of 2022, Russia took 4th place in the world in the number of DDoS attacks on government agencies and companies. This is evidenced by the data released on January 17, 2023 by StormWall, a cybersecurity company.

According to the study, the leaders in the number of DDoS attacks in 2022 were China and India. The share of the Russian Federation in the total volume of such cyber attacks is 8.4%.

StormWall analyzed attack rates on various industries in 2022 and determined that the majority of DDoS attacks in the world were directed at the financial industry (28% of the total number of attacks), telecommunications (18%), the public sector (14%) and retail (12%). In addition, attackers organized many DDoS attacks on the entertainment sector (10%) and the insurance sector (7%).

It is noted that the number of DDoS attacks on the financial sector has grown 18 times, on the telecom sector - 12 times, on the public sector - 25 times, on retail - 8 times. There was also a significant increase in attacks on other industries: the number of attacks on the entertainment sector increased 4 times, on the insurance sector 12 times, on the media - 30 times, on the education sector - 2 times and on the logistics industry - 4 times.

Most attacks in 2022 were carried out according to the protocol/ HTTP(HTTPS 78%). In second place are protocol attacks/(TCPUDP 16%), protocol attacks DNS amounted to 2%, the rest attacks 4%. The maximum power reached 2 Tbit/s or 1 million requests per second thanks to the use to botnets organize attacks. An important feature of 2022 year was the increase in the duration of attacks: in 2021, attacks lasted an average of 4 hours, and in 2022, attacks lasted an average of 8 hours.

According to experts, the number of cyber attacks on other industries will also grow systematically, while DDoS attacks will be used more often to disguise other targeted attacks to disrupt system performance and steal personal data. At the same time, at the moment there is no reason to predict a significant increase in attacks on other industries, since the attacks of politically motivated activists practically stopped by the end of 2022.

Experts expect an increase in the number of cyber incidents to 300% for the oil and gas sector and the energy industry in February and March 2023 due to the huge impact of these industries on the current political situation in the world.^[3]

In Denmark, hackers disabled the sites of the Central Bank and seven banks

On January 10, 2023, it became known that attackers had disrupted the websites of the central bank Denmark and seven private banks in the country. More here.

2022

The number of DDoS attacks in the world soared by 115%

In 2022, the number of DDoS attacks on a global scale increased by 115.1% compared to 2021. Such data are given in a study by Nexusguard, the results of which were published on June 27, 2023.

The authors of the report note that in 2022, cybercriminals continued to change their tactics, targeting application platforms, online databases and cloud storage systems. This has affected many companies as key workloads move to the cloud amid digital transformation.

Despite the fact that the total number of DDoS attacks on an annualized basis more than doubled, their maximum power decreased significantly: the result in 2022 was 361.9 Gbps, which is 48.2% less than the previous year. The average value decreased by 22.4%.

Cybercriminals continue to target critical infrastructure from communication providers, especially Internet service providers. This leads to far-reaching consequences, since organizations relying on these providers are also negatively affected, said Juniman Kasman, chief technology officer at Nexusguard.

The study showed that in 2022, the majority of DDoS threats - approximately 85.6% - were single-vector attacks. Approximately the same result was recorded in 2021. UDP and TCP attacks accounted for 72.5% and 23% of the total number of threats, respectively. At the same time, the number of UDP attacks compared to 2021 soared by 121.3%. It is noted that in the field of TCP there is also a significant increase in cybercrime activity, but specific numbers are not called. Attackers are adopting artificial intelligence and machine learning to predict the effectiveness of their campaigns.^[4]

The total number of DDoS attacks in the world for the year increased by more than 73%

On January 27, 2023, Qrator Labs, a company specializing in ensuring the availability of Internet resources and neutralizing DDoS attacks, presented statistics on DDoS attacks and BGP incidents in 2022.

According to the company, 2022 was not just a record year, but unprecedented in the number of DDoS attacks and their intensity. The minimum indicators of the last ten months of the past year were an order of magnitude higher than the peak values ​ ​ in the pre-February period.

At the beginning of 2022, most attacks were basic, and only in the 4th quarter, along with the growth of DDoS activity, we began to see an increase in the complexity of attacks. At a certain point, the basic attacks ceased to be effective: the industry learned to fight them, and the attackers began to escalate the complexity in order to achieve results. narrated by Alexander Lyamin, founder of Qrator Labs

Compared to 2021, in 2022 the total number of attacks increased by 73.09%. The most attacked sectors were the media (18.5%), banks (9.9%) and payment systems (13%).

Banks and payment systems are the most profitable sector in terms of organizing attacks, and the media is always at the forefront of an attack when any socio-political conflicts occur in society. noted Alexander Lyamin

The largest number of attacks occurred in the first quarter of 2022 - 43.2%, in the second and third quarters the number of attacks began to decline - 23.3% and 20.5%, respectively. In the fourth quarter, 13.11% of attacks were recorded.

The duration of DDoS attacks has increased tenfold in 2022, compared to 2021. So, if in the first quarter of 2021 the maximum duration attacks amounted to 10 hours, then in the same period of 2022 year this figure was equal to 10 and a half days. In addition to increasing intensity attacks beginning in the 4th quarter of 2022, there has been an increase in the complexity and sophistication of attacks.

If earlier the attackers sought to optimize the time of use of botnets, then, starting in 2022, resources became available to them to continue the attack for weeks on end. The quantitative peak of attacks has definitely already been passed: massive unpretentious attacks, which many resources quickly "knocked off their feet," have worked out their own. Now in the competition of armor and projectile, the next stage is expected: instead of mass, the attackers are faced with the task of ensuring performance. The sophistication of attacks will grow, and the methods of neutralizing them, which were effective yesterday, tomorrow will most likely not work. The number of attacks will begin to fall, and their complexity will grow. In 2023, we expect to strengthen Application Layer attacks - these are sophisticated attacks, the traffic of which mimics the behavior of ordinary users. Such attacks are extremely difficult to identify and neutralize. commented Alexander Lyamin

In 2022, the number of autonomous systems (AS) affected by traffic interceptions decreased by almost 2 times - from 4778 in 2021 to 2576 in 2022.

The number of Russian autonomous systems that announced other people's subnets, that is, intercepted traffic, also decreased from 871 ACs in 2021 up to 649 in 2022.

There is a positive trend - the number of routing anomalies - traffic interceptions, both erroneous and malicious, begins to gradually decline. This is due, first of all, to the fact that a number of telecom operators in 2022 introduced mechanisms for protecting against routing anomalies, such as RPKI (Resource Public Key Infrastructure), in addition, under pressure from Tier-1- suppliers, owners of client autonomous systems begin to more correctly configure their networks. supplemented by Alexander Lyamin

The IT infrastructure of the Serbian government failed after a massive DDoS attack

On January 7, 2023, the Serbian government reported massive DDoS attacks targeting the website and IT infrastructure of the country's Ministry of the Interior. Online services have been disrupted. Read more here.

FBI covered 48 domains of DDoS mercenaries

The US Department of Justice confiscated 48 domains and charged six suspects with administering boot services. In addition, the suspects are accused of using IP stressers against other people's networks and servers, which is a violation of the law. This became known on December 15, 2022.

Booters, also known as booter services, are on-demand DDoS attack services offered by enterprising criminals in order to disable websites and networks. In other words, booters are illegal use of IP addresses.

As special agents found out, FBI cybercriminals pay for the services of such services. cryptocurrency

And although almost all booter/stresser sites force the user to accept an agreement that prohibits the use of services for attacks, the owners of such platforms themselves advertise them on hacker forums.

Recently, the US Attorney's Office announced charges against six people for administering boot services. The suspects include one person from Texas, three from Florida, one from New York and another from Hawaii, who allegedly ran platforms RoyalStresser.com, SecurityTeam.io, Astrostress.com, Booter.sx, Ipstressor.com and TrueSecurityServices.io.

And as part of a larger operation against DDoS mercenaries, which received name Operation PowerOFF, FBI and international law enforcement agencies were able to confiscate 48 - Internetdomains used by boot services around the world. In addition, law enforcement officers are working to ensure that all confiscated domains have a message that the use of such services is^[5].

The most powerful DDoS attack in history hit Google

On August 18, 2022, Google reported the largest distributed denial-of-service (DDoS) attack ever recorded by the company. I tried to give one of the company's customers using its cloud services. Read more here.

Found a way to amplify DDoS attacks by 65 times

Analysts at Akamai reported that they are increasingly observing the use of reception in DDoS attacks, which allows them to be amplified 65 times. As a result, attackers, using very limited resources, can launch attacks of catastrophic proportions and disable the target infrastructure for a long time. This became known on March 16, 2022.

The reception was called TCP Middlebox Reflection - reflected attacks using intermediate TCP devices. An intermediate device is a network device that inspects packets or filters content exchanged by other Internet devices. In particular, such devices are used in the deep package inspection (DPI) system.

In August 2021, researchers from several American universities described an attack technology that uses such devices to amplify DDoS. The idea is to use vulnerable firewalls and content filtering policy implementation systems in intermediate devices using specially prepared sequences of TCP packets, to which these devices are forced to give a particularly massive response.

In particular, on a special 33-byte SYN packet, the system can be forced to issue a response of 2156 bytes, that is, the gain is about 65 times.

Akamai indicates that hundreds of thousands of intermediate devices have been identified around the world, defenseless against this method of operation.

This vector surpasses all popular methods of amplifying DDoS attacks, including those considered the most dangerous, such as reflecting UDP packets, etc.

There have already been attacks targeting banking, travel, gaming resources, as well as media and service providers. So far, however, the most powerful attack using this vector has reached an intensity of 11 gigabits per second, which is not so much today.

Those resources for which they turn out to be the most painful are attacked, - said Anastasia Melnikova, director of information security at SEQ. - As for low intensity, I believe it will take a very short time before we see a record-breaking attack using this vector[6].

Internet completely disappeared in Andorra after DDoS attack

At the end of January 2022, a hacker attack during a multi-day tournament on Minecraft SquidCraft Games brought down the servers of the only Internet provider Andorra Telecom of the European principality of Andorra. The provider was subjected to repeated distributed attacks by hackers on the computer system in order to bring it to a denial of service. The Internet throughout the state did not work for about half an hour, the Tom's Hardware edition notes. Read more here.

2021

The number of DDoS attacks per company increased by 3 times in 2021

On October 29, 2021, StormWall announced that the number of DDoS attacks on one company had increased 2021 times in 3.

The nature of DDoS attacks is constantly changing. StormWall experts are monitoring trends in the organization of DDoS attacks and have recently identified a number of trends. Experts found that from January to September 2021, the average number of DDoS attacks per company worldwide increased 3 times. StormWall customer data was used for analysis. In addition, the number of TCP attacks has increased. This is due to the fact that botnets have recently fallen in price, which allow you to launch attacks with a capacity of several hundred gigabits.

In the period from January to September 2021, the share of DDoS attacks on TCP protocols amounted to 45% of the total number of all DDoS attacks, and at the same time in 2020, the share of DDoS attacks over TCP protocol was only 14%. The share of attacks under the UDP protocol from January to September 2021 was 22%, while in 2020 this figure was 34%. A comparison of statistics shows that the proportion of UDP Flood attacks is declining, while TCP Flood attacks are growing rapidly and are becoming more and more popular among hackers. This trend is observed all over the world.

The changes also affected other types of attacks. From January to September 2021, the share of DDoS attacks using the HTTP protocol amounted to 30% of the total number of attacks, although in 2020 the share of this type of attack was 51%. Analysis of statistics shows that hackers have become less interested in attacks on sites at the application level (HTTP). This is due to the fact that at the end of October 2021, packet flood (TCP/UDP) is often more efficient and cheaper than HTTP flood, even if the target of the attack is a website, since there are many offers on the Internet to acquire access to powerful botnets for organizing attacks (over 200 Gbps), operating at the package level, at a low price (from $100 per day).

According to experts, due to the difficult economic situation in the world, hackers will continue to experiment with types of DDoS attacks, and will also try to reduce their costs of organizing cyber incidents. It is possible that cybercriminals will begin to experiment more actively with rarely used types of DDoS attacks that exploit vulnerabilities of specific applications and require less power in order to disable the victim: in the future, the proportion of such attacks may increase significantly.

The largest DDoS attack in history has been registered - it came from 70 thousand sources

In mid-October 2021, Microsoft announced the largest DDoS attack in history. The company claims the attack lasted more than 10 minutes, with brief bursts of traffic peaking at 2.4 Tbit/s, 0.55 Tbit/s and 1.7 Tbit/s. Read more here.

Tet: DDoS attacks now last longer

Tet on March 10, 2021 shared the main challenges in the field of cybersecurity in 2021, and also compared their level of danger with 2020.

The main challenges to cybersecurity in 2021 will be related to viruses in emails, thoughtful phishing campaigns, loosely protected end devices on which people work from home, as well as the growing popularity of e-commerce.

In 2020, Tet (formerly Lattelecom) prevented 2,400 DDoS attacks (Distributed Denial of Service attacks), and also blocked 140,000 malicious emails, which is 50% more than a year earlier.

Looking at the statistics of 2020, we see that the pandemic has also affected cyberspace, as both the number of viruses and attacks have grown. According to Tet, the most popular period for DDoS attacks was the second quarter of 2020, in which a massive transition to work from home began. In the third and fourth quarters, cybercriminals focused on attacks against financial institutions and critical infrastructure of states, says Tet IT Security Manager Uldis Libietis.

According to Tet analysts, DDoS attacks now last even longer - if they previously took tens of minutes, now hackers can attack the company for several hours and then repeat the attack. Due to the growing popularity of e-commerce and digital technologies in general, the trend towards the complication of DDoS attacks will continue in 2021.

It is unrealistic to manage multiple data streams larger than 100 Gbit/s with few breaks over several days for one person or a small circle of people. Such actions are purposefully coordinated. One can only guess who is actually ordering and planning such attacks. One thing is clear for sure - in 2021 they will not disappear anywhere, "Uldis shares.

Another notable trend is compromised software. As of March 2021, IT giants are also suffering from these types of attacks.

IT solutions are often based on software written by third parties and consisting of products from many small developers or open source. Hackers use this to get into large systems using small links in the solution chain. We expect an increase in such incidents in 2021, "says Uldis.

A similar situation has already occurred in 2020 with SolarWinds Orion, when many companies, including Microsoft and VMware, became victims using software from a reliable manufacturer that turned out to be compromised. First of all, this suggests that organizations that are themselves engaged in development will have to introduce new or radically change existing processes to control software components and the development process.

Until now, the problem of infected emails remains relevant. Since August 2020, Tet information security experts have seen a rapid increase in viral activity - the number of malicious files in emails has almost doubled (to 140,000). In recent years, the Emotet virus has earned special attention, the activities of which were stopped at the beginning of 2021 thanks to the coordinated work of several states at once.

An alarming trend is observed with the spread of viruses through.edoc and.asice files, which people open despite warnings. antivirus Tet experts also record increasingly thoughtful phishing campaigns. Translator Google and the like are working better and better, thanks to which strikers abroad can create better and more convincing letters in the advertizing Russian language.

Based on the data of 2020, as well as seeing how the situation with the pandemic and its consequences around the world is developing, as early as March 2021, it is clear that the end user and his devices are in the focus of cyber fraudsters.

Why try to break into an enterprise security perimeter, firewall or a well-protected cloud, if instead you can focus on the weakest protected link - a person? Old software, lack of virus protection, administrator rights, limited or no employee control make workers an easy target. To protect against threats, you will have to improve both the knowledge of workers and implement additional security solutions, adds Uldis.

2020

Rostelecom: amid the pandemic, the number of DDoS attacks on online trading has doubled

Over the 2020 year, the number of DDoS attacks on online stores has increased 2 times compared to 2019. This was announced on February 16, 2021 by the Roste lecom-Solar company. According to experts from the Cybersecurity direction of Rostelecom, the peak of hacker activity fell on the 4th quarter, when almost 40% of all DDoS attacks occurred. This is due to a sharp increase in demand for online shopping services, as the sales season and preparations for the New Year holidays begin during this period.

If successfully implemented, the damage from such attacks could average about 600 thousand rubles. per day for a large online store and 50-100 thousand rubles. per day - for a small one.

Online commerce has been in the focus of the attention of cybercriminals for several years. However, against the background of the introduction of various quarantine measures, the popularity of this industry has increased, which made it an even more attractive target for attackers.

The targets of DDoS attacks on retail remain: a blow to the reputation of the store, causing serious financial harm to the business, as well as extortion, when hackers make a weak indicative attack and demand money to prevent a larger failure. Sometimes a DDoS attack is used as a kind of "noise curtain," distracting the information security service of the victim company from another, more serious incident - for example, theft of confidential customer data.

Against the background of a sharp increase in demand for online services, attackers began to look for fast and cheap methods of organizing DDoS "here and now." At the same time, cybercriminals relied on the duration of attacks in order to "exhaust" the victim and probably disable her resources. The use of simple technologies to organize DDoS as a whole distinguishes 2020. This trend can be traced in the context of attacks not only on online retail, but also on other industries, - said Timur Ibragimov, head of Anti-DDoS services at Rostelecom Solar MSS.

During the reporting period, hackers preferred simple methods of organizing DDoS, but their tools became more diverse. If earlier more than 80% of attacks on online retail fell on UDP-flood, then in 2020 its share decreased to a quarter. The essence of the method is that the victim server receives a huge number of UDP packets that occupy the entire bandwidth. As a result, the server channel is overloaded and cannot process other requests.

SYN-flood, which accounted for less than 10% of attacks a year earlier, caught up with UDP-flood in 2020. In this case, when receiving a connection request, the victim server reserves its resources and waits for the completion of the connection, which never occurs. Such semi-open connections overwhelm the connection queue, forcing the server to deny service to real clients.

In general, the attackers tried to use the entire available arsenal of tools to implement the attack. In addition to SYN- and UDP-flood, TCP Reset Flood, fragmented packet attacks, DNS and NTP-amplification and similar tools were also actively used.

StormWall: during the pandemic, the number of DDoS attacks on online retail increased 4 times

On November 13, 2020, StormWall announced that it had conducted a study of DDoS attacks on the resources of online retail companies. During the study, data from StormWall customers working in different segments of e-commerce was used. Experts found that during the pandemic, in the period from February to October 2020, the number of DDoS attacks on online retail services increased 4 times compared to the same period in 2019. More detailed here.

Hackers blocked the website of the Central Bank of Belarus

On October 26, 2020, the National Bank of Belarus survived a cyber attack in which its website failed. Responsibility for the blocking was assumed by the anonymous hacker group "Cyberpartisans." Read more here.

New Zealand Stock Exchange down 4 days after cyber attacks

At the end of August 2020, the New Zealand Stock Exchange was hit by cyber attacks and did not work for 4 days in a row. Periodic interruptions began on Tuesday August 25, as a result of which trading in securities stopped before the end of the exchange day. Read more here.

Ukraine survived the largest DDoS attack in history. 1/10 of all networks were under attack

At the end of July 2020, it became known about the largest DDoS attack in the history of Ukraine. A tenth of all telecommunications networks in the country were under attack.

According to RBC-Ukraine, citing Deputy Secretary of the National Security and Defense Council of Ukraine (NSDC) Sergei Demedyuk, multiple attacks with bots lasted from 40 minutes to 1.5 hours for several days, reaching a value of about 780 Gbps. Hackers managed to disable 15% of the world's Internet. After the data leak, the real IP addresses of 45 sites with the gov.ua domain and over 6.5 thousand with the ua domain appeared on the darknet, Demedyuk said.

According to Demedyuk, there have not yet been such cyber attacks on Ukraine: hackers did not use the power of infected devices, but a streaming video stream to load the IP address. The purpose of DDoS attacks was to disrupt telecommunications providers, he said.

In addition, as the representative of the National Security and Defense Council emphasized, the attack was carried out not on specific addresses, but in whole ranges, while broken webcams were used.

Their default settings (for example, login: admin, password: admin) were one of the main reasons for gaining unauthorized access to remote control, said Sergei Demedyuk, adding that by the end of July 2020, the NSDC is now working to record all digital traces of this attack and collect data in various parts of the world where such attacks were recorded.

According to the Center for Cybersecurity at the National Commission for Regulation in the Field of Communications and Informatization (NCRI), in the second quarter of 2020, DDoS attacks caused 46% of cyber incidents in the public sector. At the same time, in the non-state sector, this share indicator was 1%.^[7]

Amazon repels largest DDoS attack in history

In mid-June 2020, it became known that in February Amazon, using the AWS Shield service, repelled the largest DDoS attack in history, which reached speed of 2,3 Tbit/s at its peak. Read more here.

2019

Schoolchildren stage massive DDoS attacks

On November 11, 2019, Kaspersky Lab announced the results of a study that showed a 32 percent increase in the number of DDoS attacks in the world in the third quarter compared to the same period in 2018. Approximately the same surge in cyber attacks occurred in comparison with the second quarter of 2019.

According to experts, schoolchildren were responsible for almost half of DDoS attacks in the third quarter. At the same time, Russia was among the leading countries where DDoS attacks on educational resources were discovered.

The most stormy day in this regard for the reporting quarter was July 22. Then 467 DDoS attacks were recorded. The calmest was on August 11 with 65 attacks.

In part, it was the activation of DDoS amateurs in the third quarter of 2019 that led to a tangible decrease in the number of "smart" attacks over these three months - technically more complex and requiring more ingenuity from attackers, the study says.

Kaspersky Lab calculated that for the 2018-2019 academic year, users were attacked more than 350 thousand times through electronic textbooks and abstracts. Experts point out that such viruses pose a greater danger to large companies than to ordinary users, and note an increase in hacker activity in the field of education around the world.

According to forecasts of the Russian antivirus manufacturer, in the fourth quarter of 2019 the number of attacks will probably grow again on the eve of the holidays.

The wave of attacks on resources from the education sector will stop by winter, but they will be completely left alone only by the summer, with the onset of the holidays, experts are sure.

Kaspersky The DDoS Protection Business Development Manager Russia Alexey Kiselev says that DDoS attacks are the second most popular type of attacks on small and medium-sized businesses.^[8]

The number of DDoS attacks in the world jumped 180%

The number of DDoS attacks in the world at the end of 2019 jumped 180% compared to 2018, according to Neustar, a company specializing in information security technologies.

Experts did not specify the number of denial-of-service cyber attacks and only reported that growth was observed in all categories of attacks. The highest dynamics was again recorded among attacks with a capacity of up to 5 Gbps.

The strongest attack in 2019 had a capacity of 587 Gbps, which is 31% higher than the maximum of the previous year. The maximum intensity of a DDoS attack in 2019 was measured at 343 million packets per second, which is 252% more than a year earlier.

However, despite the growing peaks, the average attack size (12 Gbps) and intensity (3 million packets per second) remained unchanged. The longest single attack of 2019 lasted three days, 13 hours and eight minutes.

Experts also noted an increase in the number of so-called smart DDoS attacks, which are carried out by very experienced cybercriminals, and attacks directly aimed at the network infrastructure.

In 2019, approximately 85% of all attacks used at least two threat vectors. This number is comparable to the figure for 2018; however, the number of attacks using two or three vectors increased from 55% to 70%, respectively, the number of simple one-vector attacks and complex four and five-vector attacks decreased.

Neustar also interviewed information security specialists, and 58% of them called DDoS attacks a growing front of cyber threats along with social engineering using email (59%) and ransomware viruses (56%).

Experts warn that due to the growing transition of employees of companies and government agencies to remote work, the number of DDoS attacks may increase.^[9]

Qrator Labs: Top Trends in Network Security and Internet Availability

On February 6, 2020, Qrator Labs presented trends in network security in 2019.

Market growth IoT means malefactors that they can exploit vulnerable devices if they wish, creating a significant bandwidth attacks - as happened in the middle of the year, when protocol WSDD was deployed to cause visible damage. The protocol, Apple ARMS which was used to obtain an amplification factor of about 35.5, was also visible in attacks on the Qrator Labs filtering network.

During 2019, amplifiers (PCAP) were identified, and in practice, a long-known attack vector using TCP amplification (replicated SYN/ACK flood) was recorded.

The technique of an Amplification attack is that a request is sent to a vulnerable server belonging to a third unsuspecting party, which is repeatedly replicated by this server and sent to the victim's website. In this case, LDAP and TCP protocols were used to amplify the attack.

Attacks involving the SYN-ACK amplification vector have become one of the most serious network threats, while until 2019 they remained only a theory. One of the first high-profile attacks using the SYN-ACK amplification technique was organized on an international hosting platform Servers.com. SYN/ACK amplification traffic reached peak values ​ ​ of 208 million packets per second, and the longest period of attack with continuous bombing with "garbage" traffic was 11.5 hours.

It is also quite interesting that the most commonly used reaction method in the past in the form of clearing all UDP traffic that virtually neutralizes a large proportion of attacks using amplification does not help neutralize the SYN-ACK vector at all. Smaller Internet companies have enormous difficulties in neutralizing such threats, as they require more comprehensive measures to combat DDoS attacks.

In 2019, a class of problems was identified related to the use of the BGP protocol to optimize the passage of networks of telecom operators. Many companies want to automatically control the flow of outgoing traffic, this allows them to significantly reduce costs. To this end, various devices are installed that use specific tactics for working with the BGP protocol, which can work only if filters are correctly configured around them to prevent route leakage. Unfortunately, there are few specialists who know how to correctly configure filters, and therefore optimizers constantly "break through" and routes leak in an unknown direction.

So, in January 2020, routes to Google, Facebook, Instagram from a provider from the Donetsk People's Republic, which was engaged in traffic optimization, were suddenly redirected to one of the traffic exchange points in St. Petersburg. Such incidents are dangerous not only by the occurrence of errors in the network, but by malicious interception of traffic (Man-in-the-middle attacks).

Recently, due to the purchase of BGP optimizers, such situations occur regularly. The industry of qualified network engineers actively advocates limiting the use of optimizers, since no one knows how to work with them. However, already in Russia, one can observe how many companies begin to purchase BGP optimizers to reduce traffic costs, which, in the light of the introduction of legislation on traffic exchange points and autonomous systems, can have a very unpleasant cumulative effect.

"Criminals can to monetize botnet- networks in several ways. The most common of them ̶ the implementation of DDoS attack services, mining cryptocurrencies use in targeted attacks ̶ in particular, for matching passwords to servers, or simply renting out a botnet. At the same time, we are witnessing the emergence of truly multifunctional botnets, a vivid example of ̶ Neutrino, which not only exploits vulnerabilities for server hacking and mining, cryptocurrency but also hacks other people's web shells, seizing control over resources already hacked by someone. As of February 2020, Neutrino is one of the three leaders in the number of attacks on honeypots, " Positive Technologies noted Evgeny Gnedin, Head of Information Security Analytics at Positive Technologies

Despite the fact that mobile device manufacturers are trying to support as many versions of modern applications as possible, in 2019 it became noticeable that many of them still stop updating on older devices. To a greater extent, this applies to the popular browser - Chrome. As of February 2020, there are entire fleets of devices that run old versions of the browser, and new ones are becoming unavailable. These older versions of browsers contain vulnerabilities that can lead to the leakage of personal data and financial information.

On the other hand, Chrome continues to be actively updated on many devices, due to which Google presumably conducts A/B testing of the browser on users.

Everyone is used to believing that when the next version of the browser is released, all computers are automatically updated to it. However, this is not entirely true. Google simultaneously releases two minor versions of the Chrome browser (affecting less significant improvements and improvements) and updates some user devices to one, half to the other. Most likely, this is done to test the QUIC protocol, which is supported in Google Chrome. QUIC (Quick UDP Internet Connections) is an experimental Internet protocol developed by Google to replace the old WWW protocol stack. The vulnerability of QUIC is that its ill-conceived implementation in Internet services could weaken their protection against DDoS attacks. The kits popular with cybercriminals for organizing DDoS attacks have built-in UDP support, which can pose a greater threat to QUIC than to traditional TCP-based WWW protocols.

The Chrome testing situation shows how Google is developing next-generation network protocols. In a similar way, it is revealed which version of Chrome has better responsiveness, where various network parameters work better, which of the users opens the page faster. For users, this situation is significant from the point of view that in two separate people, sites can start opening a little differently. It is also an indicator of how quickly Google (or other companies, for example, Telegram) can deploy a new protocol, for example, to bypass locks, on all devices in the world.

"According to our estimates, the total number of DDoS attacks in 2019 has grown by about 1.5 times. This increase in the number of incidents was achieved by the growth of attacks on certain industries: banks, payment systems, crypto exchanges, online retail, dating sites. It can be observed that in the last year there has been a redistribution of certain markets between its individual players. And if big business can withstand attacks, then for medium-sized businesses this is a big problem: small companies often do not have free financial resources to use external protection solutions on an ongoing basis, so they are more often victims of DDoS attacks. " noted Artem Gavrichenkov, CTO of Qrator Labs

According to formal data from Qrator Labs, attacks on the media sector decreased by 7.59%, but the situation is somewhat more complicated than it seems. In late 2019 and early 2020, attacks on the media grew by an order of magnitude. In recent years, most Russian media have begun to use free or inexpensive means of protection against DDoS, in particular, foreign ones. Since budget protection often has an appropriate level of quality (due, in particular, to errors in its implementation), at the end of 2019, the industry saw many successful attacks on media sites. As a result, the attackers realized that most media sites can be easily brought down even by minimal efforts, and recently they have begun to do this simply for the sake of entertainment.

"In 2020, there will be a continuation of the situation with attacks on the media. Already at the beginning of the year, a large number of information feeds appeared, many of which caused a lively response in the minds of people, both positive and negative. Violent bursts in the information space are usually followed by active hacking attempts and DDoS attacks, for which the media industry may not be ready, " noted Artem Gavrichenkov, CTO of Qrator Labs

Data Positive Technologies, a company specializing in software development the provision of services in the field, cyber security shows that from the point of view of the attacked cybercriminals industries, the leadership at the end of the year remained with state institutions, companies industrial and financial industries, as well as medical scientific organizations. In most cases, the facility cyber attacks remained during the year, and computers the network servers equipment of the target companies.

"To protect against mass attacks, just follow the typical recommendations. But this approach does not work with complex targeted attacks by professional hackers. It is necessary to study their techniques and tools, implement specialized protection systems that can detect such tools and techniques: SIEM (Security information and event management), NTA (Network traffic analysis), sandboxes (Sandbox), etc. And of course, it is important to improve the practical skills of information security service employees, because confronting complex threats requires high personnel qualifications. " noted Evgeny Gnedin, Head of Information Security Analytics at Positive Technologies

According to Positive Technologies, attacks on organizations' web resources were among the TOP-3 most popular among cybercriminals, but did not exceed 20% in total. State institutions and, in particular, portals of state and municipal services were most susceptible to them.

"An attack on a web application is one of the most popular attack methods in principle. As part of security testing, our experts regularly confirm the facts of possible penetration into the networks of companies through vulnerable sites. But if an organization uses means to protect, then the likelihood of a successful attack is significantly reduced. There is a chance to react to the threat in time and block the attacker. Unfortunately, government sites contain many vulnerabilities, and the protection of web applications is not given due attention. The focus is on the security of sites of state or regional importance, while many less significant resources are still vulnerable. Criminals know and use this, for example, to steal information, daface, mining, or simply to debug new attack tools before conducting attacks on larger targets. Sites of educational and medical institutions can also be considered the most vulnerable, " noted Evgeny Gnedin, Head of Information Security Analytics at Positive Technologies

China again uses the Great Cannon for DDoS attacks

According to analysts AT&T Cybersecurity, the Chinese authorities have reactivated the Great Cannon, a powerful tool for DDoS attacks that was last used two years ago^[10][11]

"The Great Cannon" was last used in 2017^[12], when^[13] used it for DDoS attacks on Mingjingnews.com, a Chinese news site in New York. Prior to that, the tool was used to organize DDoS attacks on GitHub, as it hosts utilities that help Chinese users bypass the national firewall, and GreatFire.org is a portal dedicated to Internet censorship around the world.

According to a 2015 report compiled by Citizen Lab, the Great Cannon and the Great Chinese Firewall used similar code and were located on the same servers. Thus, the DDoS tool intercepted traffic intended for sites located in China and inserted JavaScript into responses received by users in browsers. This malicious JavaScript was executed in browsers and secretly accessed the victim site, creating gigantic bursts of traffic.

Now AT&T Cybersecurity experts claim the Great Cannon is being used again. This time, the LIHKG.com website has become a target for attacks - an online platform where organizers of protests in Hong Kong share information about the locations of daily demonstrations. The site is also a gathering place for Hong Kong residents, where they publish stories about police abuses and where they upload video evidence.

According to analysts, the first DDoS attacks on LIHKG were detected on August 31, 2019, and the last attack was recorded on November 27, 2019. The researchers write that the August attacks used JavaScript, very similar to code that was previously discovered, during attacks on Mingjingnews.com in 2017.

The number of technically complex DDoS attacks in the second quarter increased by 32%

On August 5, 2019, it became known that the number of technically complex DDoS attacks increased by 32% compared to the same period in 2018 and amounted to almost half (46%) of the total number of these cyber threats.

As reported, an attack lasting 509 hours (21 day) was recorded in the second quarter. This is a record: it was previously 329 hours. In general, the share of long-term attacks has become less than at the beginning of the year.

The number of DDoS attacks aimed at resources located in Russia remained, compared to the second quarter of 2018, at about the same level, down 9%.

Usually attackers who try to "put" sites for entertainment go on vacation until September. But the professionals who are behind technically complex attacks, on the contrary, as our statistics showed, work even more intensively in the summer. Companies should pay attention to this. Many organizations are well protected from large amounts of unwanted traffic, but this is not enough in the case of "smart" attacks that require recognition of illegitimate activity, even if there is not very much of it. Therefore, we recommend that companies make sure that their DDoS protection solutions are ready to reflect this type of cyber threat. told Alexey Kiselev, Business Development Manager of Kaspersky DDoS Protection in Russia

Kaspersky Lab advises taking the following measures to protect against DDoS attacks:

• Ensure that corporate websites and IT resources are able to handle large amounts of traffic
• Use specialized security solutions.^[14]

The palm of the championship in the number of attacks directed against goals in a particular region is still in favor China (63.80%), in second place is the same (USA 17.57%), and in third - (Hong Kong 4.61%).

Fluctuations in the top three are insignificant, but countries from which DDoS activity is not expected again appeared in the ranking: this time they are the Netherlands (4th place with 1.54%) and Taiwan (7th place with 1.15%).

As of August 2019, a dozen leaders in the number of unique targets roughly correspond to a dozen leaders in the number of attacks: China (55.17%), the United States (22.22%) and Hong Kong (4.53%) also took the first three places. In addition to them, Taiwan (1.61%) and Ireland (1%) were included in the top ten according to this criterion.

The most stormy month in this quarter was April 2019, which included the peak of attacks, the quietest - the next May.

Statistically, the most attacks were committed on Monday (17.55%), and the calmest day was Sunday (10.45%).

The largest share of garbage traffic in the quarter was still SYN flood (82.43%), followed by UDP (10.94%). However, HTTP and TCP traffic changed places: the latter was knocked out ahead (3.26%), and the share of the former was only 2.77%.

The shares of Windows and Linux botnets were almost unchanged from last quarter.

In the geographical ranking in terms of the number of botnet command servers, the United States is in the lead (44.14%), the Netherlands is in second place (12.16%), and the United Kingdom is in third (9.46%). Interestingly, Russia left the top ten this quarter.

The indicators of the top three countries in the number of attacks directed against targets in a particular country did not change much this quarter: China is still in first place, although its share decreased by about 4 pp and amounted to 63.80%. In second place is the United States with almost the same share (17.57%), and in third is Hong Kong, whose "contribution" to the total number of cyber attacks (4.61%) has also changed very little.

The trend of past quarters continues: unexpected guests reappear in the top ten. This time, these are the Netherlands, which took fourth place with 1.54%, and Taiwan, which turned out to be 7th with a share of 1.15%. And if the Netherlands was already in the top ten in 2016 or coming close to it, then for Taiwan this is a fairly significant increase in indicators. France and Saudi Arabia left the top ten, and Canada dropped from 4th place to 8th, although in numerical terms its share even increased, amounting to 0.93%. Vietnam finished last in the top ten (0.68%), while the UK climbed one spot in the rankings to sixth (1.20%). Singapore is still fifth, although its share has also grown (to 1.25%).

The distribution of the number of unique targets more or less corresponds to the distribution of the number of attacks. The first four places coincide: China from 55.17% (its share decreased, and also by about 4 pp), the United States from 22.22% (their share increased by about 1 pp), Hong Kong from 4.53% (the share decreased by only 0.2 pp) and the Netherlands from 2.34% (here the changes were significant, because last quarter the Netherlands did not even enter the top ten).

In the area of ​ ​ geographical distribution of botnet command servers, the leadership still remains with the United States (44.14%). In addition to them, the Netherlands (12.16%) and the United Kingdom (9.46%) entered the top three. China was only in fifth place (4.95%), and South Korea's share was 1.80%, making it the penultimate in this ranking. In addition, Greece got into the top ten in this quarter (1.35%), but Romania fell, and - which is especially unexpected - Russia.^[15]

Hacker given 2 years in prison for DDoS attacks on Sony

In early July 2019, a 23-year-old hacker from Utah Austin Thompson was sentenced to 27 months in prison and paid a fine of $95 thousand for a series DDoS of attacks on gaming servers Sony and other companies. More. here

Having defeated the custom DDoS service, the authorities decided to punish its customers

Europol and other law enforcement organizations have begun active searches for users of custom DDoS attack services. This was a continuation of the international operation Power Off, as a result of which in April 2018, detectives neutralized the largest DDoS service Webstresser.org and arrested its owners^[16].

As a result of the operation, information about clients fell into the hands of law enforcement officers Webstersser.org. At the time of its neutralization, the service had 136 thousand registered customers, and in total law enforcement agencies received data for 151 thousand users of the DDoS service.

Attacks were ordered on a variety of objects, from gaming servers to banks and government agencies.

Europol announced Great Britain that police were now conducting a large-scale operation to find Webstresser customers. Investigators have already visited several suspects and seized at least 60 personal devices for analysis. Charges are being prepared against 250 people - users of both Webstresser and other similar services.

2018

Drop in the average duration of DDoS attacks to 2.5 hours amid an increase in their intensity

February 12, 2019, specializing Qrator Labs in countering - and DDoSto the attacks ensuring the availability Internet of - resources, presented a report on the state of the network safety in 2018-2019.

Key observations from 2018:

• The average duration of DDoS attacks fell to 2.5 hours;
• 2018 showed the presence of computational power capable of generating attacks with an intensity of hundreds of gigabits per second within one country or region;
• The intensity of DDoS attacks continues to grow along with the simultaneous increase in the proportion of attacks HTTPS using (); SSL
• Most modern traffic is generated on mobile devices, representing a task for DDoS organizers and the next challenge for network security companies;
• The BGP protocol became an attack vector, 2 years later than expected;
• DNS manipulation is still the most destructive vector of attack;
• Amplifiers such as memcached and CoAP are expected to appear;
• All industries are equally vulnerable to cyber attacks of any kind.

2018 began with record-breaking memcached amplification attacks, marking the beginning of another era of DDoS attacks. 2018 demonstrated that, in addition to manipulating BGP, terabit DDoS attacks can disable mid-range Internet providers, if not the largest.

High-intensity DDoS attacks concentrated in one region pose a serious threat. Similar attacks with an intensity of 500 Gbps, generated 100% within one region, were already recorded in 2018. Such events will increasingly occur in many countries and regions whose networks have become fast and efficient. Europe, Russia, China, America, India - all these huge territories already have sustainable networks, ready to be aimed at disabling regional goals.

The number of encrypted attacks has grown significantly. In previous years, such attacks were rare, and attackers used primarily the old HTTP vector. Bots capable of using ciphers are the primary danger, as they have wide learning abilities.

BGP is becoming more and more popular among attackers who are increasingly using it to intercept traffic and redirect users to fake phishing pages. At the same time, encryption will not protect users from deception, since attackers have learned to sign SSL certificates, and therefore such pages do not arouse suspicion among an ordinary visitor due to the lack of a clear difference between a real, legitimate web page and a fake one.

DNS manipulation, such as cache poisoning (damaging the integrity of data in the DNS system by filling the DNS server cache with data that does not come from an authoritative DNS source), very often accompany interception attempts using BGP. In 2018, Qrator Labs witnessed the theft of a variety of cryptocurrencies organized using a combination of these two protocols.

DNS amplification was and remains one of the most well-known vectors of link-layer DDoS attacks. In the event of an attack with an intensity of hundreds of gigabits per second, there is a considerable probability of overloading the connection to the higher-end provider.

Botnets developed significantly in 2018, and their owners came up with another lesson - clickfrod. With the improvement of machine learning technologies and getting headless browsers in the hands (working without network headers), clickfrod has become much easier and cheaper in just two years.

Machine learning has already reached the mass market and has become quite affordable. In this regard, the emergence of the first, based on ML algorithms, DDoS attacks is expected in the near future, especially given the declining cost of management and the increasing accuracy of analytics of such networks.

Boats

Identification becomes an extremely serious problem and task on the modern Internet, since the most advanced bots do not even try to portray a person - they control him and are in the same space as him. The problems of botscanners and many other subspecies lie in a very important economic component. If 30% of traffic is illegitimate and comes from unwanted sources, then 30% of the cost of supporting such traffic is useless.

Parsers and scanners, part of a broad bot problem, only reached the horizon in 2018. During the parsing epidemic, which Qrator Labs observed in Russia and the CIS throughout the second half of 2018, it became obvious that the bots had advanced far in encryption issues. One request per minute is quite normal intensity for a bot, which is very difficult to notice without analyzing requests and outgoing response traffic.

Reducing an attacker's encouragement is the only way to counter. Trying to stop bots will bring nothing but time and money spent. If anything clicks on what makes a profit, you need to cancel these clicks; when parsing, you can turn on a layer of'fake' information through which an ordinary user can easily go in search of correct and reliable information.

Internet of Things

IoT as an industry has not made significant progress toward improving its overall security for 2018. Researchers have discovered a class of industrial equipment that connects massively to networks and has significant vulnerabilities. Recent discoveries regarding the CoAP protocol indicate that there can be a lot of such unclosed operating points.

IoT amplifiers are an obvious further development of the idea of ​ ​ vulnerable services. Moreover, home connected devices are only the statistical tip of this iceberg. There are other groups of'connected devices' that communicate using protocols that are chosen unpredictably and do not provide sufficient protection for devices.

Open vulnerabilities in the industrial Internet of Things will continue to be exploited, provided that the current approach to development is unchanged.

For a long time now, we have been living in a world of multifactor attacks that exploit the attacking capabilities of several protocols at once to get the target out of working order.

DDoS attacks have long been a major problem for only a limited number of business industries, such as e-commerce, trading and exchange, banking and payment systems. But with the continuing development of the Internet, DDoS attacks of increased intensity and frequency are observed in absolutely all parts of the Internet. The era of DDoS began with a certain threshold for the bandwidth of home routers and, unsurprisingly, with the advent of a microchip in every physical thing around the attack landscape began to change rapidly. 2018 was a year of opportunity for the "dark side." Qrator Labs saw an increase in attacks with their simultaneous complication and increase in both volume in network terms and frequency.

Qrator Labs Key Trends in Internet Security

Qrator Labs, specializing in countering DDoS attacks and ensuring the availability of Internet resources, in March 2018 published an overview of the main trends in 2017 in the field of Internet security in Russia and in the world. The report describes top trends and challenges in web resource availability and security associated with threats of DDoS attacks and hacks.

In 2017, an increasing diversification of threats was recorded due to an increasing number of possible attack vectors. The range of critical vulnerabilities in today's global network is so wide that attackers can choose different ways to create problems for almost any organization.

If 2016 could be called the year of botnets and terabit attacks, then 2017 was the year of networks and routing. Incidents such as the Google-induced leak of Japan's network routes, the interception of foreign Level3 traffic in the United States and Rostelecom in Russia, as well as many others, demonstrate persistent and high risks associated with the human factor, based on insufficient automation of processes.

Internet of Things

The main difference between 2016 and 2017 is that attackers switched their own attention from hacking individual devices to attacks on clouds and IoT platforms. The Internet of Things gives attackers access to thousands of fully functional devices at the same time, often such penetrations go unnoticed. Cost-effectiveness is the reason why we expect an increase in the frequency of such attacks on entire clouds and platforms in 2018, said Alexander Lyamin, CEO and founder of Qrator Labs.

Many IoT devices are still hacked using trivial methods, such as vulnerabilities in the web interface. Almost all such vulnerabilities are critical, and the manufacturer has extremely limited ability to quickly create a patch and deliver it as an update.

Hacks of IoT devices have increased since the Mirai toolkit became the base framework for creating a botnet in 2017. Experts predict the appearance of even larger devices in number and scale, and, of course, much more dangerous botnets in terms of capabilities. Qrator Labs expects the active appearance of even larger botnets than Mirai, capable of flood attacks even without the use of amplification protocols.

Infrastructure heritage

In 2017, routing incidents became as notorious as botnets in 2016. It is known that such incidents can be no less large-scale and dangerous than attacks by a record botnet, leaving almost an entire country without access to popular resources.

According to Qrator Labs experts, in the case of BGP (Border Gateway Protocol), it is necessary to be extremely careful, since the potential damage can be colossal. Since BGP controls the transfer of all traffic from one AS (autonomous system) to another, this is not only about increased delays in accessing resources for users, but, more importantly, about the likelihood of a MiTM attack on encrypted traffic. Such incidents can affect millions of users in different countries.

Vulnerabilities and Intranet

2017 was a real year of hacking. From epidemics encoders to the discoveries of the Vault7 and Shadow Brokers archives, in addition to notable to leaks ones due to human errors, where Uber Equifax they represent the two most high-profile examples.

2017 demonstrated how diverse types of equipment can be vulnerable to different types of cyber attacks. In the future, even more incidents related to outdated software and hardware will be recorded, according to Qrator Labs.

Attacks smartphones using can be carried out both on the basis of infection, malicious applications even if they are installed from official stores, and with the help of vulnerabilities like BlueBorne. Browser extensions and plugins, network devices (which have already suffered enough over the past three years), any equipment at the junctions of providers - everything can be repeatedly tested for resistance to attacks and, probably, ultimately, will not stand.

Cryptomania

The ICO market was a revelation to hackers in 2017. The trend of attack at the most stressful moment for the organization (fundraising, advertising campaigns) persists, and with the growing number of cryptocurrency projects, hacking attacks are combined with DDoS. If the cryptocurrency token issuing market continues to grow, this trend will only intensify, according to Qrator Labs.

ICOs are of particular interest to all market parties. Huge amounts of funds are already involved in this market, and the technical side of the implementation of many projects is frankly weak. They are constantly hacked. Mining pools are attacked in the last seconds of signing each block in order to receive a reward for signing the block with a competing pool. Cloud cryptocurrency wallets are constantly under attack - during 2017 there were major hacks of such services with the loss of all cryptocurrencies by their creators.

About the study

The review was prepared by Qrator Labs specialists with information support from Valarm based on monitoring the situation in the industry, as well as on the basis of statistics collected on customers of companies in 2017.

On the darknet, you can order a DDoS attack for $10 per hour

Security researchers at Armor published^[17] in March 2018 a report on underground markets on the dark web. Experts have studied the prices for the most popular types of hacker goods and services^[18]

According to the report, DDoS-atak can be ordered for only $10 per hour, $200 per day or for $500 - $1 thousand per week. The researchers also found bank botnets on sale (rent costs $750 per month), exploit kits ($1,400 per month), exploits for vulnerabilities WordPress in ($100), (skimmers $1,500) and hacker training programs ($50).

The most common product on the darknet remains bank card data. The price varies by country of origin.

Various credit card information, often obtained using malware for PoS terminals or on the Internet, is cheaper, but the complete data required to create copies of cards will cost two or three times more.

Scammers can also buy access to hacked bank accounts. Account prices vary depending on the amount of money held on them. Attackers use banking Trojans to gain access to accounts, and fraudsters, in turn, buy access, purchase various goods using cards, and then resell them, making a profit.

In addition, fake documents can be found on the darknet. In particular, we are talking about various identity cards, passports, driver's licenses, US greencards, prescription drugs, bank statements, etc. Passports, IDs and driver's licenses are usually the most expensive, with the most valuable being those of citizens from North American countries.

Shadow Web markets and forums also offer many hacked accounts. Access to a hacked social media account costs about $13 on average. Hackers can offer access to accounts on Facebook, Twitter, Instagram, Hulu, Netflix, Spotify, Amazon, Skype, etc.

American provider subjected to the most powerful DDoS attack in history

Arbor Networks discovered the largest DDoS attack on one of the American providers, the traffic of which reached 1.7 terabits per second. It used a mechanism opened at the end of February and used in the previous strongest DDoS attack, which occurred on February 28, Ars Technica reported in March 2018. Experts fear that the detected mechanism will often be used for such powerful attacks in the near future^[19].

During a DDoS attack, attackers direct so many requests from many computers to the victim's servers that the servers stop coping and become inaccessible to users. In addition, their danger lies in the fact that the server may behave abnormally and, for example, give part of the data to attackers.

There are many methods of DDoS attack, including attacks in which an attacker accesses public servers and replaces his address with the victim's address. As a result, these servers send response packets no longer to the attacker, but to the victim. This type of attack can be used in conjunction with amplification - this means that for each request sent, the server sends a larger packet to the victim. Depending on the method, the gain can reach tens or even hundreds of times.

At the end of February, several Internet companies discovered a new, even more powerful version of this mechanism. This time, attackers began to use unprotected Memcached servers used to cache and speed up the download of some data. The main difference was in the gain factor - in some cases it has already reached more than fifty thousand times. For example, the researchers reproduced the attack and were able to achieve a 750-kilobyte response to a 15-byte request. It is worth noting that this method of attack was described by Chinese researchers back in 2017.

First "real" DDoS IPv6 attack recorded

The Neustar DNS network was the victim of the first recorded "real" IPv6 DDoS attack. Sources of "dictionary attack" are about 1.9 thousand IPv6 nodes belonging to more than 650 networks. This was reported in March 2018 by SC Magazine UK^[20].

According to representatives of Neustar, this attack is notable for the fact that attackers use new methods instead of copying existing ones, but using IPv4. IPv6 attacks can cause serious harm, for example, exceed the memory capacity of modern security tools due to the large number of addresses available to hackers.

In total, IPv6 contains more than 7.9×1028 times more addresses than IPv4, which uses 32-bit addresses and allows you to organize about 4.3 billion addresses. Thus, the number of potential attacks also grows significantly. At the same time, many networks that support IPv6 do not support tools to counter hackers.

As experts noted, this year there is a significant increase in the number of IPv4 attacks - it has doubled compared to the same period in 2017.

2017

Qrator Labs: Rating the sustainability of national segments of the Internet

In early July, Qrator Labs, based on the results of a study of national segments of 244 countries, compiled a rating of states in ascending order of the indicator reflecting the dependence of the availability of national Internet segments on failures in the work of the most significant telecom operators.

The sustainability rating of national segments of the Internet was first presented by Qrator Labs in 2016. To calculate the indicator for each country under study, a map was compiled based on Maxmind service data, on which all telecom operators were distributed across national Internet segments. This year, an additional rationing procedure was carried out - not so much the fact of the operator's presence in a particular region as the importance of this presence in a given national segment was assessed.

At the next stage, using the Qrator.Radar project operator relationship model, a calculation was made for each operator of the degree of influence of the failure of its operation on a specific national segment (what percentage of national operators, or autonomous systems, will become unavailable on the global network in the event of a failure of this operator).

Further, operators were selected to form a rating, the failure of which could lead to the loss of global availability of the largest percentage of operators in a given national segment. These operators are listed in the third column of the table below.

Top 15 countries for the sustainability of national segments of the Internet

Place in the ranking	Country	Telecom Operator (Autonomous System Number)	Maximum share of national segment networks losing global availability in case of single carrier failure,%
1	Germany (DE)	Versatel (8881)	2.29696
2	Hong Kong (HK)	Level 3 Communications (3356)	2.65659
3	Switzerland (CH)	Swisscom (3303)	3.57245
4	Canada (CA)	Bell Backbone (577)	3.67367
5	France (FR)	Cogent (174)	3.68254
6	UK (GB)	Cogent (174)	3.76297
7	Belgium (BE)	Telenet (6848)	3.93768
8	Ukraine (UA)	UARNet (3255)	3.95098
9	US (US)	Cogent (174)	3.97103
10	Bangladesh (BD)	Fiber @ Home (58587)	5.29293
11	Romania (RO)	RTD (9050)	5.35451
12	Brazil (BR) - novice	Telefonica (12956)	5.39138
13	Russia (RU)	Rostelecom (12389)	5.73432
14	Ireland (IE)	Cogent (174)	5.87254
15	Czech Republic (CZ)	SuperNetwork (39392)	5.88389

"This

year's results show that trends remain flat, with countries at the top of the table, as in 2016, where the telecoms market is mature and highly diversified. There are a large number of telecom operators in these countries, so a malfunction of even a large provider will affect only a small number of other networks, "commented Alexander Lyamin, CEO of Qrator Labs, on the results of the study

.

In 2017, the company noted another trend - the importance of regional operators from the category of Tier-2 is growing. In some countries, they began to play the role of key ones, displacing Tier-1 market leaders.

"For example, in Germany, the largest telecom operator is Deutsche Telekom, but another company, Versatel, has a more significant impact on the global connectivity of the national segment. This suggests that the market continues to develop and diversify, "Qrator Labs emphasized

.

Kaspersky Lab: Overview of the market and cost of DDoS services

Kaspersky Lab (Kaspersky) published in March 2017 an overview of the DDoS services market, their prices and offered services. The publication especially notes that such resources look like sites of quite legitimate IT companies, with all the sections and functions that one could expect from them, without excluding the "personal accounts"^[21].

The Kaspersky DDoS Intelligence system in the first three months of 2017 recorded attacks on targets located in 72 countries of the world.

Distribution of unique DDoS attack targets by country:

The first place in the number of botnet management servers remains with South Korea, and the United States entered the second. For the first time since April 2015, the Netherlands ousted China from the top three, which dropped to seventh position. Russia remained in fourth place. In addition, Japan, Ukraine and Bulgaria came out of the dozens of countries with the largest number of command servers. Hong Kong, Romania and Germany appeared instead.

The distribution by operating systems this quarter has also changed. Pushing botnets from devices Internet of Things to, Linux Windows bots came to the fore: their share increased from 25% last quarter to 60% in January-March 2017.

During the reporting period, not a single amplified attack was registered, but there was an increase in the number of attacks using encryption. This is in line with last year's forecasts of Kaspersky Lab: complex DDoS attacks are gaining popularity, which are not easy to detect with standard security tools.

In general, the beginning of the year was quite quiet - the largest number of attacks (994) was observed on February 18, and the record for the duration of the attack was only 120 hours. This is significantly less than in the fourth quarter of 2016: then the longest attack lasted 292 hours.

"These web services are fully functional web applications that allow registered customers to... plan a budget for DDoS attacks. Some operators even offer bonus points for each attack carried out using their service. In other words, cybercriminals have their own loyalty and customer service programs, "the publication of the antivirus company

says.

Owners of such services offer to organize attacks on any resources, while maintaining complete anonymity of customers and free testing of the attack for 15 minutes.

DDoS attacks have fallen sharply in recent years: the Internet is replete with botnets used to carry out attacks and to spread malware and spam.

On average, according to Kaspersky Lab estimates, they ask a client for about $25 per hour, despite the fact that the real cost of the attack, according to experts, is much lower.

In their calculations, the authors of the publication on SecureList proceed from the approximate spending of cybercriminals on infrastructure. As an example, prices for using the Amazon EC2 cloud are given.

The price for a virtual dedicated server with a minimum configuration (and for a DDoS attack, the width of the communication channel is more important than the configuration of the workstation) is about $0.0065 per hour. Accordingly, 50 virtual servers for organizing a low-power DDoS attack on an online store will cost cybercriminals $0.325 per hour. Given the additional costs (for example, SIM cards for registering an account and linking a credit card to it), an hour-long DDoS attack using a cloud service will cost criminals $4.

Accordingly, the real cost of a botnet attack of 1,000 workstations costs about $7 per hour. This means that the organizers of DDoS attacks make a profit of about $18 for each hour of attack.

In fact, the cost of a DDoS attack varies quite noticeably, depending on a number of factors. Attacks on state resources will most likely cost more than on online stores, and besides, not all botnet operators will agree to carry out such attacks: such resources are under the constant supervision of law enforcement agencies, and cybercriminals do not really want to "shine" their botnets.

If the attacked resource is protected by a specialized service that filters garbage traffic, the cost is likely to increase many times over. On one of the services, an attack on a regular site is offered at a price of $50-100, however, if there is protection against DDoS, the price immediately rises to $400. Some services even offer domain blocking at the registrar level, but this is the most expensive service - it will cost the client from $1,000 or more.

An important factor is also the composition of the botnet. Creating and supporting a botnet of 1,000 personal computers (and even more than 100 servers) is significantly more expensive than supporting a malicious network consisting of 1,000 video cameras with vulnerable firmware.

Finally, pricing is influenced by an attack scenario (for example, a client may ask to switch from SYN flood to UDP flood from time to time or use several attack options at the same time), and the customer's geographical location. For organizing an attack from a resident of the United States, for example, they will be asked more than from a resident of Russia.

Interestingly, some attack services even publish the total number of their customers, and there may be tens of thousands of them. Cybercriminals advertise their services bluntly. "We bring to your attention services to eliminate sites and servers of competitors using a DDoS attack," reads an entry on the main page of one such resource.

There are those who want to pay for this form of pressure, and they are clearly ready to lay out round amounts for DDoS attacks: in 2016, the longest DDoS attack lasted 292 hours - about 12 days.

For their part, attackers sometimes do not hesitate to simultaneously offer protection services against DDoS attacks, as well as demand money for imperfection or termination of an attack that has already begun.

2016

Kaspersky Lab data

According to Kaspersky Lab, in 2016, DDoS every fourth bank (26%) recorded attacks. For financial institutions as a whole, this figure was 22%. According to the study, the average damage from a DDoS attack for banks was 1,172,000, dollars while for enterprises in other areas it was $952,000.

At the same time, 52% of victims faced inaccessibility or deterioration in the quality of public web services for a long time - from several hours to several days. And in at least 43% of cases, a DDoS attack was used as a disguise in other malicious operations. The target of such attacks is most often the websites of banks - they were affected in half of the recorded cases (49%). However, this is not the only vulnerable place. Almost the same number of respondents (48%) were subjected to DDoS attacks on their Internet banking and online services.

According to Kaspersky Lab, in the third quarter of 2016, web resources in 67 countries of the world suffered from DDoS attacks. The vast majority of them (97%) fell on only three countries: China, the United States and South Korea. At the same time, China "got" the most - 63% of DDoS attacks were aimed at the resources of this particular state. Against the background of the three leaders, the number of attacks recorded in Russia looks unconvincing, but compared to the previous quarter, it has noticeably increased - from 0.8% to 1.1%.

Meanwhile, China is breaking records in other quarterly indicators. Thus, the longest attack in the reporting period lasted 184 hours (7.6 days) and was aimed at the Chinese provider. And the popular Chinese search engine became the record holder for the number of DDoS attacks on the same target - in the third quarter, the resource was attacked 19 times.

In general, Kaspersky Lab experts have noticed an increase in the number of smart attacks that use secure https connections and thus avoid recognition by security systems. Most often, with such DDoS attacks, attackers create relatively small streams of requests to the "heavy" part of websites - for example, to search forms - and send them using https protocols protected by encryption. DDoS attack detection and prevention systems, in turn, are often unable to decrypt traffic on the fly and pass all requests to the web resource server. Thus, the requests of the attackers go unnoticed, and the DDoS attack becomes successful even at low intensity, the company explained.

Another trend is the increase in the share of attacks from Linux botnets - in the third quarter it grew by 8 percentage points and reached 79% by October. This is partly correlated with the growing popularity of the already most common SYN-DDoS method, for which Linux-botnets are the most suitable tool. However, many devices Internet of things work on Linux today, for example, routers that are increasingly seen in the compositions of various botnets. That is why the publication of the source code of the Mirai botnet, which contains a built-in scanner that locates vulnerable IoT devices and includes them in the botnet, attracted special attention of experts.

The likelihood that a company that once fell victim to a DDoS attack will be subjected to it again is very high. This is confirmed by 77% of Russian organizations that have repeatedly experienced this threat during the year, with more than a third (37%) of companies attacked four or more times. These statistics confirm the fact that protective tools against DDoS attacks must be included in the company's security system, and an important criterion for their effectiveness is the ability to ensure the continuity of corporate online services directly during the attack, the company emphasized.

As for the duration of DDoS attacks, in 40% of cases they last no more than an hour, and in 13% - up to several weeks. Most often, the victims of this type of threats in Russia are companies that actively use various web services for their main activities - e-commerce enterprises, financial institutions, government agencies, and the media. Also, high-tech organizations, such as telecommunications and information security companies, often face DDoS attacks.

The reputation of companies is negatively affected not only by the fact of the attack, but also by the fact that they often learn about it from external sources: in 21% of cases - from customers, and in 29% of cases - from a contractor who analyzes the security of the organization's IT infrastructure. According to Kaspersky Lab experts, this is not surprising, because most often cybercriminals attack external resources: client portals (40%), communication services (36%) and sites (52%).

Qrator Labs Data

Dynamics of DDoS attacks in 2015 - 2016

The boom in startups and the subsequent growth in the number of connected devices is a new field of rich opportunities where you can create more than one even larger and more dangerous botnet. In 2016, terabit per second, which was considered unattainable, suddenly appeared.

At the same time, the level of necessary experience and knowledge for organizing DDoS attacks has noticeably dropped. Today, to carry out a successful attack even on large sites and applications, video instructions on YouTube or a little cryptocurrency are enough to pay for services such as a booter service. Therefore, in 2017, the most dangerous person in the field of cybersecurity may be, for example, an ordinary teenager with a couple of bitcoins in his wallet.

Amplification

To increase the power of attacks, attackers amplify attacks. The attacker increases the amount of garbage traffic sent by exploiting vulnerabilities in third-party services, and also masks the addresses of a real botnet. A typical example of an amplification attack is DNS response traffic to the victim's IP address.

Another vector is Wordpress, a ubiquitous and functional blog engine. Among other features in this CMS is the Pingback feature, with which offline blogs exchange information about comments and mentions. A vulnerability in Pingback allows a special XML request to force a vulnerable server to request any web page from the Internet. The malicious traffic received is called Wordpress Pingback DDoS.

An attack on HTTPS is no more difficult than on HTTP: you just need to specify a different protocol. Neutralization will require a channel with a width of 20 Gbps, the ability to process application layer traffic at full connection bandwidth and decrypt all TLS connections in real time - significant technical requirements that not everyone can fulfill. A huge number of vulnerable servers on Wordpress are added to this combination of factors - hundreds of thousands can be used in one attack. Each server has a good connection and performance, and participation in the attack is invisible to ordinary users.

BGP and Route Leaks

The founding fathers of the Internet could hardly have foreseen that it would grow to its current volumes. The network they were building was built on trust. That trust has been lost during periods of booming internet growth. BGP was created when the total number of autonomous systems (ASs) was counted as dozens. Now there are more than 50 thousand of them.

The BGP routing protocol appeared in the late eighties as a kind of sketch on a napkin of three engineers. Unsurprisingly, he answers questions from a bygone era. Its logic is that packages should go on the best channel available. The financial relations of organizations and the policy of huge structures were not in it.

But in the real world, money comes first. Money sends traffic from Russia somewhere to Europe, and then returns back to their homeland - so cheaper than using the channel within the country. The policy does not allow two quarreled providers to exchange traffic directly, it is easier for them to negotiate with a third party.

Another protocol problem is the lack of built-in mechanisms for verifying routing data. From here take the roots of the BGP hijacking vulnerability, route leaks and reserved AS numbers. Not all anomalies are malicious in nature, often technicians do not fully understand the principles of the protocol. "Driver's license" for driving BGP is not given, there are no fines, but there is a large space for destruction.

A typical example of route leaks: the provider uses a list of customer prefixes as the only mechanism for filtering outbound announcements. Regardless of the source of the announcements, client prefixes will always be announced in all available directions. As long as there are announcements directly, this problem remains difficult to detect. At one point, the provider's network degrades, customers try to divert announcements and disable a BGP session with a problematic provider. But the operator continues to announce client prefixes in all directions, thereby creating route leaks and pulling a significant part of client traffic onto its problematic network. Of course, this is how you can organize Man in the Middle attacks, which some use.

To combat leaks in anycast networks, we have developed a number of amendments and submitted them to the Internet Engineering Council (IETF). Initially, we wanted to understand when our prefixes fall into such anomalies, and through whose fault. Since the cause of most leaks was incorrect configuration, we realized that the only way to solve the problem is to eliminate the conditions in which engineer errors can affect other carriers.

The IETF develops voluntary Internet standards and helps distribute them. The IETF is not a legal entity but a community. This method of organization has many advantages: the IETF does not depend on legal issues and the requirements of any country, it cannot be sued, hacked or attacked. But the IETF does not pay salaries, all participation is voluntary. All activity hardly comes to priority higher than "non-profitable." Therefore, the development of new standards is slow.

Anyone can discuss or propose drafts of standards - there are no membership requirements in the IETF. The working group is going on the main process. When agreement is reached on a common topic, discussions and revision of the draft begin with the authors of the proposal. The result goes to the director of the region, the purpose of which is to recheck the document. Then the document is sent to IANA, since all protocol changes are managed by this particular organization.

If our draft with the new BGP extension passes all circles of hell, then the flow of route leaks will run out. Malicious leaks will not go anywhere, but there is only one option to solve this problem - constant monitoring.

Forecast

According to statistics obtained by Wallarm (Valarm) Onsec from the honeypot company, an average of 2016 hours pass between a public exploit and its mass exploitation in 3. In 2013, this period was a week. Attackers are becoming more and more prepared and professional. The acceleration will continue, we expect to reduce this time period to 2 hours in the near future. Again, only proactive monitoring can prevent this threat and insure against monstrous consequences.

Hacking and network scanning have already reached an unprecedented scale. More and more attackers this year will acquire pre-scanned ranges of IP addresses segmented by the technologies and products used - for example, "all Wordpress servers." The number of attacks on new technological stacks will increase: microcontainers, private and public clouds (AWS, Azure, OpenStack).

In the next one or two years, we expect to see a nuclear type of attack on providers and other infrastructure when connected autonomous systems or entire regions are affected. The last few years of sword-shield battles have led to more advanced methods of neutralization. But the industry often forgot about legacy, and technical debt brought attacks to unprecedented simplicity. Starting from this moment, only knowledge-built geo-distributed cloud systems will be able to withstand record attacks.

Qrator Labs: Sustainability of the World's National Internet Segments

On June 7, 2016, Qrator Labs announced the results of a study of the impact of possible failures in the operation of networks of telecom operators on the global availability of national segments of the Internet.

The study was conducted in national segments of 236 countries - all where the Internet operates. The result of the study was a rating of countries in ascending order of the indicator, reflecting the degree of dependence on ^[22] national Internet segments from failures in the work of individual operators.

The calculation of this indicator for each study country is made according to the following method:

• The first stage based on Maxmind data is a map of network prefixes of operators, on which the announced prefixes are distributed across national segments of the Internet.
• at the second stage, using the Qrator.Radar global Internet operation modeling system, for each operator, the degree of influence of its operation failure on a specific national segment was calculated: the number of prefixes of the national segment losing global availability on the Internet was determined .

Operators were selected to form a rating, the failure of which could lead to the loss of global availability of the largest percentage of prefixes of a given national segment. These operators are listed in the second column of the tables below.

The global availability of the national segment of the Internet is influenced by the state of the country's market. The higher the maturity of the market and the degree of its diversification (in particular, the more medium-sized operators have access to cross-border transition), the more stable the operation of the entire national segment. Alexander Lyamin, CEO of Qrator Labs

In half of America, the Internet lay down after a DDoS attack on Dyn's DNS servers

September 21, 2016 Internet users in the United States faced a problem - dozens of demanded resources were unavailable, or worked with errors. These included the social network Twitter, the payment system PayPal, the news site Reddit, the music service Spotify and other^[24][25].

Access issues affected residents of the densely populated East Coast of the United States, home to up to half of the country's population, part of the Pacific coast and part of the United Kingdom.

As it turned out, the cause of the problems was a large-scale DDoS attack on DNS a servers company Dyn that is a domain name provider. The problem affected almost the entire East Coast of the United States.

DNS servers are responsible for communication between the domain name (for example, ya.ru) and the IP address (213.180.204.3, respectively). If the DNS server cannot respond to the user, the browser does not know where to get the information from. Therefore, these servers can be attributed to the key infrastructure of the Internet - especially when it comes to a large service provider used by services with millions^[26] users^[27].

In a DDoS attack, the server is loaded with "garbage" traffic, as a result of which access is limited for ordinary users. In the case of the Dyn provider, Internet of Things devices - cameras, routers, and so on - were used to attack.

Part of the responsibility lies with the manufacturers of the equipment. They do nothing to ensure that users change standard passwords on cameras, routers, printers and other devices. Because of this, it is very easy to access them. As a result, the attacks come from Xerox and Panasonic printers, as well as cameras with routers from lesser-known companies.

Company actions

At 11:10 a.m. UTC (2:10 To Moscow p.m.), Dyn said on its website that its employees had begun fighting the attack. The company warned that users may experience inconvenience associated with delays in DNS queries and zonal distribution. At 1:20 pm universal time, Dyn announced that DNS servers have been fully restored

What resources were not available

During the attack, users lost access to such demanded resources as the web service for hosting IT projects GitHub, the Yelp service search site, the Urban Dictionary of slang, Pinterest photo hosting, Imgur photo sharing service, Weebly website creation service, Playstation Network content download service and others.

US Federal Trade Commission sues D-Link

The Federal Trade Commission (FTC) has filed^[28] lawsuit] against Taiwanese company D-Link for failing to secure its products, leaving them vulnerable to hacker attacks. According to the statement of claim, D-Link did not implement the necessary protection mechanisms in the company's routers and video cameras connected to the Internet, thereby "endangering the safety of thousands of consumers,"^[29].

The reason for filing the lawsuit was the use by cybercriminals of unprotected Internet of Things (IoT) devices to create botnets used to carry out large-scale DDoS attacks. These include the Mirai botnet, which consists of routers, webcams and DVRs with unreliable factory passwords. With the help of this botnet, the most powerful DDoS attacks in history were carried out last year. In addition, Mirai was used to shut down the Internet on the east coast of the United States.

The Mirai botnet itself consisted of Internet-connected devices with a password password password by default and fairly simple vulnerabilities. We believe that this is only the first-born in the entire generation of Internet of Things-based botnets. Even solving the problem of Mirai alone will not help. At first, attackers simply sorted out passwords, now they are looking for vulnerabilities and backdoors, it comes to studying the code of the device's fresh firmware for possible "holes" with their subsequent exploitation for a few hours.

2014

Qrator Labs Data

On March 12, 2015, the results of a cyber threat study became known. ^[30] in 2014 by companies Qrator Labs Wallarm Onsec^[31]

According to Qrator Labs, presented in March 2015, 2014 was the peak year in terms of the number of high-speed DDoS attacks. The average number of DDoS attacks per day has also increased: from 18 to 28. Qrator Labs analysts believe that in 2014 there was a phenomenal increase in the number of attacks at speeds over 100 Gbps. It is predicted that the number of such attacks will decrease in 2015. Experts noted a multiple increase in incidents related to DDoS attacks over the past 5 years, attacks of increased complexity, which suggests the possibility of an increase in the number of attacks in 2015 by at least 20%. The increase in the number of attacks is associated mainly with an aggravation of competition.

In 2014, Qrator Labs, using its own service of the same name, neutralized 9,519 DDoS attacks. The maximum number of attacks per day targeting the company's customers was reduced from 151 to 131. The average number of DDoS attacks per day increased from 18 to 28.

According to Alexander Lyamin, head of Qrator Labs, in 2014 there was an increase in the number of attacks of increased complexity - at a speed of more than 100 Gbps. In 2015, high-speed attacks (more than 100 Gbps) will decline - the peak was passed in 2014.

In a particular case, the conversation is about attacks on the provider's incoming channel in order to: clog it with "parasitic" traffic. Attacks of this type have decreased, but speeds have increased significantly. Small telecom operators and hosting companies fall into the risk zone. The share of attacks with a speed of more than 1 Gbps increased from 2.58% in 2013 to 5.47% in 2014. In 2014, almost from scratch, the share of attacks increased significantly at a speed of more than 10 Gbps (from 0.7% to 2.72%), that is, they were observed approximately every working day. The number of attacks over 100 Gbps has grown 11 times (from 0.1% to 1.32%). Qrator noted that one of the trends contributing to this was the simplification of the technology for organizing DDoS attacks.

DDoS botnet attacks on servers and operating systems remain the most popular among attackers. Alexander Lyamin noted the growth in 2014 of the average and maximum sizes of the observed botnets, which, in his opinion, indicates the return of monster botnets.

There has been a general trend towards a decrease in DNS/NTP Amplification attacks, which previously accounted for more than half of all incidents, but attackers are more actively attacking the network infrastructure of operators.

The total number of attacks registered on companies - customers of Wallarm (Valarm) Onsec (Onsec) in 2014 exceeds 750,000. According to Ivan Novikov, CEO of Wallarm (Valarm) Onsec (Onsec), the gaming industry, CPA advertising networks, e-commerce (stores and auctions), payment systems and banks, and the media fell into the risk zone in 2014-2015. At the same time, if payment systems and banks, Internet retailers and the media have always been the target of attacks, now the activity of cybercriminals in sectors where there was previously no increased attention to information security has noticeably increased.

The most common are botnet attacks on servers and the OS to exhaust server resources. The maximum size of the botnet involved in one attack increased by 50% in 2014: from 281 thousand to 420 thousand cars. The size of the average botnet showed 27% growth (from 1.5 thousand to 1.9 thousand cars).

"In 2014, we observed cases of attacks directly on the network infrastructure of operators, for which they were not ready. There is a hypothesis that attackers have taken control of a large amount of someone else's powerful network equipment - several hundred thousand To the Internet connected to routers and switches around the world, whose owners have not changed the password from the factory default. Now these resources are being used without the knowledge of their owners for large-scale attacks of this kind, "Rossiyskaya [1] Gazeta quotes the head of Qrator Labs, Alexander Lyamin.

Aggressiveness Schedule, 2014

In addition, Qrator.Radar at the end of 2014 recorded an increase in the frequency of volumetric volumetric attacks used as an targeted tool against large targets. Qrator Labs associates the widespread use of this type of DDoS with the fact that attack technologies have become available to low-skilled specialists.

Mass distribution was facilitated by the simplification of the organization's technology, as well as a decrease in the cost of volumetric attacks, including due to the ability to attract low-skilled specialists. Currently, the cost of one such attack has dropped to $10-50 per day per 1 GB of lane. The most common method remains Amplification, which is used to send long error requests in DNS server configurations. If earlier it was necessary to form a botnet to organize a large-scale attack, now the ability to fake the victim's IP address and send a request to a vulnerable DNS server allows attackers to spend much less resources, including time organizing an attack. Apparently, a detailed scheme for implementing these attacks is becoming widely available. In 2013, DNS amplifiers were a popular tool for volumetric attacks. In 2014, cybercriminals were more likely to use NTP and SSDP amplifiers.

"The schedule of such volumetric attacks ceased to be discrete, and turned into a large continuous wave with a beautiful front. We attribute this to the fact that the tools that implement Volumetric attacks, available earlier to individual groups, have entered the massive "hacker market," "commented Lyamin Alexander, head of Qrator Labs.

Wallarm Data

According to a Wallarm study, in 2014, the top favorites in terms of the number of attacks were distributed as follows: databases (attacks in 35% of cases), attacks on clients/users of websites (28%) and various attack vectors with the ability to remotely execute code on the server (19%).

Simple Service Discovery Protocol vulnerability turns millions of access points, webcams and printers into DDoS attack tools

PLXsert specialists reported in October 2014 about massive DDoS attacks that have been going on since July 2014. exploiting a Simple Service Discovery Protocol vulnerability that is used to declare availability to millions of devices, supporting the Universal Plug and Play standard - home routers, access points, cable modems, webcams, printers, etc. The attack is organized by transferring a specially prepared SOAP package to a vulnerable device, as a result, it sends a response packet to a given address^[32].

Since many of the vulnerable devices are consumer, it is unlikely that patches will be installed on them, and in some cases this possibility is not even provided. With this in mind, PLXSert predicts that new tools will be developed to make it easier to organize attacks using vulnerable protocols and create botnets. Such attacks will be difficult to suppress, since packets can come from a mass of different points at the same time.

To prevent the device from being used in such an attack, PLXSert recommends blocking traffic on port 1900 used by vulnerable protocols if UPnP is not needed. Otherwise, only patches will help.

Arbor Networks Data

Arbor Networks presented data on DDoS attacks on the global network in the first half of 2014 in the summer of 2014. The statistics are disappointing: both the number and intensity of attacks continue to grow steadily.

Thus, the number of DDoS attacks that exceeded 20 Gb/s at their peak only in the first six months of this year exceeded their total number for the entire 2013. And more than a hundred attacks of the first half of 2014 exceeded the figure of 100 GB/s.

The most powerful attack noted by Arbor Networks reached 154.69 Gb/s at the peak of traffic and was directed against the target in Spain. She used the principle of NTP request reflection. This is a relatively new attack technique based on the use of the NTP protocol, which serves to synchronize the clock on computers. The NTP protocol is distinguished by the fact that it issues expanded responses to fairly short requests. Accordingly, by spoofing the request and specifying the victim's address as the sender, it is possible to generate very high traffic to the specified IP address. Such attacks were very popular in the first half of the year, although their largest number was still in the first quarter of 2014. The increase in the duration of DDos attacks during this year is also noteworthy. If in the first quarter the average attack with traffic over 10 Gb/s lasted about 54 minutes, then in the second - already 98 minutes.

Alexey Platonov, General Director of the Internet Technical Center, noted: "DDoS attacks have become the main" gross "weapon in corporate Internet wars, such a cudgel of information warfare. Large companies began to take measures to reduce the damage from DDoS, but they are designed only for a certain attack power. Accordingly, attackers increase power to break through the defense - there is a classic competition of armor and projectile. "

2013

Prolexic: The average power of DDoS attacks has grown eightfold this year

According to experts from the company, Prolexic which organizes protection against distributed attacks aimed at denial of service, in the first quarter of 2013, the average power DDoS rate was 48.25 Gbps. This is eight times more than in the last quarter of last year.

The power of the attack on the anti-spam organization Spamhaus, estimated at 300 Gbps, according to Prolexic, is greatly exaggerated, but in March Prolexic had to repel the attack at 130 Gbps. Approximately 25% of attacks on Prolexic customer sites in the first quarter did not exceed 1 Gbps in power. However, 11% of attacks were carried out with a power of over 60 Gbps. The organization and technical equipment of the attackers is growing, experts say. Not only the total amount of data that during DDoS attacks overload the Internet access channel, but also the frequency of sending packets has increased, which creates problems not only for the direct victim of the attack, but also for providers, backbone operators and companies engaged in repelling attacks.

The number of attacks in the first quarter increased by 1.75% compared to the previous quarter and by 21.75% compared to the first quarter of 2012. At the same time, the share of attacks on the infrastructure of providers and telecom operators increased.

Arbor Networks Data

According to a special study by Arbor Networks, the nature of threats associated with distributed attacks is changing around the world. According to a survey conducted in 2013, about 70% of respondents using data center services reported that they were faced with DDoS attacks (in 2012 there were 50% of them). At the same time, a large number of attacks with a capacity of over 100 Gbps were registered. These are very expensive "events" for an ordinary attacker, and they are usually organized by "customers" who actively criminalize the hacker community, increasingly for political purposes. A significant part of the reported incidents was aimed at the failure of applications - such attacks are now observed regularly. The number of attacks on SSL connections also increased by 17%. About a third of respondents faced attacks on DNS infrastructure.

Massive attacks in 2013 were subjected to the resources of Russian companies. Suffice it to recall a series of DDoS attacks on the websites of the five largest Russian banks: from October 1 to October 7, 2013, Alfa-Bank",", "Gazprombank and were attacked VTB Sberbank. Central Bank of Russia However, since the Ukrainian crisis has entered an acute phase, the number of DDoS attacks on the resources of Russian organizations has grown significantly, the conference participants noted.

Hardware and software complexes for protection against such attacks are offered by several companies: Arbor Networks, Radware, Check Point, as well as the Russian MFI Software. In addition, Kaspersky Lab (Kaspersky), BIFIT, Group-IB and Qrator.Radar provide customers with cloud-based DDoS protection services.

2012

Ukraine: DDoS attack - as a method of competition

About half of the DDoS attacks committed in Ukraine in the first half of 2012 were on the websites of business representatives and marketplaces. In general, experts recorded 111 attacks in the Ukrainian segment of the Internet. The longest DDoS attack in the Ukrainian segment of the Internet lasted more than 13 days.

Globally, the share of Ukraine as a source of DDoS attacks decreased to 2.8% compared to 12% in the second half of 2011.

Most often, competitors are customers of DDoS attacks, according to Kaspersky Lab. Cases opened by law enforcement agencies on the fact of DDoS attacks very rarely reach the court, admits a source in the cybercrime department of the Ministry of Internal Affairs. In the state register of court decisions, only one decision was found in the case of the DDoS attack: for blocking the operation of the OSMP and CyberPlat payment systems in 2009, an attacker from the White Church was sentenced to three years in prison with a probationary period of two years.

According to market participants, losses of large online stores from DDoS attacks can be up to $300 thousand per day.

The bulk of hackers providing such services are young single non-professionals who infect computers using independently developed or purchased programs, says Sergey Polishchuk, administrator of the Ukrainian Traffic Exchange Network (UA-IX). However, international hacker groups operating networks around the world are also operating in Ukraine. So, in July, employees of the Russian company Group-IB blocked six servers of the Grum botnet, considered the third largest in the world, located in Ukraine.

You can "put" the site for a day for $50-1000. The United States, depending on its traffic and the level of server protection. A botnet program can be bought for $150. UNITED STATES. Specialists accept payment through most electronic payment systems. Group-IB estimates the income of hackers in the CIS and Baltic countries in 2011 at $4.5 billion. USA

The Netherlands proposed to legalize DDoS attacks

The Dutch opposition social-liberal party Democrats 66 came out in the summer of 2012 with a discouraging initiative, proposing to legalize DDoS attacks and other forms of disagreement on the Internet and give them the status of protests, securing the right to such "speeches" in the Constitution, albeit with restrictions. This was reported by RBC with reference to local media.

However, the procedure and implementation of online protest forms should be clearly spelled out in the legislation, Democrats 66 notes. One way or another, according to one of the party members, Kis Verhoeven, such attacks are a kind of demonstration, and he is surprised by the fact that the fundamental constitutional rights of citizens have not yet been spread on the Internet.

"Democrats 66" are already planning to complete work on the bill in the near future, after which it will be submitted to parliament. Ten party members sit in the lower house of the country's parliament, five in the upper house. The position of other parliamentarians is not known.

Notes