Pierluigi Paganini April 16, 2012

Last year we have observer an impressive grow of distributed denial-of-service (DDoS) attacks mainly related to operation arranged by group of hacktivists such as Anonymous.
During a DDoS attacks multitude of compromised systems attack a single target causing denial of service for users of the targeted system. I desire to analyze with you the interesting results reported by the Prolexic Attack Report related to the first quarter of 2012 (registration is required).
The most disconcerting data that emerges from this study is related to the number of attacks against the the financial sector, it’s tripled during the first quarter of this year. The document reported a 3,000 per cent quarter-on-quarter increase in malicious packet traffic targeted at the financial services sector, compared with the forth quarter of 2011. During the first quarter has been logged a significant increase in DDoS attacks against financial services organizations, considerable are the increasing among attacks in both bandwidth and packet per second rates over the quarter.

The Prolexic company has reported an amount of 19.1TB of data and 14 billion packets of malicious traffic against financial services sector during Q4 2011, what is worrying is that same traffic is sensible increased during Q1 2012, with 65TB of data and 1.1 trillion packets that were identified and mitigated. The figures are amazing, the traffic is 80 times superior to the past quarter.

While the number of attacks has changed substantially compared to previous quarters, the statistics remain basically unchanged on the type of DDoS attack observed.  From the next graphics can be derived that during Q1 2012, attackers have used more infrastructure layer attacks (Layer 3 – the three most common within this attack classification were
SYN floods, ICMP floods, and UDP floods) than application layer attacks (Layer 7 – GET Floods and POST Floods).  According to the figures provided by Prolexic, 73.4% were infrastructure attacks and 26.6% were application layer attacks.

What is changed respect last quarter?

Starting on the assumption that the last quarted of the year is a good period for any kind of attacks due to the holiday season, in Q1 2012 the trend was unchanged. Closely analyzing the individual attacks we have observed that respect the previous quarter the average attack duration continued to decrease, dropping from 34 hours in Q4 to 28.5 hours of Q1 2012 quarter. If the duration decrease the average attack bandwidth increased to 6.1 Gbps, up from 5.2 Gbps in the previous quarter, this means that the power of this attacks is increasing being able to flood more data packets in a minor time.

In the following graphics are reported the ten top countries originating DDoS attacks, as we can observe there aren’t surprise in the ranking proposed, China, US, and Russian Federation were the top three origins of DDoS attack campaigns according to their active participation in the cyber space and their aggressive cyber strategies and also to the traditional geographical locations for botnet host origins. Don’t forget that a meaningful contribute is made by cybercrime activities and also by operation made by group of hacktivists.

A very interesting deepening could be to discriminate the motivations of attack (government, hacktivism and cybercrime) to better understand the cyber threat. Countries like Ukraine for example historically suffer cybercrime proliferations meanwhile N.Korea attacks have without doubts governmental and political motivations.

Prolexic has reported: “more than 10 of the worlds largest banks due to market capitalization,” and “an almost threefold increase in the number of attacks against its financial services”.

What do we expect in the coming months?

In my opinion the trend continuing into 2012 and we will see an increase of attacks related to cybercrime and also hacktivism. According the Verizon report on cybercrime hacktivism is one of the most dangerous phenomenon, and DDoS attacks are their typical attack mode, for this reason we will observe an impressive grow also supported by the worldwide spread of botnets.

Regarding the attacked platforms we are observing a growing interest in the Mac world, it is expected a growth of OS X botnets able to perform DDoS attacks.

Other sensible contributions to the increment of this type of attacks are provided by the usage of mobile phones and devices as launch platform and also to imminent diffusion of IPV6 protocol.

In the first case we are facing with a still vulnerable world, mobile today has the same computing capability of desktop environments but implemented protections are really poor such as the awareness in the threat, this combination of factors is dangerous. The financial sector is also one of the sector that more pushes on the introduction of mobile for the supply of its services.
Regarding the second point
The switchover from the existing address protocol, IPv4, to IPv6 will give to the hackers a great opportunity. With the introduction of the protocol a huge quantity of new internet addresses is available and those addresses could be used as source for DDoS attack. Attacks based on IPV6 will benefit from switchover due the increased difficulty of identifying and banning the addresses involved in the attacks for which an offender has an availability significantly amplified. Consider also the context in which we operate, migration between protocols is an event to be taken into account and for which companies and governments must be prepared.

Finally DDoS attacks are largely used in warfare operations against enemy governments. Group of hackers are also engaged to attacks sensible targets with the intent make unusable services provided by agencies and institutions.

It is happened earlier this year, when Israel has been victim of a true escalation in cyberwar, not identified attackers have in fact pulled down two principal national web sites, the Tel Aviv Stock Exchange and El Al, the national airline. Again financial istitution under attacks.

DDoS attacks are even more dangerous when they are used in conjunction with other types of offense. DDoS attacks are used as a diversionary strategy to distract opposing defenses from the real intent of the attackers. Precisely this strategy was occasionally adopted by organized criminals using botnets to paralyzed target defense systems and then proceed undisturbed in the development of fraud.

The message is “do not lower our guard, is just the beginning!”

Pierluigi Paganini