10 Escalating DDoS And Web Hacking Trends
10:00 AM EST Thu. Oct. 17, 2013
Threat reports from application hosting firm Akamai and DDoS mitigation appliance maker Arbor Networks highlighted the increasing sophistication of distributed denial-of-service attacks, and the Internet protocols most commonly targeted, in the second quarter of 2013. Arbor Networks said DDoS attacks are getting larger, while Akamai said it is having more trouble separating legitimate traffic from malicious traffic. Meanwhile, attack traffic continuously targets both plain HTTP and HTTPS websites and Web applications.
Here are 10 trending hacking techniques identified in the reports.
Arbor Networks said the DDoS attacks that its appliances are addressing have increased in size. Attacks over 20 Gbps increased 350 percent, the firm said. In addition, the duration of attacks has decreased by 85 percent, with most lasting less than an hour, the firm said. "Mitigating the attack is no longer an option and businesses find themselves in disaster recovery mode," Arbor said.
Arbor Networks said it did not witness a DDoS attack that exceeded the 300-Gbps attack against antispam blacklisting service Spamhaus earlier this year. Dutch officials arrested a man believed to be connected with the Spamhaus attack campaign. The largest attack Arbor registered for the second quarter, reported in August, measured 191 Gbps.
DDoS attack traffic is becoming increasingly difficult to filter out because automated attack toolkits are becoming more sophisticated. The popular Dirt Jumper toolkit has components that can sense detection and filtering systems. In addition, some security firms have reported that attackers are using compromised Web servers, rather than consumer PCs, to generate more powerful attacks, though the bandwidth of an attack does not necessarily reflect the damage it produces.
Akamai said it saw a decline in activity from a Middle Eastern hacktivist group that targeted U.S. banking websites earlier this year. The group, called Izz ad-Din al-Qassam Cyber Fighters, is believed to be loosely based in Iran and has targeted dozens of banks with large-scale DDoS attacks. Hundreds of attacks have been traced to the group. Akamai said law enforcement action could have contributed to the decline, but the main cause of the decline has not been confirmed.

Authorities also apparently arrested the alleged cybercriminal behind the popular BlackHole Exploit Kit. So far, there is no conclusive evidence that use of the automated attack toolkit has trended down, Dell SecureWorks researchers told CRN. The kit, which is normally updated about once a day, has not received updates since the arrest was announced.
There were 768 DDoS attacks reported to Akamai in 2012. In the first half of 2013, Akamai said it received 516 attack reports. While the U.S. accounts for nearly two-thirds of all attack targets, Akamai said the second quarter brought an increase in DDoS attacks targeting businesses in Europe, the Middle East, Africa and the Asia Pacific region. Increased attacks in Asia were primarily driven by a continuing series of attacks on a small number of companies within the region, Akamai said.
Attack traffic originates in Indonesia and China more than any other country or region, Akamai said. Attacks from Asia accounted for about 79 percent of attack traffic. Europe accounted for just over 10 percent of malicious traffic, while North and South America also accounted for just over 10 percent of attack traffic combined.
Akamai's report found that financial services firms, including banks and credit unions, received the most DDoS attacks. Cybercriminals also targeted business services firms and e-commerce vendors. Akamai noted that pharmaceutical firms and healthcare organizations were frequently targeted in the second quarter of 2013.
Akamai said it saw an increase in attacks targeting websites, Web applications and other Web clients. Much of the traffic is driven by automated attack toolkits. Web traffic is a way into corporate networks because HTTP on port 80 and HTTPS on port 443 are the protocols most commonly allowed through network firewalls, say security experts, who primarily advocate better secure coding practices to combat the issue. SSL traffic is also targeted with easily obtainable open source tools and hacking techniques, so encryption alone does not keep an application from being attacked.
Attackers also frequently target Microsoft's Server Message Block (SMB) file-sharing protocol, Akamai said. Cybercriminals take advantage of old, long-patched vulnerabilities and poor patching processes at organizations. The protocol has been targeted for years, security experts say; the notorious Nimda and Sasser worms used it to spread quickly to new hosts.
Attackers frequently probe networks for Internet-facing databases, and Microsoft SQL Server on port 1433 is a longtime favorite, having been targeted since the early 2000s. Akamai said it ranked just behind Microsoft SMB as the most frequently targeted port, with attackers looking for unpatched vulnerabilities or attempting to cripple the database through a denial-of-service attack by overloading it with malicious requests.
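The probing of SMB and SQL Server ports described above is easy to spot in a perimeter firewall's deny logs. The following Python script is an added example, not code from the Akamai or Arbor reports: it parses constructed log lines in a simplified iptables-style key=value format (an assumption about the log layout), counts denied inbound attempts by destination port, and flags any source that hits the same watched port on several distinct hosts, which is the signature of a horizontal sweep for exposed SMB or database services. The sample log lines, the watched-port table and the three-host threshold are all illustrative choices.

```python
"""Summarise denied inbound connections by port and flag horizontal port sweeps.

Added example (not from the Akamai or Arbor reports). Log format is a
simplified iptables-style "KEY=VALUE" line; adapt FIELD_RE for other firewalls.
"""
import re
from collections import Counter, defaultdict

# Ports the report singles out as the most frequently targeted (assumed labels).
WATCHED_PORTS = {80: "HTTP", 443: "HTTPS", 445: "SMB", 1433: "MSSQL"}

# Constructed sample log: one MSSQL sweep, one SMB sweep, some ordinary web
# traffic, an SSH probe, and one line without a destination port.
SAMPLE_LOG = """\
Oct 17 10:00:01 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=1433
Oct 17 10:00:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.11 PROTO=TCP DPT=1433
Oct 17 10:00:03 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.12 PROTO=TCP DPT=1433
Oct 17 10:00:04 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.13 PROTO=TCP DPT=1433
Oct 17 10:00:05 fw kernel: DROP IN=eth0 SRC=198.51.100.8 DST=203.0.113.10 PROTO=TCP DPT=445
Oct 17 10:00:06 fw kernel: DROP IN=eth0 SRC=198.51.100.8 DST=203.0.113.11 PROTO=TCP DPT=445
Oct 17 10:00:07 fw kernel: DROP IN=eth0 SRC=198.51.100.8 DST=203.0.113.12 PROTO=TCP DPT=445
Oct 17 10:00:08 fw kernel: DROP IN=eth0 SRC=192.0.2.5 DST=203.0.113.10 PROTO=TCP DPT=80
Oct 17 10:00:09 fw kernel: DROP IN=eth0 SRC=192.0.2.5 DST=203.0.113.10 PROTO=TCP DPT=80
Oct 17 10:00:10 fw kernel: DROP IN=eth0 SRC=192.0.2.5 DST=203.0.113.10 PROTO=TCP DPT=443
Oct 17 10:00:11 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=203.0.113.20 PROTO=TCP DPT=22
Oct 17 10:00:12 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=198.51.100.7
"""

# Pull the KEY=VALUE fields we care about; order in the line does not matter.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_events(text):
    """Return one dict per line that carries SRC, DST and a numeric DPT."""
    events = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        # Lines without a destination port (or with a malformed one) are skipped.
        if not {"SRC", "DST", "DPT"} <= set(fields) or not fields["DPT"].isdigit():
            continue
        events.append({
            "src": fields["SRC"],
            "dst": fields["DST"],
            "proto": fields.get("PROTO", "?"),
            "dpt": int(fields["DPT"]),
        })
    return events


def port_summary(events):
    """Count denied attempts per destination port (most_common() gives the ranking)."""
    return Counter(e["dpt"] for e in events)


def find_sweeps(events, min_hosts=3):
    """Flag (src, port) pairs where one source hit a watched port on >= min_hosts hosts.

    Many hosts on one port from one source is a horizontal sweep for that
    service; repeated hits on a single host are not counted as a sweep.
    """
    hosts_per_source_port = defaultdict(set)
    for e in events:
        if e["dpt"] in WATCHED_PORTS:
            hosts_per_source_port[(e["src"], e["dpt"])].add(e["dst"])
    sweeps = [
        (src, dpt, WATCHED_PORTS[dpt], len(hosts))
        for (src, dpt), hosts in hosts_per_source_port.items()
        if len(hosts) >= min_hosts
    ]
    # Largest sweep first; source address breaks ties deterministically.
    return sorted(sweeps, key=lambda s: (-s[3], s[0]))


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("denied attempts by port:")
    for port, n in port_summary(evts).most_common():
        print(f"  {port:>5} ({WATCHED_PORTS.get(port, 'other'):<5}) {n}")
    print("horizontal sweeps on watched ports:")
    for src, port, svc, n in find_sweeps(evts):
        print(f"  {src} -> {svc}/{port} on {n} hosts")
```

On the constructed log the port ranking puts 1433 and 445 at the top, mirroring the report's ordering, and the sweep detector singles out the two scanning sources while ignoring the client that merely retried against one web host. In production the interesting tuning knobs are the time window over which hosts are counted and the threshold, which should sit above whatever legitimate monitoring or vulnerability scanners in your own address space produce.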