November 11, 2015

Astronomical Growth & Bizarre DDoS Ransom Refund

This week as always, DDoS Digest provides nutshell summaries of the top stories in the world of distributed denial of service attacks:


  • DDoS Grows More than 50% in Third Quarter
  • Armada Partially Refunds Ransom
  • 320-Hour Assault Unusually Prolonged
  • Internet of Things & IPv6 Increase Vulnerability


DDoS Grows More than 50% in Third Quarter

It’s no exaggeration to say that distributed denial of service attacks are growing at a breathtaking pace.


In fact, one DDoS mitigation service recorded a 53% higher prevalence of attacks during the third quarter than in the second quarter of 2015 – higher than any quarter over the last two years, according to Roy Urrico of Credit Union Times.


The business sector that was the “top target” of DDoS was cloud and IT services, suffering 29% of attacks to win that ignoble title for the fourth straight quarter. The other top-three industries were entertainment and media (26% of attacks) and finance (15% of attacks).

The power of individual attacks is on the rise as well, notes Urrico. “The average attack size increased to 7.03 Gbps, 27% higher than Q2 2015,” he says. “59% of attacks peaked at more than 1 Gbps; and, 20% of attacks were greater than 10 Gbps.”

The moral here is that cloud DDoS protection is critical for most organizations. On-premise attack-prevention tools typically can’t absorb the one in five (20%) attacks that exceed 10 Gbps, and some can’t even mitigate the three in five (59%) that exceed 1 Gbps – a major weakness.

Armada Partially Refunds DDoS Ransom

DDoS attackers sometimes act erratically.


In early November (the 6th through 9th), four private email services were knocked offline by the flood of bogus botnet requests that constitutes a DDoS attack. Each of the services fell prey to a group calling itself Armada Collective, as reported in Forbes. The gang’s behavior was particularly strange, though – including the repayment of part of the ransom to one of the victims.


Secure Switzerland-based email startup ProtonMail paid a ransom of approximately $6000 in Bitcoin (15 BTC), after which it continued to get pummeled – although the company believes the further attacks came from a different party.


Three other email providers – Hushmail, Runbox, and Zoho – also experienced distributed denial of service events, although none of those other companies paid the ransom.


All the firms believe the gang Armada Collective was behind the attack. The attackers pointed to the same Bitcoin address for ransom payment in each case.


The behavior of Armada has been unusual, to say the least. For one thing, the Bitcoin address to which ProtonMail paid the DDoS ransom sent some of it back, like a partial refund. In those refund transactions, Armada embedded messages claiming it was not part of the continuing assault against ProtonMail: “Somebody with great power, who wants ProtonMail dead, jumped in after our initial attack!” said the note in the blockchain. “We have no such power to crash data center and no reason to attack ProtonMail any more!”


320-Hour Assault Unusually Prolonged

There is always a silver lining.


Various security providers recently released analyses of the distributed denial of service landscape during the third quarter. The findings, in a word, were brutal. However, the silver lining is that only one in ten of these events lasted longer than 24 hours.


The longest attack recorded during the third quarter of 2015 went on for an eye-popping 320 hours – or 13 1/3 days. Although the vast majority of attacks are over within a single day, the percentage that last more than 150 hours (6 ¼ days) has risen substantially. Repeat attacks are also commonplace, with one company receiving 22 distributed denial of service hits from a Dutch server.


While analysts revealed that targets in 79 different nations were struck during the third quarter, certain countries were taking much more of the brunt of DDoS. “91.6 percent of the victims’ resources are located in only 10 countries worldwide,” explains Danielle Correa in SC Magazine UK. “China, the US and South Korea held top positions as the countries most frequently hit by DDoS attacks.”

Internet of Things & IPv6 Increase Vulnerability

Holiday cheer for the villains?


It seems that DDoS attackers, who have caused insanely frustrating and expensive business stoppages in virtually every industry, have been handed a gift in the Internet of Things and IPv6 (Internet Protocol version 6).


The number of machines connected to the Internet has grown in leaps and bounds. Absurdly, 1 billion new Internet of Things devices will be manufactured in 2015. To meet the growing demand for IP addresses, IPv6 is now here. It provides for 2^128 IP addresses rather than the 2^32 that were possible under IPv4.


This new version of the protocol is necessary for the Internet of Things to come to fruition. However, it isn’t getting enough attention, argues networking veteran Rene Paap in InformationWeek. “[B]ecause IPv6 occupies such a relatively small space, Internet security implementations that take it into full consideration are also lagging,” he says. “This leaves a lot of networks vulnerable to distributed denial of service (DDoS) attacks.”

End-to-End DDoS Protection

Are you in need of DDoS protection? Nexusguard partners with you to pinpoint vulnerabilities and implement solutions that protect your infrastructure and mission-critical applications. The three pillars of our end-to-end approach are application protection, origin protection, and DNS protection. Learn more.
