Dramatic Increase of DDoS Attack Sizes Attributed to IoT Devices

Posted By

Bleeping Computer


September 12, 2018

A new report released today shows that distributed denial of service (DDoS) attacks have increased dramatically in the first two quarters of 2018 compared to 2017. The increase in attacks is being attributed to large-scale botnets being created by attackers using insecure IoT devices.

According to a report released by DDoS mitigation company NexusGuard, denial-of-service attacks have increased by 29% since Q2 2017, with the average attack size increasing by 543% to 26.37 Gbps.

NexusGuard's report shows that the average size of attacks in Q2 2017 was 4.10 Gbps and the maximum was 63.70 Gbps. For Q2 2018, this average size has increased over 500% to 26 Gbps and the maximum size has increased to 359 Gbps.

Increase in DDoS attacks attributed to IoT Botnets
The increase in attacks and their sizes is being attributed to attackers amassing giant botnets using insecure IoT devices. Attackers are using vulnerabilities in these devices to rapidly build large botnets that can then be used to perform targeted attacks that are increasingly difficult to stop.

For example, at one point the Mirai Satori botnet was seen from over 280,000 IP addresses over a 12-hour period, and the newer Anarchy botnet was able to amass over 18,000 routers in a single day. These botnets were created by attackers exploiting vulnerabilities in routers such as those made by Huawei and D-Link.

"In addition, severe botnet epidemics like last year’s Satori continued to threaten cyberspace by exploiting zero-day vulnerabilities," stated the report by NexusGuard. "Since its high-profile attack on Huawei home routers in December 2017, Satori has wreaked havoc over the past few months on various IoT devices, including: GPON-capable routers manufactured by South Korea’s Dasan, D-Link’s DIR-620 routers, and XiongMai uc-httpd 1.0.0 IoT devices. Additionally, the quarter saw the emergence of the Anarchy botnet, which exploited zero-day vulnerabilities in a similar fashion as Satori."

Key Stats
The report provides some interesting statistics regarding the attacks seen in Q2 2018.

- The top 3 DDoS attack vectors seen by NexusGuard are UDP (31.56%), TCP SYN (18.50%), and ICMP (9.32%). The combined total of the three largest attack types is 59.38%.
- Single-vector attacks comprised 52.03% of the total attacks, while 47.97% were multi-vector attacks.
- The top 5 multi-vector attacks were NTP Amplification + UDP (17.06%), ICMP + UDP (9.41%), ICMP + UDP + NTP Amplification (6.47%), CLDAP Reflection + UDP Fragmentation (5.29%), and TCP SYN + UDP (4.71%).
- While 55.28% of the attacks lasted less than 90 minutes, the average duration was 318.10 minutes. The higher average is due to some attacks lasting for days, with the longest one being 6 days, 5 hours, and 22 minutes.
- 64.13% of attacks were smaller than 10 Gbps, but the average size was 26.37 Gbps. NexusGuard states that a surge in attack sizes greater than 10 Gbps in Q2 2018 accounts for the larger average size.
- The United States was the largest source of attacks at 20%, followed by China, France, Germany, and Russia.