Nexusguard Research Shows DNS Amplification Attacks Grew Nearly 4,800% Year-over-Year; Highlighted by Sharp Increase in TCP SYN Flood

DNS amplification attacks continue to increase in number, growing 4,788% over Q3 2018, according to Nexusguard’s Q3 2019 Threat Report. DNSSEC (Domain Name System Security Extensions) remains the main driver of growth of DNS amplification attacks in the quarter, yet Nexusguard analysts have detected a sharp and concerning rise in TCP SYN Flood attacks. TCP SYN Flood is not a new method, but findings indicate that techniques have grown in sophistication and have emerged as the third most used attack vector, behind DNS amplification and HTTP flood attacks.

 

Cyberattackers have long favored DDoS attacks that amplify damage beyond the resources required, but suitable reflectors or amplifiers are not as widely available for DNS amplification and memcached reflection attacks. In contrast, any server with an open TCP port is an ideal attack vector, and such reflectors are widely available and easy to access to cause SYN Flood reflection attacks.

 

Consequently, SYN Flood reflection not only hits targeted victims, but also can impact innocent users, including individuals, businesses, and other organizations. These innocent victims end up having to process large volumes of spoofed requests and what appear to be legitimate replies from the attack target. As a result, bystanders can incur hefty fees for bandwidth consumed by junk traffic, or even suffer from secondary outages.

“Our research findings revealed that even plain-vanilla network attacks could be turned into complex, stealthy attacks leveraging advanced techniques, from the bit-and-piece attacks, also known as carpet bombing, we identified last year, to the emergence of Distributed Reflective DoS (DRDoS) attacks in the third quarter. Telcos and enterprises must take note while these tactics don’t cause notable strain on network bandwidth, which may go undetected, but that they are powerful enough to impact their service. Advanced mitigation techniques are required to address these threats,” said Juniman Kasman, chief technology officer for Nexusguard. 


 

Report findings also showed that 44% of Q3 attack traffic came from botnet-hijacked Windows OS computers and servers. The second largest source of traffic came from iOS-equipped mobile devices. The total number of attacks has mirrored patterns observed in 2019, with Q1 seeing the highest number attacks and numbers dropping over Q2 and Q3. While attack volume has decreased since Q2 2019, levels grew more than 85% compared to the same quarter last year. More than half of all global attacks originated in China, Turkey or the United States.

 

Nexusguard’s quarterly DDoS threat research gathers attack data from botnet scanning, honeypots, CSPs and traffic moving between attackers and their targets to help companies identify vulnerabilities and stay informed about global cyber security trends. Read the full "Q3 2019 Threat Report" for more details.