The number of distributed denial of service attacks almost doubled between Q1 and Q3 2017, according to a report by Corero Network Security (CNS). The company said attacks against its customers reached an average of 237 per month, or an average of 8 a day. 

The purpose of a DDoS attack is to make a service unavailable by overwhelming it with traffic from different directions, using corrupted devices connected to the Internet as weapons of sorts. Collections of such devices are known as botnets. 

Denial of service can be achieved by flooding servers with more requests than they can handle, or by sending meaningless data to use up the target’s available bandwidth. Such attacks can serve as an end in itself or as a distraction during attempts to breach systems and extract data. 

Of biblical proportions 

John Martin, The deluge
John Martin, The deluge – John Martin/Wikimedia Commons

According to the study - based on attacks targetting CNS customers around the world - the dramatic increase of almost 35 percent a quarter for the past year is down to proliferation of unsecured, poorly-patched IoT devices alongside rising numbers of DDoS-for-hire services.

The nature of the attacks has changed, too, with frequent use of multiple attack vectors (e.g. SYN, UDP, Domain Name System (DNS) query and GET floods), either one at a time or in parallel - something that requires a higher level of sophistication.

That said, according to CNS, the percentage of multi-vector attacks had actually decreased from 20 to 15 percent between the second and third quarters of this year, whereas the share of service flood attacks had increased from 39 to 41 percent. 

The study found that DDoS attacks were rarely massive in scale and length: in both Q2 and Q3 of the year, 96 percent of DDoS attacks were less than 5Gbps in volume, and in Q3, 71 percent lasted less than ten seconds.

Between Q1 and Q3, attacks lasting between 21 and 30 seonds dropped by half. 

The study concluded by warning that ransom-driven DoS attacks, DDoS as a distraction to exfiltrate data, and increasing numbers of poorly secured IoT botnets should be at the forefront of any IT professional’s mind. 

”The increase in recorded DDoS activity is hardly surprising, especially to those within the industry as it is a known trade fact that the security within IoT devices is an illusion. Hackers and criminals alike have caught onto this fact,” commented Cesare Garlati, chief security strategist at the prpl Foundation.

“The Mirai-based DDoS attack was the perfect opportunity to target this issue and call out developers and manufacturers to take an open approach to security. Regulators should help by enforcing ISPs to temporarily block IP addresses known from being part of active botnets/DDoS, which would prevent attackers from further exploiting already infiltrated devices. By removing built-in back doors and stopping the practice of shipping devices with either hard coded or difficult to change default user names and passwords developers and manufacturers could ease the problem significantly as well.”

DDoS attacks are damaging - last year, an hour-long outage caused by DDoS cost Amazon close to $5m - and can affect anyone, using any number of connected devices: from the university campus that was attacked by its own IoT vending machines, to the Finnish town where heating systems were brought down, to the Web hosting firm DreamHost, which became a target for DDoS attacks after serving the neo-Nazi site, Daily Stormer.

DDoS attacks are also ever-changing: Cloudflare learnt this the hard way when, in the context of a series of attacks on security bloggers and DNS companies by the Mirai botnet, it suffered over a week of attacks of up to 480Gbps.