
Crypto-collapse and rise of smart DDOS attacks

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 08 Aug 2022

During Q2 of this year, distributed denial of service (DDOS) attacks reached new heights as both the number of smart attacks, and the average duration of these attacks, increased sharply.

Compared to the same period last year, the average duration of a DDOS attack rose 100 times, reaching 3 000 minutes.

This was revealed by Kaspersky in its DDOS attacks in Q2 2022 report.

Compared to figures from Q2 2021, Kaspersky’s solutions defended its users against approximately 2.5 times more DDOS attacks. At the same time, in contrast to the beginning of the year with its dramatic surge in attacks due to hacktivist activity, absolute numbers decreased in Q2 2022.

However, Kaspersky says this does not mean that the DDOS market has cooled down, but rather that attacks have changed in quality, becoming longer and more complicated. 

The average duration of an attack in Q2 2022 was around two days, which is 100 times longer than in Q2 2021, when an attack lasted for only 30 minutes on average.

Some of the attacks in the past quarter lasted for days or even weeks. A record was set by an attack with a duration of 41 441 minutes, which is just shy of 29 days.

Alexander Gutnikov, a security expert at Kaspersky, says it is extremely expensive to continue these attacks for such a long duration, particularly if it is ineffective due to being filtered by protection solutions.

“When bots are constantly active, the risk of botnet wear-off, node failure or control centre detection increases. The extreme duration of these attacks and the growth in the number of smart and targeted DDoS attacks makes us wonder about the capabilities, professional affiliation and funding sources of the organisers,” he adds.

Smart attacks

The company also said the share of smart attacks almost broke the four-year record, accounting for nearly 50% of the total. 

Gutnikov says DDoS attacks are becoming increasingly accessible to a wider audience. “In many cases, they no longer require special technical knowledge and skills. In order to separate professionals from amateurs, we use the term 'smart attack'. To organise this kind of attack, a criminal should be equipped with technical knowledge and understand how networks and data exchange protocols work.”

He says in general, layer three (L3) and layer four (L4) attacks can be described as regular ones, while layer seven attacks (L7) are already smart. For an accurate 'diagnosis', an analysis of each specific case is required.

“For example, a DNS Amplification flood, or L4 level, is now very easy to organise, although it caught everybody off guard back in 2013. Back then it could be classified as a smart attack, but today it’s available to a wide range of attackers without special skills and ranked as an ordinary one.”

Another example is a fragmentation attack of the L3 level. If targeted skillfully (for example, to a vulnerable router), it can cause a lot of damage even with a small rate. “In this case, it would be correct to classify it as a smart attack, because it requires the bad actor to understand the vulnerability and, as a result, choose a relatively simple but effective tool,” Gutnikov says.

On the other hand, application level attacks are not always smart, he explains. “An HTTP request attack without a host header will formally be considered an L7 attack, but this is only possible if the botnet is configured incorrectly. Therefore, the attacker does not understand the basic principles of HTTP protocol, and this attack should be classified as a regular one.”

A link to crypto-currency

In terms of the number of DDOS attacks, the second quarter was quieter than the first. This is a common phenomenon, he explains, as a decline in DDOS activity normally occurs as the European summer nears.

However, the number of DDOS attacks within the quarter didn’t match this usual pattern. After a slowdown at the end of Q1, botnet activity steadily grew throughout Q2, resulting in more activity in June than in April. This, he says, is consistent with the decline of crypto-currency, which usually stimulates the DDOS market.

Gutnikov says the collapse of crypto-currencies began with the plummet of Terra (Luna) and has only been gaining momentum since. Various factors indicate that the tendency may continue – for example, crypto-miners are selling off farms at low prices to gamers. This can lead to a surge in global DDOS activity.

Kaspersky’s experts recommend maintaining Web resource operations by assigning specialists who understand how to respond to DDoS attacks; validating third-party agreements and contact information so they can be quickly accessed in case of an attack; employing network and application monitoring tools to identify traffic trends and tendencies; and having a restrictive plan B in place to ensure the organisation is in a position to rapidly restore business-critical services in the face of a DDOS attack.
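Two points from the article can be turned into a concrete monitoring check: Gutnikov's observation that an HTTP flood without a Host header betrays a misconfigured botnet, and the recommendation above to use application monitoring to spot traffic trends and long-running attacks. The Python below is an added example written for this article; it is not Kaspersky's code or tooling. The log line format, the client IP addresses, the request-rate threshold and the minimum duration are all constructed for illustration and would be tuned to a real deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not a real server's): ISO timestamp, client IP, quoted
# request line, then the Host header value, written as "host=-" when it is absent.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<request>[^"]*)" host=(?P<host>\S+)$'
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.fromisoformat(entry["ts"])
    entry["host"] = None if entry["host"] == "-" else entry["host"]
    return entry


def hostless_request_counts(entries):
    """Count, per client, requests that carry no Host header (malformed L7 traffic)."""
    counts = defaultdict(int)
    for e in entries:
        if e["host"] is None:
            counts[e["client"]] += 1
    return dict(counts)


def sustained_floods(entries, per_minute_threshold, min_minutes):
    """Return {client: (start, duration_minutes, total_requests)} for clients whose
    per-minute request count stays at or above the threshold for at least
    min_minutes consecutive minutes. Duration is the metric the article tracks."""
    per_minute = defaultdict(lambda: defaultdict(int))
    for e in entries:
        per_minute[e["client"]][e["ts"].replace(second=0, microsecond=0)] += 1

    floods = {}
    for client, minutes in per_minute.items():
        run_start, run_len, run_total, prev, best = None, 0, 0, None, None
        for minute in sorted(minutes):
            count = minutes[minute]
            if count < per_minute_threshold:
                run_start, run_len, run_total = None, 0, 0      # run broken
            elif run_start is not None and minute == prev + timedelta(minutes=1):
                run_len, run_total = run_len + 1, run_total + count  # run continues
            else:
                run_start, run_len, run_total = minute, 1, count  # new run starts
            if run_start is not None and run_len >= min_minutes and (
                best is None or run_len > best[1]
            ):
                best = (run_start, run_len, run_total)
            prev = minute
        if best is not None:
            floods[client] = best
    return floods


def build_sample_log():
    """Construct sample lines: light legitimate traffic from one client plus a bot
    source sending 120 Host-less requests per minute for six minutes."""
    base = datetime(2022, 6, 14, 10, 0, 0)
    lines = []
    for minute in range(10):
        for i in range(3):
            ts = base + timedelta(minutes=minute, seconds=15 * i)
            lines.append(f'{ts.isoformat()} 198.51.100.7 "GET /index.html HTTP/1.1" host=www.example.test')
    for minute in range(2, 8):
        for i in range(120):
            ts = base + timedelta(minutes=minute, milliseconds=500 * i)
            lines.append(f'{ts.isoformat()} 203.0.113.5 "GET / HTTP/1.1" host=-')
    return lines


def analyse(lines, per_minute_threshold=60, min_minutes=3):
    """Run both checks over raw log lines; thresholds are illustrative assumptions."""
    entries = [e for e in (parse_line(line) for line in lines) if e is not None]
    return {
        "hostless": hostless_request_counts(entries),
        "floods": sustained_floods(entries, per_minute_threshold, min_minutes),
    }


if __name__ == "__main__":
    report = analyse(build_sample_log())
    for client, n in report["hostless"].items():
        print(f"{client}: {n} requests without Host header (misconfigured bot traffic)")
    for client, (start, minutes, total) in report["floods"].items():
        print(f"{client}: {total} requests over {minutes} min from {start:%H:%M} (sustained flood)")
```

On the constructed input the legitimate client never crosses the rate threshold, while the bot source is reported both for its Host-less requests and as a sustained six-minute flood; in practice the duration figure is what lets an operator distinguish a short burst from the multi-day attacks the report describes.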
