Nexusguard DDoS research reveals that switching to IoT botnets took enterprises offline

Distributed denial of service (DDoS) attacks fell more than 40 percent to 97,700 attacks in the second quarter of the year, according to research released Tuesday by Nexusguard, a DDoS mitigation company, which analyzes a network of vulnerable devices for new cyberthreats across national and organizational boundaries.

Its Q3 2016 Threat Report highlighted that reflection-based DDoS attacks decreased, while botnets picked up more headlines. The quarter did, however, see a few notable DDoS attacks that made international headlines: one targeting Brian Krebs, a journalist covering the cybercrime beat, and another hitting OVH, an internet hosting provider. Both attacks utilized botnets, which isn’t rare, although the speeds with which they were launched were unprecedented for botnets.

The botnet (Mirai) consisted of systems that were on-boarded via telnet password cracking in a process that the coder described as a real-time load.

The company scans attack data for trends in vectors, duration, sources and other characteristics to inform organizations across industries of the latest methods. Nexusguard’s quarterly reports arm security professionals with the latest internet security information to help them anticipate threats to their networks.

Nexusguard researchers attribute the reflection attack dip and these massive attacks to hackers favoring Mirai-style botnets of hijacked connected devices, demonstrating the power the internet of things (IoT) has to threaten major organizations. With increasing pressure on hosting and internet service providers to sustain fierce attacks against customers, Nexusguard analysts advise organizations to ensure they use signature-based detection to identify and thwart botnets.

Due to the large attack on OVH in the third quarter, France rose into the top three countries targeted by DDoS attacks. While DDoS attacks fell in average frequency during Q3, Nexusguard researchers predict the attention from recent botnet attacks will cause companies to strengthen their cybersecurity and rethink their service provider contracts in the fourth quarter, so that those contracts deliver support and ensure business continuity despite supersized attacks.

“Few service providers can sustain the level of malicious traffic we saw in Q3 from IoT botnets, so these DDoS outages are causing companies to completely rethink their cybersecurity strategies,” said Terrence Gareau, chief scientist for Nexusguard. “Hackers’ preferences for botnets over reflection attacks are typical of cyclical behavior, where attackers will switch to methods that have fallen out of popularity to test security teams with unexpected vectors.”

With 7034 attacks, Starlink was the top targeted network last quarter. In the third quarter, Starlink dropped off the Top 50 list of attack destinations, increasing suspicions that it was merely an outlier last quarter. In Q3, AS 4134 was the top target destination, and it was clearly not an outlier, as it has consistently shown up in the Top 10. Echoing the overall decrease in attacks this quarter, it is no surprise that the attack count on the top targeted network decreased by 40 percent, the same decrease observed in attacks per day.

In keeping with fewer attacks overall in the third quarter, DNS-based reflection attacks also saw a major dip in the quarter. Last quarter we observed that DNS was creeping up on NTP as the primary method of attack. But now, DNS has all but completely disappeared with a decrease of 97 percent. This number alone can account for the 40 percent drop in attacks.

While NTP attacks were down by 21 percent, the ratio was up to about 66 percent of the total, making NTP the reflection attack method of choice. Additionally, CHARGEN increased 109 percent, but those attacks were distributed, so an outlier was most assuredly behind the increase. The main target for the CHARGEN attacks was a residential customer on the Time Warner Cable Network.
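The report classifies reflection attacks by vector (DNS, NTP, CHARGEN) and reports each vector's share of the total. The following added example, not taken from Nexusguard or the report, shows how a defender can do the same over flow records: it assumes a constructed whitespace-separated flow format and a hypothetical byte threshold to separate amplified replies from ordinary lookups, then tallies suspected reflection flows per vector and per top destination.

```python
# Added example: classify UDP flow records by reflection vector using the
# reflector-side source port, then compute each vector's share of the total.
from collections import Counter, defaultdict

# Reflector source ports for the amplification vectors named in the report.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 19: "CHARGEN"}

# Constructed sample flows: "src_ip src_port dst_ip dst_port proto bytes".
SAMPLE_FLOWS = """\
198.51.100.10 123 203.0.113.5 40000 udp 44000
198.51.100.11 123 203.0.113.5 40000 udp 45000
198.51.100.12 123 203.0.113.5 40000 udp 46000
198.51.100.20 53 203.0.113.5 40000 udp 30000
198.51.100.30 19 203.0.113.9 40000 udp 10000
198.51.100.40 443 203.0.113.5 40000 tcp 1500
198.51.100.21 53 203.0.113.5 40000 udp 500
"""

MIN_BYTES = 2000  # assumed threshold: small replies are normal lookups


def classify_flow(line):
    """Return (vector, dst_ip) for a suspected reflection flow, else None."""
    src, sport, dst, dport, proto, nbytes = line.split()
    if proto != "udp" or int(nbytes) < MIN_BYTES:
        return None
    vector = REFLECTION_PORTS.get(int(sport))
    return (vector, dst) if vector else None


def vector_shares(flows):
    """Tally suspected reflection flows per vector; return (shares, top targets)."""
    counts = Counter()
    targets = defaultdict(Counter)
    for line in flows.splitlines():
        hit = classify_flow(line)
        if hit:
            vector, dst = hit
            counts[vector] += 1
            targets[vector][dst] += 1
    total = sum(counts.values())
    shares = {v: round(c / total, 2) for v, c in counts.items()}
    top_targets = {v: t.most_common(1)[0][0] for v, t in targets.items()}
    return shares, top_targets


if __name__ == "__main__":
    for vector, share in vector_shares(SAMPLE_FLOWS)[0].items():
        print(f"{vector}: {share:.0%} of suspected reflection flows")
```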

Last quarter, Nexusguard ranked the Big Three as Russia, China, and the US. This quarter, attention turns to other countries that consistently make the Top 10 but rarely get as much attention. In third position comes France, which was home to the largest recorded DDoS attack this quarter, coming in at 1Gbps. The “winner” of such a large attack was the hosting service provider OVH, which unsurprisingly received the highest number of attacks in France and was also its top target.

The only reason Nexusguard suspects that OVH didn’t reach the Tbps mark is that many of the DDoS attacks were actually internally sourced from OVH. At any rate, this is only speculation, and there is no evidence to prove the accuracy of the numbers.

According to data released last quarter, France was ranked fourth, but has moved up to the third position this quarter. The US is now on top with a 16 percent increase in attacks, while China has seen a drop of 33 percent. The big loser (really winner) was Russia, dropping from first position in the second quarter down to the twelfth spot with only 2 percent of the attacks in the third quarter of this year.
