Under Attack?
Search
Menu

2016 Attack Trends

By Daniel SmithDecember 6, 2016

2016 has been an eventful year when it comes to denial of service attacks. This year the industry as a whole has seen the largest attacks ever, and new attack vectors designed to test and challenge modern day defenses. Every year Radware’s ERT sees millions of attacks and our ERT Researchers throughout the year are constantly reviewing and analyzing these attacks to gain further insight into trends and changes in the attack vector landscape.

This year, two of the most common trends among attackers were burst attacks, aka “hit and run”, and advanced persistent denial of service (ApDoS) campaigns. Throughout the year we have observed a number of attackers using short bursts of high volume attacks in random intervals, and attacks that have lasted weeks, involving multiple vectors aimed at all network layers simultaneously. These types of attacks have a tendency to cause frequent disruptions in a network server’s SLA and can prevent legitimate users from accessing your services.

Hackers are also searching for new vectors and methods to carry out their network-crippling attacks. This year we saw an explosion in the use of Internet of Things (IoT) devices to create powerful botnets, along with a number of new attack vectors such as BlackNurse, an ICMP attack. Most notable was the release of the Mirai botnet source code by a user on HackForum. This botnet utilized 60+ factory default credentials found on BusyBox-based IoT devices and created the most powerful botnet seen to date. One of the more interesting factors behind Mirai was the Generic Routing Encapsulation (GRE) attack vector. This relatively new method encapsulates packets with a large amount of data in an attempt to exhaust resources as the receiving network de-encapsulates the payload.

Digital security concept

Top 5 DDoS vectors from the ERT

HTTP/s

This year Radware’s ERT has seen over 385,000 HTTP floods launched against our clients. An HTTP flood is an attack method used by hackers to attack web servers and applications. It consists of a seemingly legitimate session-based set of HTTP GET or POST requests sent to a target. Such requests are often sent en masse by means of a botnet to increase its overall attack power, but attacks have also been observed using variants of the DoS tool HULK and SlowLoris. HULK is a simple flood tool used to generate unique HTTP requests for every request sent. By doing so it allows the attack to avoid and bypass caching, hitting the server directly. During OpIcarus this year attackers were seen using a number of Layer 7 DoS tools like HULK, SlowLoris, TorsHammer and Slowhttp.

DNS

A DNS flood is an application-specific variant of a UDP flood. Since DNS servers use UDP traffic for name resolution, sending a massive number of DNS requests to a DNS server can consume its resources, resulting in service degradation and slower response time for legitimate requests. DNS amplification attacks are sophisticated denial of service attacks that take advantage of DNS server behavior in order to amplify the attack traffic. Attackers send a high rate of short DNS queries to multiple DNS servers that send the entire list of DNS records to the victim. The attacker achieves amplification because for each short DNS query it sends, the DNS server replays with a larger response directed at the victim. So far this year our ERT team has seen over 130,000 DNS floods targeting AAAA records including 48 attacks originating from the botnet Mirai.

[You might also like: Are You Ready for the New Age of Attacks?]

TCP

TCP floods are one of the oldest yet still popular denial of service attacks. The most common form of a TCP flood involves sending numerous SYN packets to the victim’s server. The intention of this attack is to overwhelm the session table of the targeted server by abusing the 3-way handshake used for establishing connections. Servers need to open a state for each packet that arrives, and attackers attempt to fill these tables with attack traffic so the server cannot handle legitimate traffic. This year Radware’s ERT has seen a number of TCP attacks such as TCP-SYN, 25,081, FIN-ACK, 17,264 and SYN-ACK, 14,758. We have also seen a method known as TCP STOMP originating from Mirai. This is a classic ACK flood where Mirai starts with the ACK flood only after gaining a legitimate sequence number thus increasing its odds of bypassing security solutions. During OpOlympicHacking, Anonymous published a GUI tool that allowed members of the operation to launch TCP PSH+ACK flood through Tor to pre-defined targets associated with the games.

UDP

A UDP flood is a network flood and still one of the most common floods today. Attackers send UDP packets to a single destination or random ports. In most cases, the attacker spoofs the source IP since the UDP protocol is connectionless and does not have any type of handshake mechanism or session. The intention of a UDP flood is to saturate the internet pipe with high volume attacks. Simply, UDP floods abuse normal behavior at a high enough level to cause congestion and service degradation for targeted networks. This year Radware’s ERT has seen over a half million IPv4 floods, 93,538 UDP fragmented attacks and 816 IPv6 attacks. During OpIsrael we saw the release of a prepackaged toolkit from Anonymous that included a number of GUI, graphical user interface, tools capable of launching UDP flood such as BlackOut, Anonymous External Attack, DoSeR 2.0 and LOIC. In addition to this we have also seen 2,395 UDP flood coming from the Mirai botnet since its release two months ago.

GRE

This year we saw the raise of a new and powerful botnet that incorporated an attack vector utilizing Generic Routing Encapsulation (GRE). In a GRE flood, the attacker encapsulates packets with large amounts of data and routes them through to a destination network that de-encapsulates the packet’s payload. By sending GRE packets with large amounts of encapsulated data, the attacker is able to consume and exhausts the network resources working to de-encapsulate the payload. After the release of Mirai, one of our customers reported a GRE flood that fluctuated between 70-180Gbps. Radware’s DDoS protection was able to successfully mitigate this attack based on the attack pattern of encapsulated UDP packets which contained 512 bytes of random data.

Moving into 2017, Radware’s ERT expects to see the denial of service landscape continue to evolve at a rapid rate as 1tbps attacks become the new standard. As IoT devices become more accepted and widely deployed over the next year, we expect attackers to find more vulnerable devices due to their poor security and use them in combination with other botnets like Bashlite to achieve record breaking sizes.

DDoS_Handbook_glow

Download Radware’s DDoS Handbook to get expert advice, actionable tools and tips to help detect and stop DDoS attacks.

Download Now

Posted in: Attack Types & Vectors SecurityTags:

Daniel Smith

Daniel is the Head of Research for Radware’s Threat Intelligence division. He helps produce actionable intelligence to protect against botnet-related threats by working behind the scenes to identify network and application-based vulnerabilities. Daniel brings over ten years of experience to the Radware Threat Intelligence division. Before joining, Daniel was a member of Radware’s Emergency Response Team (ERT-SOC), where he applied his unique expertise and intimate knowledge of threat actors’ tactics, techniques, and procedures to help develop signatures and mitigate attacks proactively for customers.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Contact Us Now

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Locations
Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program

CyberPedia

An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

CyberPedia
What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Blog
Security Research Center
Close

What are you looking for?