The Akamai Blog

Four News Reports On Recent DDoS Activity

Since one of Akamai InfoSec's biggest tasks is to blunt the impact of DDoS attacks against customers, I'm always scanning the various tech news outlets to see what's new and who among us is being quoted. Here are four that have caught my attention in recent days -- two of which include insight from Akamai CSIRT Director Michael Smith.

DDoS Attackers Change Their Game Plans
Smith is quoted in this article about how the firepower needed to launch an effective DDoS attack is steadily increasing. As a result, TechNewsWorld's John P. Mello Jr. writes, attackers are tweaking their tactics to get "more bang for their bytes." From the article:

Login pages at banking sites have been popular targets of application DDoS attacks. When you try to log into your bank, a whole set of backend functions are set in motion that consume CPU cycles at the site: Fraud prevention is activated; databases are accessed; authentication routines are run; and geolocations are reviewed. All those processes are performed whether a legitimate user or a fake persona is trying to log into the site. As an attacker, I would hit "that login page with a bunch of bogus usernames and passwords, knowing each request uses up a lot of resources of the target so I don't have to send as much volume of attack traffic as I would if I were trying to flood the network," Michael Smith, CSIRT director for Akamai Technologies, told TechNewsWorld. "The big trend over time will be smaller attacks with the impact of larger attacks -- smarter, more nimble, more agile attacks," he said.

DDoS: Phase 4 of Attacks Launched
Here, BankInfoSecurity reporter Tracy Kitten writes about how Izz ad-Din al-Qassam Cyber Fighters' fourth phase of DDoS attacks against U.S. banks kicked off July 31. Smith and other experts told Kitten that the attacks failed to take down the sites. From the article:

Mike Smith of the cybersecurity firm Akamai, which has been tracking and mitigating DDoS activity linked to al-Qassam, says DDoS defenses fared well throughout the morning of July 31, when the attacks began. And while the attack methods used were nothing new, some of the attack characteristics were, he says. "They keep pounding against one target," Smith said. "They've been hitting this one bank for about an hour and 15 minutes, now," which is unusual. But within a few hours, three more targets were hit, Smith says. Until now, al-Qassam typically hit a particular site for between 10 and 20 minutes at a time, Smith says. If the attacks are unsuccessful at taking a site down, the group moves on to another target, he adds.

How Do Booters Work? Inside a DDoS for Hire Attack
In this article, eWeek's Sean Michael Kerner explores the details of a talk Vigilant Chief Scientist Lance James gave at Black Hat last week. James talks about "Booter services" that offer paying customers DDoS attack capabilities on demand. From the article:

(James) got pulled into an investigation into the world of Booter services by his friend, security blogger Brian Krebs. Krebs had been the victim of a Booter service attack and was looking for some answers. "Basically a Booter is a Web-based service that does DDoS for hire at very low prices and is very hard to take down," James said. "They are marketed toward script kiddies, and many DDoS attacks that have been in the news have been done via these services." James was able to identify the suspected Booter site via Website log files and began to trace the activity of the individual who specifically attacked Krebs. Further investigation revealed that the same individual was also attacking other sites, including whitehouse.gov and the Ars Technica Website. After James was able to identify the Booter service and directly connect it to the attacks against Krebs, the two were able to help shut down the Booter service itself.

Shorter, higher-speed DDoS attacks on the rise, Arbor Networks says
Here, Network World reporter Ellen Messmer writes about how almost half of the DDoS attacks monitored in a threat system set up by Arbor Networks now reach speeds of over 1Gbps -- up 13.5 percent from last year -- while the portion of DDoS attacks over 10Gbps increased about 41 percent in the same period. From the article:

Arbor Networks' monitoring system, which is based on anonymous traffic data from more than 270 service providers, saw in the second quarter of this year the more than doubling of the total number of attacks over 20Gbps that occurred in all of 2012. The only number that went down was the duration of all of these DDoS attacks, which now trend shorter, with 86% lasting less than one hour, according to the Arbor Networks trends report for the second quarter of 2013.