The “cream” of the cybercriminal community has gone back to the good old methods of attacks at the application level in the first quarter of 2016, according to Kaspersky’s analysis of DDoS attacks for this time period.
Kaspersky’s DDoS Intelligence Report for Q1 2016 looks at the main trends in the field of DDoS attacks and the tools used to perform them.
Selected findings from the report are summarized below.
DNSSEC Protocol Popular
Criminals are increasingly using the DNSSEC protocol to carry out DDoS attacks. The protocol is intended to minimize DNS spoofing attacks, but besides the domain data a standard DNSSEC reply also contains additional authentication information. Thus, unlike a standard DNS reply of 512 bytes, the DNSSEC reply comes to about 4096 bytes. Attackers exploit this feature to perform amplification DDoS attacks. They usually use domains in the government zone .gov, because in the US such domains are required by law to maintain DNSSEC.
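As an added example (not code from the Kaspersky report or this article), the check below shows how the operator of a DNSSEC-signed zone or an open resolver could spot their server being used as a reflector: it scores each reply against the size of the query that elicited it, using the 512-byte versus 4096-byte figures above, and flags destinations that receive repeated high-gain DNSSEC replies. The log entries and addresses are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class DnsExchange:
    """One query/reply pair as a resolver or authoritative server would log it."""
    dst_ip: str        # address the reply goes to (the spoofed victim in a reflection attack)
    qname: str
    query_bytes: int
    reply_bytes: int
    dnssec_ok: bool    # EDNS0 DO bit set, so the reply carries the extra DNSSEC data


# Constructed sample: ordinary ~512-byte replies and ~4096-byte DNSSEC replies
# for a .gov name, three of them aimed at one address (documentation IP ranges).
SAMPLE: List[DnsExchange] = [
    DnsExchange("192.0.2.10",   "example.com.", 64, 512, False),
    DnsExchange("192.0.2.10",   "example.com.", 64, 480, False),
    DnsExchange("198.51.100.7", "example.gov.", 64, 4096, True),
    DnsExchange("198.51.100.7", "example.gov.", 64, 4096, True),
    DnsExchange("198.51.100.7", "example.gov.", 64, 4096, True),
    DnsExchange("203.0.113.9",  "example.gov.", 64, 4096, True),  # one reply: below threshold
]


def amplification_factor(ex: DnsExchange) -> float:
    """Bytes sent back per byte received; the attacker's gain if dst_ip was spoofed."""
    return ex.reply_bytes / ex.query_bytes


def flag_reflection(exchanges: List[DnsExchange],
                    min_factor: float = 20.0,
                    min_count: int = 3) -> Dict[str, Dict[str, float]]:
    """Return destinations that received at least min_count high-gain DNSSEC replies.

    A 512-byte standard reply to a 64-byte query is only 8x and is ignored;
    a 4096-byte DNSSEC reply is 64x and counts toward the threshold.
    """
    stats: Dict[str, Dict[str, float]] = {}
    for ex in exchanges:
        if not ex.dnssec_ok or amplification_factor(ex) < min_factor:
            continue
        entry = stats.setdefault(ex.dst_ip, {"replies": 0, "bytes": 0, "max_factor": 0.0})
        entry["replies"] += 1
        entry["bytes"] += ex.reply_bytes
        entry["max_factor"] = max(entry["max_factor"], amplification_factor(ex))
    return {ip: s for ip, s in stats.items() if s["replies"] >= min_count}
```

Flagged destinations are candidates for response rate limiting or for a conversation with the apparent source, since the address receiving the replies is the victim rather than the sender.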
Information Security Companies – A Major Target
Cybercriminals also target companies working in information security, with most of the major players – especially those offering anti-DDoS services – having to regularly combat DDoS attacks on their resources. These attacks can’t cause much damage because all these resources are well-protected, but that doesn’t stop the cybercriminals.
Summary
- In Q1, resources in 74 countries were targeted by DDoS attacks (vs. 69 in Q4 of 2015).
- 6% of the targeted resources were located in 10 countries.
- China, the US and South Korea remained the leaders in terms of number of DDoS attacks and number of targets. France and Germany were newcomers to the Top 10.
- The longest DDoS attack in Q1 2016 lasted for 197 hours (or 8.2 days), which is far shorter than the previous quarter’s maximum (13.9 days). Multiple attacks on the same target became more frequent (up to 33 attacks on one resource during the reporting period).
- SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios, while the number of UDP attacks continues to fall from quarter to quarter.
- Overall, command servers remained located in the same countries as the previous quarter, but Europe’s contribution increased – the number of C&C servers in the UK and France grew noticeably.