The annual holiday uptick in denial of service attacks will likely continue this year only this time with a new devastating weapon: Internet of Things (IoT) devices, according to Akamai.
In its quarterly State of the Internet/Security Report, the company says certain types of DDoS attacks are on the rise compared to the third quarter last year, both in size and number. That doesn’t bode well for users of the internet starting next week.
“Thanksgiving, Christmas, and the holiday season in general have long been characterized by a rise in the threat of DDoS attacks,” the report says. “Malicious actors have new tools — IoT botnets — that will almost certainly be used in the coming quarter.”
That includes the infamous Mirai botnet whose code has been made public and that is responsible for some of the largest DDoS attacks ever – perhaps more than 1Tbps - including two that were mitigated by Akamai.
In past years these attacks have been used to take down gamer sites at Christmas, just in time to frustrate people who have just received new gaming platforms. Famously, both Xbox Live and Sony Playstation were disrupted by DDoS attacks in 2014.
Mirai has kept a low profile since it knocked DNS service provider Dyn for a loop last month, but that doesn’t mean it won’t be back, Akamai says.
The type of person who likely launched that attack is the type likely to use MIrai for a follow-up to the 2014 attacks. The Dyn IoT DDoS flood was pinned on gamers who wanted to take down a gaming site, likely Playstation Network.
According to Lance James, the chief scientist at Flashpoint, the attack was, “teenagers losing their emotions over videogames,” who “took down more than even the attackers hoped to take down.”
DDoS attacks in general have been on the rise, the Akamai report says, up 71% over Q3 last year.
The good news is that some forms of DDoS seem to be on the wane, network time protocol (NTP) attacks in particular.
That’s because the open NTP servers used to reflect and amplify attack traffic are getting cleaned up, so there are few of them off of which to bounce traffic. The number of attacks has grown over time but the amount of traffic generated by each has gotten less. The average size of an NTP attack in June 2014 was greater than 40Gbps. This June it was 700Mbps.
When these attacks were on the rise, the vulnerable servers being used to carry them out became apparent, leading their owners or third party observers to take note and secure them. “It appears that June was the critical inflection point, when not only did available NTP reflection bandwidth shrink, but botnet owners pivoted to other protocols for their traffic,” Akamai says.
Meanwhile, UDP fragmentation attacks accounted for nearly a quarter (24.56%) of all DDoS attacks observed by Akamai in the third quarter. These attacks send fraudulent fragmented packets to the target server, but they are designed so they cannot be reassembled. That chews up processor time on the server, eventually leading to it becoming overwhelmed.
But Akamai says the recent success of IoT botnets means they will be used more until defenders find a way to defeat them. “It is very likely that malicious actors are now working diligently to understand how they can capture their own huge botnet of IoT devices to create the next largest DDoS ever,” Akamai says.