DDoS-attacks in Q4: WordPress and 900 cameras

Securelist has just released its quarterly report on DDoS attacks, highlighting a number of trend characteristics for the end of the previous year as well as providing overall stats.

Summary

  • In Q4, resources in 69 countries were targeted by DDoS attacks.
  • 94.9% of the targeted resources were located in 10 countries, with China being the country where half of all attacked resources have been located. South Korea holds second place, USA third.
  • The longest DDoS attack in Q4 2015 lasted for 371 hours (or 15.5 days).
  • SYN DDoS, TCP DDoS, and HTTP DDoS remain the most common DDoS attack scenarios.
  • The popularity of Linux-based bots continued to grow: the proportion of DDoS attacks from Linux-based botnets in the fourth quarter was 54.8%.

What are Linux botnets?

Linux-based botnets are a huge problem today, with the proportion of attacks by Linux bots compared to those of Windows growing from 45.6% in Q3 to 54.8%. Simply put, Linux botnets again surpassed Windows-based ones in Q4.

Linux bots are mainly pieces of malware designed to infect Linux servers, which tend to be left unprotected (probably due to the notion that malware for Linux is all but non-existent).

According to Securelist’s report last year, Linux-based botnets offer cybercriminals the opportunity to manipulate network protocols, while infected servers have high-speed Internet channels (so attacks launched from them are potentially more powerful than those from Windows botnets). However, to create and operate a Linux botnet, a cybercriminal needs good knowledge of Linux and must find a suitable bot on the black market or freely available.

Still, such botnets tend to live somewhat longer than those built from Windows PCs, again because Linux servers often remain unprotected.

Besides, many of the Internet of Things devices that make up botnets also run on various flavors of Linux.

In October 2015, experts registered a huge number of HTTP requests (up to 20,000 requests per second) coming from CCTV cameras. The researchers identified about 900 cameras around the world that formed a botnet used for DDoS attacks. The experts warn that in the near future new botnets utilizing vulnerable IoT devices will appear. Mixed-type botnets have been observed before.

New vectors

The power of one such DDoS attack registered by Kaspersky Lab experts amounted to 400 Mbit/sec and lasted 10 hours. The attackers used a compromised web application running WordPress as well as an encrypted connection to complicate traffic filtering.

Securelist also highlighted some non-conventional attacks employing the compromised web applications powered by CMS WordPress. Its somewhat notorious pingback function has been used several times for amplification of attacks, but in Q4 criminals carried out a mass compromise of resources running WordPress. This was probably caused by the emergence of 0day vulnerabilities either in the CMS or one of its popular plugins. Whatever the cause, several cases have been observed of JavaScript code being injected into the body of web resources. The code addressed the victim resource on behalf of the user’s browser. At the same time, the attackers used an encrypted HTTPS connection to impede traffic filtering.
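From the victim’s side, pingback abuse looks like ordinary GET requests for one resource arriving from a large number of unrelated, legitimate WordPress sites. The following script is an added example (not code from Securelist or Kaspersky Lab) that scans web-server access logs for that pattern. It assumes Apache/nginx "combined" log format and the common "WordPress/x.y; <site>; verifying pingback from <ip>" User-Agent that WordPress sends while verifying a pingback; the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format, as seen by the
# attacked site. They are illustrative only, not data from the Securelist report.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Dec/2015:10:00:01 +0000] "GET /big-page.html HTTP/1.1" 200 512000 "-" "WordPress/4.3.1; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [12/Dec/2015:10:00:01 +0000] "GET /big-page.html HTTP/1.1" 200 512000 "-" "WordPress/4.2.5; http://blog-b.example; verifying pingback from 198.51.100.7"
203.0.113.12 - - [12/Dec/2015:10:00:02 +0000] "GET /big-page.html HTTP/1.1" 200 512000 "-" "WordPress/4.3.1; http://blog-c.example; verifying pingback from 198.51.100.7"
198.51.100.20 - - [12/Dec/2015:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/42.0"
203.0.113.13 - - [12/Dec/2015:10:00:03 +0000] "GET /big-page.html HTTP/1.1" 200 512000 "-" "WordPress/4.1.9; http://blog-d.example; verifying pingback from 198.51.100.7"
"""

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent WordPress uses when verifying a pingback. The exact string varies
# by version; this pattern is an assumption covering the common form.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/[\d.]+; (?P<origin>\S+); verifying pingback from (?P<claimed>\S+)$'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text, min_reflectors=3):
    """Summarise pingback-reflection traffic found in log_text.

    Returns the number of pingback-verification requests, the number of distinct
    reflecting WordPress sites, the bytes they pulled, the paths fetched by at
    least min_reflectors distinct sites, and a 'suspicious' flag.
    """
    per_path = {}          # request path -> Counter of reflecting sites
    total = 0
    bytes_reflected = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ua = PINGBACK_UA_RE.match(rec['ua'])
        if ua is None:
            continue           # normal browser traffic, ignore
        total += 1
        if rec['size'].isdigit():
            bytes_reflected += int(rec['size'])
        parts = rec['req'].split(' ')
        path = parts[1] if len(parts) > 1 else rec['req']
        per_path.setdefault(path, Counter())[ua.group('origin')] += 1
    reflectors = {site for counter in per_path.values() for site in counter}
    hot_paths = [p for p, c in per_path.items() if len(c) >= min_reflectors]
    return {
        'pingback_requests': total,
        'reflectors': len(reflectors),
        'bytes_reflected': bytes_reflected,
        'hot_paths': sorted(hot_paths),
        'suspicious': bool(hot_paths),
    }


if __name__ == '__main__':
    print(analyse(SAMPLE_LOG))
```

The useful signal is not any single source address but the number of distinct, otherwise legitimate sites fetching the same resource, which is why blocking individual IPs is ineffective against this reflection; filtering on the pingback User-Agent at the edge is the usual quick mitigation on the victim side, while WordPress site owners can stop their own installations from being used as reflectors by removing the `pingback.ping` method through the `xmlrpc_methods` filter.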

The most popular attack methods remained the same: SYN DDoS accounted for 57% of attacks, TCP DDoS for 21.8%, and HTTP DDoS for 15.2%. The popularity of the latter slightly decreased, while the former two gained a few percentage points compared to Q3.

The maximum duration of attacks also grew. The longest DDoS attack in the previous quarter lasted for 320 hours (13.3 days); in Q4, this record was beaten by an attack that lasted 371 hours (15.5 days).

The primary motive behind DDoS attacks is monetary gain, just as with any other cybercrime. DDoS attacks are used as an extortion tool, but it is not unusual to find criminals using them as a smokescreen for more clandestine and damaging activities, such as planting malware in the targeted company’s infrastructure or exfiltrating data.

The full report by Securelist is available here.

Tips