Akamai, the content delivery company responsible for as much as 30 per cent of online traffic, has highlighted the dangers of evolving botnets in its latest State of the Internet report, as botnet owners compete with and learn from each other. Most of them are now trying to beat Mirai, which was released last year.
Like any 'product', hackers' distributed denial of service (DDoS) attack tools follow a 'hype cycle', according to Akamai, although generally faster than consumer technologies as the relatively small community working with botnets is very open to change.
Mirai is currently working its way through the cycle, although its popularity has hampered it somewhat: contention for IoT devices, compromised by multiple forms of malware, has reduced the size of attacks considerably.
The impact of these insecure, internet-connected devices is not to be underestimated, and it is a space that is drawing more attention from a wider audience. For example, last year malware ven targeted IoT toasters in order to mine bitcoins. Although the malware was ineffective, it provided a proof-of-concept.
Liviu Arsene, senior e-threat analyst at Bitdefender, told Teiss.co.uk: "Researchers have been testing the security of IoT devices for a long time and have often found them lacking even basic security practices.
"From enforcing strong password authentication to encryption and security updates, most IoT manufacturers treat security features trivially and oftentimes are not even included in the device's development roadmap."
Despite the Mirai botnet, DDoS attacks in general have fallen 30 per cent, year-on-year, and 17 per cent, quarter-on-quarter.
The median size of DDoS attacks has also fallen, from 4Gbps in 2015 to just over 500Mbps today. However, this is likely due to the increased number of smaller attacks, with half of all assaults now between 250Mbps and 1.25Gbps.
Even these smaller attacks can harm unprepared companies, though. Akamai wrote: "If we consider that many businesses lease uplinks to the Internet in the range of one-to-10Gbps, any attack exceeding 10Gbps could be ‘big enough' and more than capable of taking the average unprotected business offline."
It is expected that the size and frequency of DDoS attacks will increase in the near future. Small-scale attacks are especially expected to rise, but the mega attacks will continue to have an outsized impact on DDoS trends.
A new attack spotlighted by Akamai was Mirai's DNS Water Torture, first seen in mid-January and targeting customers in the financial services industry. It involves a flood of DNS queries, which can lead to a denial of service for legitimate users if the target server is unprepared.
However, it was 'reflection attacks' that continued to dominate DDoS activity.
There was a subtle shift in the area of web application attacks, with 57 per cent more coming from the USA in the first quarter of 2017 compared to the same quarter in 2016. These target the underlying fabric of websites, either tying up resources or taking information from the database powering the sites. The impact can be longer-lasting than outages from infrastructure-related DDoS attacks.
The USA, Netherlands, Brazil, China and Germany were the top sources of web application attacks in the first quarter. The Netherlands is an interesting standout, with a population of only 17 million but producing 12.7 per cent of web attacks. By comparison, the USA has a population almost 20 times higher, but produces ‘just' 34 per cent of attacks.
Web application attacks targeted the USA (221 million), Brazil (24.2 million), the UK (14.2 million), Japan (13.4 million) and Germany (10.8 million). Although the US was far in advance of any other country, the figure was actually down 9 per cent, while Brazil and the UK were up (46 per cent and 30 per cent, respectively).
Peering into the crystal ball…
The number of DDoS attacks has fallen since 2016, but the risks remain. In fact, the capabilities of high-end attackers are rising, threatening not only the initial target, but collateral businesses, as well.
Maximum attack size has been rising since Mirai was released: from 100Gbps in the first quarter of 2016 to 600Gbps in the third quarter of 2016, even if things have calmed down in 2017.
Several organisations, including Akamai, have seen attacks exceeding 1Tbps. The possibility of a ‘super-botnet', perhaps due to the emergence of a unified command-and-control structure, could result in attacks of 2Tbps-or-more in the near future, suggests Akamai.
Despite the moves of organisations such as Europol and ISPs to counter Mirai, it would be short-sighted to think of this botnet as the only threat. Its source code, now available to all, has already been incorporated into malware suites, like the BillGates family, which are evolving to take advantage of the changed DDoS landscape.
Computing's IT Leaders Forum 2017 is coming on 24 May 2017. The theme this year is "Going Digital: Why your most difficult customer is your best friend".
Attendance is free, but strictly limited to IT Leaders. To find out more and to apply for your place, check out the IT Leaders Forum website.
Cotton seedling freezes to death as Chang'e-4 shuts down for the Moon's 14-day lunar night
Fortnite easily out-earns PUBG, Assassin's Creed Odyssey and Red Dead Redemption 2 in 2018
Meteor showers as a service will be visible for about 100 kilometres in all directions
Saturn's rings only formed in the past 100 million years, suggests analysis of Cassini space probe data
New findings contradict conventional belief that Saturn's rings were formed along with the planet about 4.5 billion years ago