DDOS growth

Google recently published a post titled Exponential growth in DDoS attack volumes, describing how it mitigated a 2.5 Tbps attack in 2017 but, strangely, reporting nothing larger in the years since. Have attackers given up or just changed tactics? The number of packets involved in DDoS attacks increases constantly, so is it fair to assume that the size of these packets has decreased?

Cloudflare publishes quarterly details about DDoS attacks. Check out this year’s reports - Network-Layer DDoS Attack Trends for Q1 2020 and Network-layer DDoS attack trends for Q2 2020 - and see for yourself. The statistics show smaller, shorter attacks in 2020 compared to the massive one Google documented in 2017. Cloudflare’s data indicates attacks usually last 30 to 60 minutes (over 80% are less than an hour) and over 50% of them are less than 1 Gbps. In the second quarter the number of attacks doubled but the attack style remained the same.

LARG*net

We average one DDoS a month during the summer. People are on vacation, so there are fewer victims to prey on and fewer attackers to architect their demise. The number of attacks spikes after Labour Day, coinciding with the start of a new school year. Schools aren’t the only target, but they are certainly the biggest, though, admittedly, our results may be skewed by the sheer number of students within member organizations.

All DDoS attacks against LARG*net members since Labour Day lasted less than 30 minutes and were less than 1 Gbps. Apart from attack length, our data is remarkably similar to Cloudflare’s. Let’s investigate one of these attacks further:

Target: Student Housing
Bandwidth: 947.6 Mbps
Packets per second: 93.8 Kpps

Misuse types:
UDP - 100.00%
IP Fragmentation - 62.33%
DNS Amplification - 21.39%
CLDAP Amplification - 16.17%

Ports:
No Port - 63%
53/udp - 21%
389/udp - 16%

Attacking Countries:
United States - 21.51%
Russian Federation - 10.92%
Ukraine - 5.62%
Brazil - 5.36%
Germany - 4.89%

The gigabit attack saturates either the wireless access point or a gigabit link upstream of it. Regardless, it takes the specific victim offline but not the whole organization.
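To show how a profile like the one above is built from flow records, here is an added example (not LARG*net’s own tooling) that tags each flow by misuse type and reports bandwidth, packet rate, the port and source breakdown, and whether a gigabit uplink would be saturated for one victim. The flow records and addresses are constructed (documentation ranges only), and it assumes that non-first IP fragments arrive with no source port, which is what the “No Port” row in the report corresponds to.

```python
from collections import Counter, namedtuple

# One flow record; src_port is None for non-first IP fragments (no UDP header = "No Port").
Flow = namedtuple("Flow", "src_ip src_port dst_ip proto bytes packets")

# Reflection services behind the two source ports seen in the LARG*net profile.
AMPLIFICATION_PORTS = {53: "DNS Amplification", 389: "CLDAP Amplification"}

# Constructed sample for a 1-second window (documentation ranges, not real traffic):
# one victim, two DNS reflectors, one CLDAP reflector, two fragment trains.
SAMPLE = [
    Flow("198.51.100.10", 53,   "192.0.2.5", "udp", 1_500_000, 1000),
    Flow("198.51.100.11", 53,   "192.0.2.5", "udp", 1_500_000, 1000),
    Flow("203.0.113.7",   389,  "192.0.2.5", "udp", 2_000_000,  700),
    Flow("198.51.100.10", None, "192.0.2.5", "udp", 3_000_000, 2100),
    Flow("203.0.113.20",  None, "192.0.2.5", "udp", 2_000_000, 1400),
    Flow("192.0.2.50",    443,  "192.0.2.9", "tcp",    50_000,   40),  # unrelated traffic
]

def classify(flow):
    # Misuse tags overlap, as in the report above: "UDP" covers every UDP flow.
    tags = ["UDP"] if flow.proto == "udp" else []
    if flow.src_port is None:
        tags.append("IP Fragmentation")
    elif flow.src_port in AMPLIFICATION_PORTS:
        tags.append(AMPLIFICATION_PORTS[flow.src_port])
    return tags

def profile(flows, victim, window_s, link_mbps=1000.0):
    # Summarise traffic aimed at `victim` in the same shape as the attack report.
    hits = [f for f in flows if f.dst_ip == victim]
    total_bytes, total_pkts = sum(f.bytes for f in hits), sum(f.packets for f in hits)
    if not total_bytes:
        return {}
    misuse, ports, sources = Counter(), Counter(), Counter()
    for f in hits:
        for tag in classify(f):
            misuse[tag] += f.bytes
        ports["No Port" if f.src_port is None else f"{f.src_port}/{f.proto}"] += f.bytes
        sources[f.src_ip] += f.bytes
    pct = lambda c: {k: round(100.0 * v / total_bytes, 2) for k, v in c.most_common()}
    mbps = total_bytes * 8 / window_s / 1e6
    return {
        "mbps": mbps,
        "kpps": total_pkts / window_s / 1e3,
        "link_saturated": mbps >= 0.9 * link_mbps,  # a ~1 Gbps flood fills a gigabit uplink
        "misuse_pct": pct(misuse),
        "port_pct": pct(ports),
        "top_sources": [ip for ip, _ in sources.most_common(3)],
    }
```

Feeding real NetFlow or sFlow exports through the same functions gives the misuse and port percentages directly, and the top-source list is what you hand to the upstream provider when asking for a filter.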

DDoS for hire

Anyone can shut down anyone else’s internet provided they have more bandwidth than their intended target. All it takes is one command:

hping3 -1 -d 1400 --flood 127.45.6.3

Keep in mind that this basic attack is both illegal and transparent. There’s no hiding who issued the command, so you could find yourself in the company of all the people who have spent time in prison for unleashing this attack on someone.

This simple attack sends a flood of 1400-byte packets to the victim IP address (127.45.6.3) and can singlehandedly take down most organizations. It’s simple math: if you have more bandwidth than your victim, you can send enough traffic to take them down. What’s new is that there are many DDoS-for-hire services available at inexpensive prices. Wired recently covered this new service if you want to learn more about what you’re up against. Typically you pay via bitcoin and can even sign up for a monthly service that gives you the ability to shut down 1 address for 5-6 minutes at a time for only $10/month. For $50/month you can attack for up to an hour. There’s also a free tier that allows you to attack someone 1 time and shut them down for 5-6 minutes. What vendor doesn’t give you a free trial these days?

This free DDoS tier is what we most often see at LARG*net. Gone are the days when hackers had to actually build their own botnets before they could initiate an attack. Now you can just hire a DDoS service to do it for you, and the cost of entry is free.

Network Chuck is a YouTuber who regularly makes educational videos about networking and cyber security. His recent video shows him purchasing a DDoS in order to DDoS himself. He also breaks down how the DDoS works.