Silence of the WANs: FBI DDoS-for-hire greaseball takedowns slash web flood attacks 'by 11%'

Fed bust of massive attack network caused traffic loads to plummet in Q4

The FBI's takedown of a clutch of prolific DDoS-for-hire websites appears, on its own, to have knocked down attack levels worldwide.

This is according to a report (registration required) from distributed-denial-of-service (DDoS) mitigation provider NexusGuard, which says that both the overall number of attacks and the volume of duff data fired at targets to overwhelm them are down, thanks to the December 2018 push that saw the feds wipe out 15 DDoS mercenary sites.

Those outfits, run in part in America, allowed people to purchase temporary use of massive botnets of compromised devices that were, in turn, commanded to generate massive loads of network traffic at targeted websites and services, overloading and knocking them offline.

It seems those 15 DDoS services were so prolific (at the time of the takedown the FBI estimated that the sites had carried out more than 300,000 attacks over the previous five years) that simply taking them offline caused a noticeable drop in global activity for the entire fourth quarter.

Compared to the same quarter last year, NexusGuard says that the number of attacks fell by 11 per cent. What's more, the size of each attack (the traffic load directed at the target) took a nosedive, with the average rate dropping 85 per cent and the maximum size down 24 per cent from Q4 2017.

These numbers are particularly noteworthy given that the takedown happened with just ten days left in the quarter. It should be noted, though, that the days around Christmas and New Year's are by far the busiest for DDoS attacks, and attacks typically surge in the back half of December, so the drop came in a window that usually runs hot.

Put down the champagne

The huge dip in attacks may not last, however. NexusGuard says it expects new DDoS-for-hire services to soon step in and fill the void left by those taken down by the FBI, and at that point attack levels will likely rise.

Not surprisingly, IoT botnet attacks were all the rage last quarter, according to the report. Simple Service Discovery Protocol (SSDP) amplification attacks bouncing off UPnP devices – such as IP-enabled cameras, printers, and routers – were up a staggering 3,122 per cent from the year-ago quarter, it is claimed, and accounted for nearly half (48 per cent) of all attacks seen in the quarter.

Essentially, you launch a load of small SSDP discovery requests at a bunch of devices on UDP port 1900, spoofing the source IP address as your victim's IP address. Because UDP has no handshake, the devices have no way to tell the request didn't come from the victim, so they all send their (much larger) discovery responses to the victim, flooding it with data. The amount of information sent from the gadgets to the victim is huge compared to the initial request wave, hence an amplification attack. The only devices usable as reflectors are those that answer unicast SSDP queries arriving from the internet; a box that listens on port 1900 solely for LAN multicast discovery isn't reachable for this.
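The reflection pattern above has a simple signature in flow telemetry: a host receives UDP traffic *from* port 1900, from many distinct sources, to a port it never sent an SSDP query from. The following detector is an added example, not code from NexusGuard or The Register. It runs over constructed flow records whose field layout (src, sport, dst, dport, proto, packets, bytes) is an assumption loosely modelled on NetFlow/IPFIX export; the victim and reflector addresses are RFC 5737 documentation ranges, and the packet sizes are illustrative.

```python
"""Detect SSDP (UDP/1900) reflection in flow records and estimate amplification.

Added example for illustration; not part of the NexusGuard report. All flow
records are constructed, and the record layout is an assumption modelled
loosely on NetFlow/IPFIX export.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

SSDP_PORT = 1900


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int


# Constructed sample, as seen by a collector that observes both directions:
# three UPnP devices answer spoofed M-SEARCH requests by replying to the
# victim 203.0.113.10, plus benign LAN discovery and unrelated TCP traffic.
SAMPLE_FLOWS = [
    # Spoofed requests: the claimed source is the victim, not the bot.
    Flow("203.0.113.10", 41000, "198.51.100.2", 1900, "udp", 50, 50 * 94),
    Flow("203.0.113.10", 41000, "198.51.100.3", 1900, "udp", 50, 50 * 94),
    Flow("203.0.113.10", 41000, "198.51.100.4", 1900, "udp", 50, 50 * 94),
    # Replies landing on the victim: many packets, each far larger than a query.
    Flow("198.51.100.2", 1900, "203.0.113.10", 41000, "udp", 400, 400 * 380),
    Flow("198.51.100.3", 1900, "203.0.113.10", 41000, "udp", 400, 400 * 380),
    Flow("198.51.100.4", 1900, "203.0.113.10", 41000, "udp", 400, 400 * 380),
    # Benign LAN discovery: multicast M-SEARCH from a local host, not reflection.
    Flow("192.168.1.20", 50000, "239.255.255.250", 1900, "udp", 2, 2 * 120),
    # Unrelated web traffic to the same host.
    Flow("192.0.2.5", 443, "203.0.113.10", 55000, "tcp", 10, 9000),
]


def find_reflection_victims(flows, min_reflectors=3, min_bytes=100_000):
    """Return {victim_ip: summary} for hosts receiving UDP traffic from
    source port 1900 out of many distinct reflectors.

    A legitimate SSDP reply goes back to whoever asked; a victim never asked,
    so inbound sport==1900 towards a non-1900 port from many sources is the tell.
    """
    by_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto != "udp" or f.sport != SSDP_PORT or f.dport == SSDP_PORT:
            continue
        summary = by_victim[f.dst]
        summary["reflectors"].add(f.src)
        summary["bytes"] += f.bytes
        summary["packets"] += f.packets
    return {
        victim: s for victim, s in by_victim.items()
        if len(s["reflectors"]) >= min_reflectors and s["bytes"] >= min_bytes
    }


def amplification_factor(flows, victim):
    """Bandwidth amplification: bytes of UDP/1900 replies delivered to the
    victim divided by bytes of the spoofed requests that triggered them.

    Only computable where the collector sees both directions (e.g. at the
    reflectors' ISP). Returns inf if replies arrive with no matching requests,
    and 0.0 if there is no SSDP traffic involving the host at all.
    """
    req = sum(f.bytes for f in flows
              if f.proto == "udp" and f.src == victim and f.dport == SSDP_PORT)
    rsp = sum(f.bytes for f in flows
              if f.proto == "udp" and f.dst == victim and f.sport == SSDP_PORT)
    if not req:
        return float("inf") if rsp else 0.0
    return rsp / req


def spoofed_egress(flows, own_nets):
    """BCP 38 check at a network edge: outbound UDP/1900 queries whose claimed
    source lies outside our own prefixes cannot be genuine and should be dropped.
    `own_nets` is a list of CIDR strings (assumed to describe the local network)."""
    nets = [ipaddress.ip_network(n) for n in own_nets]
    return [
        f for f in flows
        if f.proto == "udp" and f.dport == SSDP_PORT
        and not any(ipaddress.ip_address(f.src) in n for n in nets)
    ]


if __name__ == "__main__":
    for victim, s in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{victim}: {len(s['reflectors'])} reflectors, {s['bytes']} bytes, "
              f"amplification x{amplification_factor(SAMPLE_FLOWS, victim):.1f}")
    for f in spoofed_egress(SAMPLE_FLOWS, ["192.168.0.0/16", "192.0.2.0/24"]):
        print(f"spoofed egress: {f.src} -> {f.dst}:{f.dport}")
```

Two vantage points matter. On the victim's side, `find_reflection_victims` is the alert to raise; the reply traffic arrives from port 1900 on hundreds of unrelated addresses, which is also why upstream filtering of inbound sport 1900 towards hosts that don't run UPnP is a cheap mitigation. On the reflector's or bot's side, `spoofed_egress` is the BCP 38 filter: a query leaving your network with a source address that isn't yours is spoofed by definition, and dropping it at the edge is what stops your customers' devices being conscripted.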

"Perpetrators first discover and scan all exploitable devices and then use botnets to send UDP packets with a target’s spoofed IP address to UDP port 1900 of all exploitable devices," NexusGuard said in explaining the technique. "In turn, the devices respond massively, causing the target to become inundated with a large volume of replies."

With SSDP reflection taking so large a slice of the total, every more conventional technique declined compared with the year-ago quarter.

Less surprising was the distribution of where those attacks were coming from (as in where the bots launching them were based). China was the most common source, accounting for 23 per cent, followed by the US, with 18 per cent. This is to be expected, notes NexusGuard, as the US and China together account for around a third of the total online population.

France (7 per cent), Russia (4 per cent), and Brazil (2.5 per cent) rounded out the top five. ®

Biting the hand that feeds IT © 1998–2022