This article is more than 1 year old

Silence of the WANs: FBI DDoS-for-hire greaseball takedowns slash web flood attacks 'by 11%'

Fed bust of massive attack network caused traffic loads to plummet in Q4

The FBI's takedown of a group of prolific DDoS-for-hire websites has single-handedly helped to drop attack levels globally.

This is according to a report (registration required) from distributed-denial-of-service (DDoS) mitigation provider NexusGuard, who say that both the overall number of attacks and the volume of duff data fired at targets to overwhelm them are down, thanks to the December 2018 push that saw the feds wipe out 15 DDoS mercenary sites.

Those outfits, run in part in America, allowed people to purchase temporary use of massive botnets of compromised devices that were, in turn, commanded to generate massive loads of network traffic at targeted websites and services, overloading and knocking them offline.

It seemed those 15 DDoS services were so prolific (at the time of the takedown the FBI estimated that the group had carried out more than 300,000 attacks over the last five years) that simply taking them offline has caused a noticeable drop in global activity for the entire fourth quarter.

Compared to the same quarter last year, NexusGuard says that the number of attacks fell by 11 per cent. What's more, the size of each attack (the traffic load directed at the target) took a nosedive, with the average rate dropping 85 per cent and the maximum size down 24 per cent from Q4 2017.

These numbers are particularly noteworthy given the takedown happened with just ten days left in the quarter- though it should be noted that the days around Christmas and New Year's are by far the busiest for DDoS attacks, and attacks typically surge in the back half of December.

Put down the champagne

The huge dip in attacks may not last, however. NexusGuard says it expects new DDoS-for-hire services to soon step in and fill the void left by those taken down by the FBI, and at that point attack levels will likely rise.

Not surprisingly, IoT botnet attacks were all the rage last quarter, according to the report. Simple Service Discovery Protocol (SSDP) amplification attacks from UPnP devices – such as IP-enabled cameras, printers, and routers – were up a staggering 3,122 percent from last year, it is claimed, and accounted for nearly half (48 percent) of all attacks seen on the quarter.

Essentially, you launch a load of small requests at a bunch of devices on SSDP UDP port 1900, spoofing the source IP address as your victim's IP address. The devices all respond to the victim, flooding it with data. The amount of information sent from the gadgets to the victim is huge compared to the initial request wave, hence an amplification attack.

Dude in jail

Brit hacker hired by Liberian telco to nobble rival now behind bars


"Perpetrators first discover and scan all exploitable devices and then use botnets to send UDP packets with a target’s spoofed IP address to UDP port 1900 of all exploitable devices," NexusGuard said in explaining the technique. "In turn, the devices respond massively, causing the target to become inundated with a large volume of replies."

The growth in SSDP attacks meant more conventional techniques all went down compared to the year-ago quarter.

Less surprising was the distribution of where those attacks were coming from (as in where the bots launching it were based.) China was the most common, accounting for 23 per cent, followed by the US, with 18 per cent. This is to be expected, notes NexusGuard, as the US and China also account for around a third of the total online population.

France (7 per cent), Russia (4 per cent), and Brazil (2.5 per cent) rounded out the top five. ®

More about


Send us news

Other stories you might like