DDoS Attack Analysis For 2015

2015 was the year in which new methods came into use for DDoS attacks. According to the report by Kaspersky, 2015 saw a rise in reflection attacks, the use of botnets and application-level attacks.

Using WordPress as a DDoS tool allowed attackers to control thousands of websites and direct them at a single target. By abusing the pingback function and triggering it over a thousand times at once, the attacker overwhelms the victim's resources. Attackers also used zero-day exploits to take control of WordPress installations, where they inject JavaScript code and evade DDoS mitigation by relying on the HTTPS protocol, which allowed the attack traffic to bypass filtering. According to the report, “The power of one such DDoS attack registered by Kaspersky Lab experts amounted to 400 Mbit/sec and lasted 10 hours. The attackers used a compromised web application running WordPress as well as an encrypted connection to complicate traffic filtering”.
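Even when the flood arrives over HTTPS, the requests are visible in the target's own web server log once TLS is terminated. As an added example (not from the Kaspersky report or the original post), the following Python script parses constructed access-log lines in Apache combined format and flags a pingback flood; it assumes the User-Agent string WordPress sends when verifying a pingback ("WordPress/<version>; <site URL>; verifying pingback from <IP>").

```python
import re
from collections import defaultdict

# Constructed sample log: three unrelated WordPress sites fetching the same
# large file as "pingback verification", plus one ordinary browser request.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Nov/2015:12:00:01 +0000] "GET /large-file.pdf HTTP/1.1" 200 5120000 "-" "WordPress/4.3.1; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [10/Nov/2015:12:00:01 +0000] "GET /large-file.pdf HTTP/1.1" 200 5120000 "-" "WordPress/4.2; http://blog-b.example; verifying pingback from 198.51.100.7"
203.0.113.12 - - [10/Nov/2015:12:00:02 +0000] "GET /large-file.pdf HTTP/1.1" 200 5120000 "-" "WordPress/4.3.1; http://blog-c.example; verifying pingback from 198.51.100.7"
203.0.113.10 - - [10/Nov/2015:12:00:02 +0000] "GET /large-file.pdf HTTP/1.1" 200 5120000 "-" "WordPress/4.3.1; http://blog-a.example; verifying pingback from 198.51.100.7"
192.0.2.44 - - [10/Nov/2015:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-Agent of a WordPress pingback verification fetch (assumed format).
# The trailing IP is whoever submitted the pingback to that blog, so one
# controller abusing many blogs tends to show the same value everywhere.
PINGBACK_RE = re.compile(
    r'^WordPress/[\d.]+; (?P<site>\S+); verifying pingback from (?P<claimed>\S+)$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def pingback_flood_report(log_text, min_sites=3):
    """Group pingback verification fetches by requested path and report the
    paths hit by at least min_sites distinct WordPress origins: many unrelated
    blogs pulling the same URL at once is the hallmark of a pingback flood."""
    per_path = defaultdict(lambda: {"requests": 0, "bytes": 0, "sites": set(), "sources": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        pb = PINGBACK_RE.match(rec["ua"]) if rec else None
        if not pb:
            continue  # unparsable line or not a pingback fetch
        path = rec["req"].split(" ")[1] if " " in rec["req"] else rec["req"]
        agg = per_path[path]
        agg["requests"] += 1
        agg["bytes"] += int(rec["bytes"]) if rec["bytes"].isdigit() else 0
        agg["sites"].add(pb["site"])
        agg["sources"].add(rec["ip"])
    return {p: {"requests": a["requests"], "bytes": a["bytes"],
                "sites": sorted(a["sites"]), "sources": sorted(a["sources"])}
            for p, a in per_path.items() if len(a["sites"]) >= min_sites}

if __name__ == "__main__":
    for path, info in pingback_flood_report(SAMPLE_LOG).items():
        print(f"{path}: {info['requests']} pingback fetches, {info['bytes']} bytes "
              f"served, from {len(info['sites'])} WordPress sites")
```

Once a path is flagged, the same aggregation gives the list of source IPs to rate-limit and the bytes wasted, which is what the mitigation decision needs.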

Hackers have also turned to IoT devices, targeting CCTV cameras to launch DDoS attacks. Compromised CCTV cameras are assembled into a botnet and used to bring down large websites. Most of the blame lies with the operators, who never change the cameras' default passwords. The hackers install malware such as Bashlite, Lightaidra or GayFgt. Based on the latest reports, researchers found 900 CCTV cameras forming a botnet to attack a website.

2015 also saw a rise in reflection DDoS attacks that abused NetBIOS name servers, RPC portmap services and Sentinel licensing servers. By sending corrupted packets, an attacker can take a victim's IP offline through amplification that occurs unintentionally at the protocol level: instead of a single corrupted packet reaching the victim, the flaw amplifies it by a factor of 10.

DDoS attacks will continue to evolve, and hackers will keep looking for ways to stay a step ahead. Most of these attacks exploit flaws in scripts, protocols and devices, and they can be avoided if system administrators take the proper steps.