
DDoS reflection attacks are back -- and this time, it's personal

Maria Korolov | May 20, 2015
Attackers targeting personal computers on misconfigured home networks.

At the start of 2014, attackers' favorite distributed denial of service attack strategy was to send messages to misconfigured servers with a spoofed return address -- the servers would keep trying to reply to those messages, allowing the attackers to magnify the impact of their traffic. 

As those servers got patched, this strategy became less and less effective. But now it's back, according to a new report from Akamai. Except this time, instead of hitting data center servers or DNS servers, the attackers are going after personal computers on misconfigured home networks.

According to Eric Kobrin, Akamai's director of information security responsible for adversarial resilience, the attackers are taking advantage of plug-and-play protocols, commonly used by printers and other peripheral devices.

These attacks, known as Simple Service Discovery Protocol (SSDP) attacks, are now the single largest attack vector for DDoS attacks, accounting for 21 percent of all attacks, up from 15 percent last quarter, and less than 1 percent at this time last year.

"There are infectable SSDP services all over the Internet," he said. "As they are discovered, we help work with people to shut them down."

Although each particular device has just a fraction of the bandwidth available to data center-based servers, there are more of them.

"There's a fertile ground of home systems," he said. "A properly configured home firewall can block this, but there are many improperly configured home systems connected to the Internet -- and there are also industrial systems that can be used to reflect attacks as well."

This attack source is also harder to shut down, he said.

"It's easier to go into the data center and have the service providers do the clean-up," he said.

Last quarter, SYN flood attacks -- where "synchronize" messages are sent to servers -- were the leading attack vector, accounting for 17 percent of all attacks, down slightly from 18 percent of all attacks at the start of 2014.

There has also been a change in the size of the median attack, and the typical size range of attacks, Kobrin said, as defensive measures have improved.

"The smallest effective attack size has increased, year over year," he said. "It's because the smallest attacks are no longer effective."

Another type of DoS attack has gained a foothold for the first time this year. SQL injections, normally used to gain access to systems for the purpose of stealing data, are now being used to shut down Web sites as well.

Akamai saw more than 52 million SQL injection attacks during the first quarter of 2015, which accounted for 29 percent of all Web application attacks.

The most common targets for SQL injection attacks were retail, travel and media websites.

 
