If someone wants to disrupt a website or online service—or take it down altogether—a popular method is to wallop it with a massive flood of junk traffic or bogus requests. These so-called distributed denial of service attacks have for years been a fact of life on the internet. But a recent spate of major campaigns has raised the specter of DDoS mercenaries increasingly targeting attacks at the behest of the highest bidder.
On Wednesday, the cybersecurity firm Trend Micro is releasing findings about escalating global turf wars between attacker groups vying to seize control of vulnerable routers and other devices. Their aim: to power botnets that can direct a firehose of malign traffic or requests for DDoS attacks. Such territory disputes are a hallmark of botnets, but attackers seem increasingly motivated grow their zombie armies not for their own purposes, but in service of more professionalized—and profitable—”DDoS for hire” schemes.
“Four or five years ago attackers were just compromising as many routers as they could,” says Robert McArdle, director of forward-looking threat research at Trend Micro. “If they could get 1,000 they were happy, if they could get 10,000 they were happier. Now when you start thinking of it as a business those are growth numbers. They’re thinking more corporate. It’s a key change.”
One challenge of DDoS research is getting insight into specific numbers of IoT devices infected with botnet malware. Unlike, says, Windows computers, most consumer-grade IoT devices like routers don’t run any type of monitoring software that provide visibility. Even more kitted out enterprise networks don’t always extend their protections to every IoT device, leaving some exposed to attack.
In general, though, DDoS activity appears to have been steady the first months of 2020. From November 11, 2019 to March 11 of this year, network performance company Netscout observed an average of about 735,000 DDoS attacks per month. But from March 11 to April 11th of 2020, the group observed more than 864,000 attacks, the largest number Netscout has ever seen in a 31-day period by 17 percent.
Those attacks are noteworthy not only for their frequency but their size, measured in terabits-per-second or packets-per-second. Amazon Web Services said in a recent report that it successfully thwarted an impressive three-day attack in mid-February against one of its customers that peaked at 2.3 terabits-per-second—44 percent larger than any similar DDoS attack previously detected on AWS’s infrastructure. The internet infrastructure firms Akamai and Cloudflare both fended off attacks between June 18 and June 21 that peaked at 754 million packets-per-second for Cloudflare and a record 809 million packets-per-second for Akamai.
Though the motivation for these two attacks is unknown, both firms say that they didn’t see evidence that the assaults were extortion attempts—a monetization strategy DDoSers sometimes tried during the 2010s. This could mean that the attacks were ideologically motivated, and even that they came from DDoS-for-hire services. Regardless of their origin, the TrendMicro researchers say that DDoS-for-hire more broadly is escalating, and that attackers are going to greater and greater lengths to break into consumer routers for more DDoS firepower.
“It’s not so much that attackers have upgraded the botnet source code that’s out there, it’s that now they’ve figured out the way to monetize these attacks,” says David Sancho, a senior threat researcher at Trend Micro. “And the price of entry is so, so low that it’s driving more and more attacks.”
In addition to happening within days of each other, both the Akamai and Cloudflare attack focused on overwhelming applications and networking hardware with a deluge of network communication data packets. This type of DDoS attack doesn’t involve sending a huge amount of junk data; Cloudflare said the attack it dealt with hit 250 gigabits-per-second, far from a noteworthy attack in that respect. But the unusually high packet rate common across both attacks can be just as devastating—what Cloudflare calls “a swarm of millions of mosquitoes that you need to zap one by one.”