10 Days of DDoS: an Actor’s “Working” Hours
Threat actors working on a schedule similar to that of legitimate businesses recently launched large distributed denial of service (DDoS) attacks for ten days in a row, CloudFlare researchers warn.
Starting on Nov. 23 and running through Dec. 2, the actor behind a DDoS-capable tool has been launching large-scale attacks for roughly eight hours each day, seemingly during specific working hours. CloudFlare, which observed and mitigated several of the attacks, says that the actor started work at around 18:00 UTC (13:00 EST) each day and ended shift eight hours later, at around 02:00 UTC (21:00 EST).
Day after day, with only slight variations of half an hour or so, the actor would employ this pattern when launching DDoS attacks, as if they “’worked’ a day and then went home,” CloudFlare says. On the last day, the attacks continued for 24 hours straight, either because the attacker no longer took the night off, or because multiple operators worked in shifts to keep the floods going.
The attacks, the security researchers say, were quite large: they peaked at 172Mpps (Million packets per second) and 400Gbps (Gigabits per second) on the first day, but went over 200Mpps and 480Gbps on the third day.
“And the attacker just kept this up day after day. Right through Thanksgiving, Black Friday, Cyber Monday and into this week. Night after night attacks were peaking at 400Gbps and hitting 320Gbps for hours on end,” CloudFlare’s John Graham-Cumming reveals.
One of the most interesting aspects of these attacks is that they are not launched by the famous Internet of Things (IoT) botnet Mirai, but by a different tool, CloudFlare reveals. The attacker is sending very large L3/L4 floods aimed at the TCP protocol, a technique different from what Mirai uses.
The security researchers also note that the attacks they witnessed were highly concentrated in a small number of locations mostly on the United States west coast. This doesn’t come too much as a surprise, considering that DDoS bots have been long abusing cloud services offered by Amazon and other companies.
What this incident also reveals is how trivial it has become for a DDoS actor to launch attacks peaking above the 400Gbps mark. In fact, as Akamai’s Q3 State of the Internet report reveals (PDF), the number of attacks over 100Gbps went up 138% in the third quarter of this year compared to the same period in 2015, while DDoS attacks registered an overall increase of 71% since Q3 2015.