Online shopping is top DDoS attack target, application-layer techniques dominate, Kaspersky reports

March 30, 2012


Online shopping sites are the leading target of distributed denial of service (DDoS) attacks, according to Kaspersky Labs. An analysis posted on Securelist reports that a quarter of the attacks detected in the second half of 2011 were aimed at online shops, auctions, etc., followed by online trading (20%), online gaming (15%) and banks (15%).

The report does not go into the motivations behind the attacks, but competitors seeking unfair business advantage frequently use DDoS as a weapon, hiring a botnet or renting the services of DDoS hit teams for modest investments. The idea is to deny business to the competition and frustrate customers in the hope of driving them to their own site. (In a recent survey by Corero Network Security, more than half the U.S. companies that were victims of DDoS attacks cited unscrupulous competitors.) In addition to the hacktivist attacks that have drawn so much attention, criminal extortion under threat of DDoS attack — a digital version of the protection racket — is a common motive.

Regarding the trading sites, Kaspersky notes that attackers showed considerable interest in sites through which government-owned and municipal institutions place their orders.

Online gaming (predominantly gambling, but including online video gaming) attacks were aimed primarily at game server hosting services, followed by servers, generally owned by software pirates offering online games.

Attacks on media and government websites accounted for 2% each. The latter were generally considered some form of protest. Kaspersky notes that the media attacks included sites of television channels and magazine and newspaper publishers in former Soviet republics.

The types of techniques used to launch DDoS attacks have shifted in recent years from network-based floods to application-layer DDoS attacks. Kaspersky reports that 80% of the DDoS incidents it detected were some form of HTTP attack.

These are becoming the attacks of choice because they are hard to detect and mitigate, and require fewer resources.

“HTTP floods can mask the bots by imitating the behavior of real users on the web server,” says Yury Namestnikov, senior malware analyst at Kaspersky, “and that makes it very hard to filter such bots.”

UDP, SYN and ICMP floods, in descending order, accounted for the balance.

The report also summarizes some of the interesting new possible attack methods released by researchers, including one which showed how Google servers could be used to attack any site. Another demonstrated how to exploit SSL to create a denial of service. The latter technique is an example of how DoS attacks might be executed without requiring large botnets. (Some attacks demonstrated by researchers require only a single computer to bring down a target.)

The analysis also shows some shifting in the countries that are sources of attack computers (hijacked into botnets). In the first half of 2011, the leading source countries were the U.S., Indonesia and Poland. In the second half of the year, Russia (16%) and the Ukraine (12%) were the leaders. The U.S. only accounted for 3% of the attack computers (down from 11%). In all, 201 countries were sources of bots used in DDoS attacks.
