
Seven major botnets discovered and destroyed

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 07 Feb 2018
DDOS attacks aren't always about earning money.

During the last quarter of 2017, several major botnets were discovered and destroyed. The beginning of December saw the FBI, Microsoft, and Europol team up to knock out the Andromeda botnet, which had been in operation since 2011.

In addition, towards the end of October, the Indian Computer Emergency Response Team (CERT) issued a warning about a massive botnet being assembled by a hacker group using the Reaper and IoTroop malware, and earlier that same month, the spread of Sockbot through infected Google Play apps was detected and terminated.

These were some of the findings revealed in Kaspersky Lab's fourth quarter report for 2017, based on data from Kaspersky DDOS Intelligence, which analyses trends such as accidental DDOS attacks by spammers, political sabotage and the owners of DDOS botnets attempting to make money from Bitcoin.

Targets

During the last quarter of 2017, DDOS attacks were registered against targets in 84 countries, compared to 98 in Q3.

However, what didn't change was that the overwhelming majority of attacks occurred in the top ten countries on the list, with over half of all attacks in Q4 (51.84%) targeted at entities in China. The other countries in the top ten are the US, South Korea, UK, France, Canada, the Netherlands, Russia, Vietnam and Germany.

As far as the number of botnet command and control servers hosted in a particular country was concerned, Russia had the same number as China.

Business is business

Online commerce and cyber criminals also featured in Q4. In the run-up to Black Friday and Cyber Monday, Kaspersky Lab honeypots noted a sudden surge in the number of infection attempts on specially created bait by Linux-based DDOS bots. "This may reflect the desire of cyber criminals to increase the size of their botnets prior to a period of major sales and make money out of it," says Kaspersky Lab.

Bitcoin was also a major focus, with its value reaching all-time highs. Immediately following Bitcoin's release of a new kind of crypto-currency in the shape of Bitcoin Gold (BTG), BTG sites came under DDOS fire. Moreover, after the price of the crypto-currency soared in November, DDOS attacks heavily targeted the Bitfinex exchange with the apparent aim of profiting from Bitcoin price fluctuations caused by these attacks.

Duration of attacks

When it came to the duration of DDOS attacks via botnets, the longest attack in the last quarter of 2017 lasted only 146 hours. The victim was a site belonging to a Chinese company that teaches how to cook traditional Asian food.

The most infamous attacks during this reporting period had political motivations behind them, such as the DDOS attacks targeting the Czech statistical office and the site of the Spanish Constitutional Court.

In the context of the report, an incident is considered a separate DDOS attack if the interval between botnet activity periods does not exceed 24 hours. Should the same Web resource be attacked by the same botnet with an interval of 24 hours or more, the incident would be considered two attacks. In addition, bot requests originating from different botnets, but directed at one resource count as separate attacks.
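The counting rule above can be applied mechanically to a list of observed botnet activity periods. The following is an added illustration, not code from the report or from Kaspersky Lab; the activity periods, targets and botnet names are constructed sample values, and the 24-hour threshold is the one the report states.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of observed activity periods: (target, botnet, start, end).
# Illustrative values only, not data from the Kaspersky report.
ACTIVITY = [
    ("shop.example", "botnet-A", "2017-11-24 08:00", "2017-11-24 10:00"),
    ("shop.example", "botnet-A", "2017-11-25 06:00", "2017-11-25 07:00"),  # 20h gap: same attack
    ("shop.example", "botnet-A", "2017-11-26 12:00", "2017-11-26 13:00"),  # 29h gap: new attack
    ("shop.example", "botnet-B", "2017-11-24 09:00", "2017-11-24 09:30"),  # other botnet: separate
    ("exchange.example", "botnet-A", "2017-11-24 08:00", "2017-11-24 08:30"),
]

SPLIT_AFTER = timedelta(hours=24)  # gap of 24 hours or more starts a new attack


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def count_attacks(periods, split_after=SPLIT_AFTER):
    """Group activity periods into distinct attacks using the report's rule.

    Periods from the same botnet against the same resource are merged while
    the gap from one period's end to the next period's start is under
    `split_after`; a gap of 24 hours or more makes the next period a new
    attack. Periods from different botnets never merge, even against one
    resource. Returns {(target, botnet): [(start, end), ...]}.
    """
    by_key = defaultdict(list)
    for target, botnet, start, end in periods:
        by_key[(target, botnet)].append((parse(start), parse(end)))
    attacks = {}
    for key, spans in by_key.items():
        spans.sort()
        merged = []
        for start, end in spans:
            if merged and start - merged[-1][1] < split_after:
                merged[-1] = (merged[-1][0], max(merged[-1][1], end))
            else:
                merged.append((start, end))
        attacks[key] = merged
    return attacks


def total_attacks(periods):
    return sum(len(spans) for spans in count_attacks(periods).values())


def longest_attack_hours(periods):
    """Duration of the longest merged attack, the figure the report quotes."""
    return max((end - start).total_seconds() / 3600
               for spans in count_attacks(periods).values() for start, end in spans)
```

With the sample above, the three botnet-A periods against shop.example collapse into two attacks, giving four attacks in total and a longest attack of 23 hours.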

Accidental DDOS

In Q4, it was also noted that DDOS attacks are sometimes not about earning money or affecting services; they merely fall under the category of persistent online "crosstalk". Junk traffic has become so widespread that a server failing under too many requests might be the result of spam rather than an attack.

"You don't have to be a direct target to become a victim of a DDOS attack. Today, DDOS is an instrument for applying pressure or making money illegally, and attacks can harm not just large, well-known organisations but also very small companies," added Kirill Ilganaev, head of Kaspersky DDOS Protection at Kaspersky Lab.
