DDoS-for-Hire Crackdown Leads to 85% Drop in Attack Sizes

DDoS-for-Hire Crackdown Leads to 85% Drop in Attack Sizes

The average size of distributed denial-of-service (DDoS) attacks decreased by 85% on a YoY basis during Q4 2018 after the FBI seized the domains of 15 of the world’s biggest “booters” (DDoS-for-hire websites).

As described in Nexusguard’s DDoS “Threat Report 2018 Q4,” the number of DDoS attacks fell by 10.99% when compared to Q4 2017 as a direct result of FBI taking down the booters which were allegedly responsible for “more than 200,000 DDoS attacks since 2014.”

The drop in overall activity was not the only outcome seeing that the average and maximum DDoS attack sizes also drastically decreased by 85.36% and 23.91% according to cloud-based DDoS security provider Nexusguard’s analysis.

While common attacks like UDP, TCP SYN, and ICMP also saw significant drops on a YoY basis, SSDP (Simple Service Discovery Protocol) amplification attacks — the most attractive “Bit-and-Piece” DDoS attack vector for malicious actors — saw an astonishing boost of 3,122.22% YoY and 91.21% QoQ.

Q4 2018 DDoS attack stats

SSDP attacks are launched by threat actors over UDP with the help of Universal Plug and Play devices such as routers, servers, printers, and IP cameras, by sending UDP packets from the spoofed IP address of the target to exploitable devices which send back a response amplified by an amplification factor as high as 30x according to US-CERT.

“DDoS attacks in Q4 2018 saw a drop in both maximum and average size YoY (down 85.36% and 23.91%, respectively), while both rose QoQ (up 3.75% and 49.15%, respectively),” says Nexusguard.

In addition, DDoS attack durations saw an increase of 175.61% YoY, reaching up 450 minutes on average, with the longest attack lasting no less than 18 days, 21 hours, and 59 minutes.

As a rule of thumb for DDoS attacks during Q4 2018, they were commonly designed to hit their targets during business hours to do the most possible damage, with one victim experiencing “as many as 13 attacks in a day, each spanned from 28.95 minutes to as persistent as 1493.93 minutes in duration.”

Distribution of DDoS Attack Vectors

Although FBI’s crackdown on “booters” put a sensible dent in DDoS attack sizes during Q4 2018, Nexusguard’s CTO Juniman Kasman believes that “the FBI’s December crackdown only scratched the surface of a global problem.”

Also, “While booters are visible targets, businesses must also manage the vulnerabilities that stem from unpatched hardware and software, human error and new attack methods, especially as the footprint of IoT expands.”

In related news, Europol and its worldwide law enforcement partners are engaging in a crackdown on several hundred customers of DDoS-for-hire services as part of Operation Power Off which led to the shut down of the WebStresser booter/stresser website in April 2018, the world’s largest booter at the time with a whopping 151,000 registered users.

As proof of booter shut down efficiency, DDoS attacks fell 60% across Europe following the WebStresser takedown according to a report by DDoS mitigation firm Link11’s Security Operation Center (LSOC) from May 2018.