Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

10 Days of DDoS: an Actor’s “Working” Hours

Threat actors working on a schedule similar to that of legitimate businesses recently launched large distributed denial of service (DDoS) attacks for ten days in a row, CloudFlare researchers warn.

Threat actors working on a schedule similar to that of legitimate businesses recently launched large distributed denial of service (DDoS) attacks for ten days in a row, CloudFlare researchers warn.

Starting on Nov. 23 and running through Dec. 2, the actor behind a DDoS-capable tool has been launching large-scale attacks for roughly eight hours each day, seemingly during specific working hours. CloudFlare, which observed and mitigated several of the attacks, says that the actor started work at around 18:00 UTC (13:00 EST) each day and ended shift eight hours later, at around 02:00 UTC (21:00 EST).

Day after day, with only slight variations of half an hour or so, the actor would employ this pattern when launching DDoS attacks, as if they “’worked’ a day and then went home,” CloudFlare says. On the last day, the attacks continued for 24 hours straight, either because the attacker no longer took the night off, or because multiple operators worked in shifts to keep the floods going.

The attacks, the security researchers say, were quite large: they peaked at 172Mpps (Million packets per second) and 400Gbps (Gigabits per second) on the first day, but went over 200Mpps and 480Gbps on the third day.

“And the attacker just kept this up day after day. Right through Thanksgiving, Black Friday, Cyber Monday and into this week. Night after night attacks were peaking at 400Gbps and hitting 320Gbps for hours on end,” CloudFlare’s John Graham-Cumming reveals.

One of the most interesting aspects of these attacks is that they are not launched by the famous Internet of Things (IoT) botnet Mirai, but by a different tool, CloudFlare reveals. The attacker is sending very large L3/L4 floods aimed at the TCP protocol, a technique different from what Mirai uses.

The security researchers also note that the attacks they witnessed were highly concentrated in a small number of locations mostly on the United States west coast. This doesn’t come too much as a surprise, considering that DDoS bots have been long abusing cloud services offered by Amazon and other companies.

What this incident also reveals is how trivial it has become for a DDoS actor to launch attacks peaking above the 400Gbps mark. In fact, as Akamai’s Q3 State of the Internet report reveals (PDF), the number of attacks over 100Gbps went up 138% in the third quarter of this year compared to the same period in 2015, while DDoS attacks registered an overall increase of 71% since Q3 2015.

Related: This Web-based Tool Checks if Your Network Is Exposed to Mirai

Related: LDAP Attack Vector Makes Terabit-Scale DDoS Attacks Possible

Related: IoT Botnet Targets Olympics in 540Gbps DDoS Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE).