CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?



DDoS Threat Increases While Mirai Becomes ‘Pay-for-Play’

The DDoS threat is increasing again. Pbot can generate 75 Gbps from just 400 nodes and Mirai has been commoditized. However, despite the growing number of attacks, the overall trend seems to be for more frequent, smaller attacks. These are the primary takeaways from a new Q2 study into internet traffic.

The DDoS threat is increasing again. Pbot can generate 75 Gbps from just 400 nodes and Mirai has been commoditized. However, despite the growing number of attacks, the overall trend seems to be for more frequent, smaller attacks. These are the primary takeaways from a new Q2 study into internet traffic.

Akamai Technologies, a Cambridge, Mass.-based content delivery network (CDN) and cloud services provider with more than 233,000 servers in over 130 countries, has published its Q2 State of the Internet report (PDF). The report comprises analyses of attack data seen across this network. It shows that DDoS attacks have increased by a massive 28% over the previous quarter.

Within this statistic, infrastructure layer (layers 3 and 4) attacks have risen by 27%; reflection-based attacks have risen 21%; and the average number of attacks per target has increased by 28%. Gaming sites are frequent targets, accounting for 81% of all volumetric DDoS attacks monitored by Akamai.

While the average number of attacks per target rose to 32 over the period, one gaming site suffered 558 attacks, averaging six per day throughout the period.

The final months of 2016 were notable for the largest DDoS attacks ever seen; but the current trend, suggests the report, is for smaller attacks. This is despite the continued availability of the Mirai botnet, and the use of Pbot malware to create mini-DDoS botnets able to generate a 75 Gbps attack from just 400 bots. Pbot’s power comes from infecting webservers able to create more traffic per node than, say, Mirai’s infection of large numbers of small IoT devices.

“We know that massive DDoS attacks are possible,” says the report, “but could this be a new trend going forward? Have DDoS attackers taken to more subtle, targeted attacks to avoid drawing attention?”

This possibility is given extra weight by the evolving nature of Mirai attacks. Akamai was one of the first Mirai targets in Fall 2016, and has continued to be a target. This long-standing adversarial relationship has allowed Akamai to study Mirai in some depth.

Akamai DDoS report

Mirai is often thought of as a single massive network of bots. In reality, says Akamai, “it is more akin to smaller hives of related bots and C&Cs.” An analysis of different Mirai C&Cs shows that parts of Mirai are used to attack different targets, with some C&Cs attacking multiple targets, and others attacking a single target.

Advertisement. Scroll to continue reading.

“At least one botnet operator was offering access to the systems under its control for rent,” notes Akamai, “which may explain why some botnets attacked such a large number of IP addresses.”

Akamai says it will continue its research into and analysis of Mirai, but for now notes that it appears to be contributing to the commoditization of DDoS. The large number of different attacks emanating from single C&Cs can be considered as ‘pay-for-play’ attacks — they were seen attacking IPs for a short duration, going inactive, and then re-emerging to attack different targets.

The report also notes that DNS traffic analysis can be used to passively locate the likely incidence of malware infections. Ever since Conficker, malware has been using domain generation algorithms (DGAs) to hide their C&C infrastructure. These DGAs generate many pseudo-random IP addresses every day. The attacker needs to choose only one of the expected domains and register it ‘just in time’, and then abandon it after use. The malware, however, doesn’t know which is the correct IP to contact, and cycles through the possibilities until it finds the right one.

Akamai analyzed the traffic of more than 2.5 million connected networks. One hundred and forty were known to be infected with malware. “When looking at the average number of unique domains accessed per hour,” notes the study, “we saw that infected networks had approximately 15 times the lookup rate of a clean network.” This is explained by the malware trying to access the DGA-generated IPs. “Since most of the generated domains were not registered, trying to access all of them created a lot of noise.”

DNS monitoring is thus a potential method of breach detection. “Security defenders are advised to make certain they are using a combination of security monitoring products that include DNS monitoring,” concludes Akamai. “Having visibility into different areas of the enterprise network will increase detection and reduce risks. For the best defense, security controls should also be in place on endpoint devices and the inner network, not just Internet connectivity.”

Related: Pulse Wave DDoS Attacks Disrupt Hybrid Defenses

Related: North Korea’s DDoS Attacks Analyzed Based on IPs

Related: Don’t Be In Denial About DDoS

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.