ARBOR INSIGHT

Four Things About DDoS Malware That Will Surprise You

1. DDoS is a malware problem.
2. DDoS malware is prolific.
3. DDoS malware is cheap.
4. DDoS malware is easy to detect—at the beginning.

The rise of hacktivist groups like “Anonymous” has increased awareness about security attacks that threaten corporate integrity and availability. But how much do you really know? The media often focuses on the consequences of the security event, such as the cost, the information that was lost, etc. While understanding the consequences is critical for negotiating budget, it often glosses over the real problem—the attacks themselves. By understanding the key drivers of security attacks, overwhelmed security administrators are better armed to tackle these threats. We’ve pulled together four surprising things about DDoS malware.

1. DDoS is a Malware Problem

Distributed denial of service or “DDoS” became a common industry term in the early 2000s when high-profile organizations were taken offline by large volumes of traffic that overwhelmed Web servers, causing them to shut down. The media attention on these attacks has shaped common notions of what DDoS is. New techniques are being used for DDoS, including “low and slow” application-layer attacks aimed at evading perimeter security devices, and techniques like phishing to install malware on victims’ systems. High-volume “flood” attacks are still common, but attackers have moved on to more diverse techniques.

Figure: Size of Largest Reported DDoS Attack (Gbps), by year
2002: <1
2003: 1
2004: 3
2005: 10
2006: 17
2007: 24
2008: 40
2009: 49
2010: 100
2011: 60
2012: 60
2013: 309
Source: Worldwide Infrastructure Security Report, Arbor Networks
In the Arbor Networks® ninth annual Worldwide Infrastructure Security Report, respondents report seeing more complex attacks—such as botnets or malware in conjunction with DDoS. Essentially, attackers use malware to access the network and amass zombies that can be controlled (or sold) for use in DDoS attacks. Examples of this type of attack are the ZeroAccess and Carberp botnets, both of which include a DDoS plug-in.

2. DDoS malware is prolific.

Attacks like Brobot, DirtJumper and LOIC get a lot of media attention, so this point seems obvious. However, these stories only cover attacks on high-profile organizations or those that caused significant damage. The reality is that most of these attacks aren’t covered in the media.

ATLAS® is a collaborative effort with nearly 300 ISP customers who have agreed to share anonymous traffic data with Arbor, together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. By participating in ATLAS, ISPs gain visibility far beyond the borders of their own networks, across the Internet itself. With this unique vantage point, Arbor is ideally positioned to deliver intelligence about malware, exploits, phishing and botnets that threaten Internet infrastructure and services.

The Arbor Security Engineering & Research Team (ASERT) is dedicated to finding DDoS and botnet attacks. Each day, this team receives hundreds of thousands of malware samples and malicious IPs from third parties as well as from ATLAS. The team has uncovered and categorized more than 360 malware families that include a DDoS element. When you consider that a malware family can include multiple variants and access methods, the overall number of these attacks is staggering. Arbor Networks provides protection for all of these families (and attacks) via the ATLAS® Intelligence Feed.

3. DDoS malware is cheap.
This might seem counterintuitive, since the consequences of DDoS malware can be financially devastating. However, these attacks are inexpensive (or in some cases free) to deploy. Would-be attackers can rent attack toolkits for a few thousand dollars and/or purchase malware code for a few hundred dollars. In fact, malware production has become so commoditized that in some cases—such as some Chinese-language malware forums—malware code can be downloaded for free. This is in addition to other freely available tools like LOIC and HOIC. Inexpensive malware has made it easier to use DDoS for activities such as competitive takeouts or grassroots organizations proving a point.

4. DDoS malware is easy to detect—at the beginning.

In many cases, the original malware that initiates DDoS activity is relatively easy to detect with up-to-date antivirus signatures. However, once the malware makes its way into your network, identification is trickier. In these cases, the DDoS plug-in arrives encrypted, bypasses your detection controls, and then decrypts itself into the system’s memory. At this point, it becomes extremely difficult to uncover.

The Arbor Platform

The Pravail® platform from Arbor Networks provides the enterprise with more comprehensive protection from multi-stage, multi-vector attacks like DDoS malware. Pravail® Availability Protection System appliances monitor and block DDoS and botnets that are trying to take your network offline. At the same time, Pravail® Network Security Intelligence software and appliances scour your network to uncover and catalogue activities that indicate malware infection. All Pravail products use security research feeds from ASERT to help maintain the most up-to-date protection against the latest DDoS, malware and botnet threats.

For more information on how Pravail helps you address DDoS malware, please visit www.arbornetworks.com/products/pravail.

Corporate Headquarters
76 Blanchard Road, Burlington, MA 01803 USA
Toll Free USA +1 866 212 7267
T +1 781 362 4300
North America Sales: Toll Free USA +1 855 773 9200
Europe: T +44 207 127 8147
Asia Pacific: T +65 68096226
www.arbornetworks.com

©2014 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, Pravail, Cloud Signaling, Arbor Cloud, ATLAS, We see things others can’t.™ and Arbor Networks. Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners. AI/4THINGS/EN/0814-LETTER