IoT, Android Botnets Emerge as Powerful DDoS Tools: Akamai

Distributed denial of service (DDoS) attacks observed during the third quarter of 2017 relied on familiar vectors, but a newcomer that made headlines for abusing Android devices is expected to evolve, a new Akamai report suggests.

The new threat is the Android-based WireX botnet, which infected roughly 150,000 devices within a matter of weeks, the company's Third Quarter 2017 State of the Internet / Security Report (PDF) points out. Distributed through legitimate-looking infected apps in Google Play, the botnet spread quickly and might have grown even larger had it not been for a joint takedown effort by several tech companies.

Akamai, which took part in the botnet's takedown, expects WireX to persist, evolve, and flourish, just as the infamous Mirai Internet of Things (IoT) botnet did. Highly active last year, Mirai had a much smaller presence on the threat landscape during Q3, with the largest attack it powered peaking at only 109 Gbps (gigabits per second).

Regardless, Akamai believes organizations should be prepared for much larger DDoS attacks from these botnets. The holiday season is expected to bring incidents in which new attack techniques are put to use.

“The lure of easy access to poorly-secured end nodes and easily-available source code make it likely that Mirai-based attacks won’t be fading in the near future,” said Martin McKeay, senior security advocate and senior editor of the State of the Internet / Security Report. “Our experience suggests that an army of new potential attackers comes online every day. Coupled with that, the ubiquity of Android software and the growth in the Internet of Things are amplifying the risk/reward challenges that enterprises face to tremendous levels.”

According to Akamai’s report, the overall number of DDoS attacks observed during the third quarter grew only 8% over Q2, the same rate of growth seen for infrastructure-layer (layers 3 and 4) attacks. Web application attacks, on the other hand, continued to rise sharply: up 30% quarter over quarter and up a massive 69% year over year, the report shows.

Attackers made heavy use of SQL injection (SQLi) during the third quarter, with that vector up 62% year over year and 19% quarter over quarter. This is hardly surprising, given that the OWASP Top 10 2017 ranks “injection” (which includes SQLi) as the top vulnerability category.

Reflection-based attacks registered only a small increase (4%), while the average number of attacks per target reached 36, up 13% from the second quarter. The most heavily targeted customer, in the gaming sector, endured 612 DDoS attacks during the quarter, or about seven attacks per day on average, Akamai says.

Akamai’s report also reveals a large increase (217% year over year) in attacks originating in the United States, the top source country for web application attacks. The country was also the target of the bulk of the web application attack traffic Akamai saw during the third quarter, at 300 million attacks, five times the number aimed at the next-highest country, Russia.

The continued growth in DDoS attacks shows that defenders need protections against this type of assault in addition to keeping software and firmware patched at all times. Destructive campaigns such as NotPetya demonstrate the cost of unpatched systems, while breaches such as Yahoo's admission that all 3 billion of its accounts had been compromised, and the Equifax breach, show that no organization is immune.

“The third quarter’s headlines have illustrated the severe financial and business toll that cyber-attacks have had on businesses across many industries. With data showing that attacks are on the upswing as we head into the critical end-of-year and holiday season, the implication is clear: cyber security can only be ignored at great peril,” Akamai notes.

Related: Variant of Android WireX Bot Delivers Powerful UDP Flood Attacks


Ionut Arghire is an international correspondent for SecurityWeek.
