Over the last year security analysts worldwide have discovered a number of new botnets that do not merely push traffic at the target application server to consume bandwidth; they automatically send the most resource-intensive request the application will accept, so as to tie up the maximum amount of server resources with the minimum number of bots. The aim of these botnets is to have their DDoS traffic classified as genuine users, so that the DDoS protection engine can no longer distinguish legitimate from malicious requests.
One such bot is Chalubo, first detected in August 2018 and since then seen more and more often in the wild. Although it reuses the persistence techniques of the Xor.DDoS bot family, Chalubo is largely a fresh product designed solely for DDoS attacks. Security researchers have found separate builds for different architectures, among them x86, x86_64 and PowerPC. This suggests that the bot's trial period is over and it is ready to be deployed for mass attacks.
Another bot, nicknamed DemonBot, came into the limelight for hijacking Hadoop clusters by abusing an unauthenticated remote command execution exposure in YARN, Hadoop's resource manager. Because they are built to handle big data, Hadoop clusters command massive computing power. That is why DemonBot, although technically not very sophisticated, is dangerous in its choice of target. It is not limited to Hadoop either: it also runs on most IoT devices, which gives it a very wide pool of potential targets.
In autumn 2018 Avast published the first details of the Torii botnet, which it had detected a month earlier. Torii targets a wide range of IoT devices and architectures. Its malware is better hidden and uses several layers of persistence, and so promises to be far more dangerous than its predecessors. It is believed to be capable of collecting detailed information about the infected device and delivering it to its C&C server. No DDoS attack by Torii has been detected so far; however, experts expect one sooner rather than later.
Not only new botnets but also new attack mechanisms are raising the threat level. During the last couple of months of 2018 it emerged that FragmentSmack (CVE-2018-5391) is far more widely exploitable than previously anticipated. FragmentSmack is a flaw in the Linux kernel code that reassembles fragmented IPv4 and IPv6 packets. An attacker exploiting it sends a continuous stream of specially crafted, out-of-order fragments that never complete a datagram; the target keeps them queued for reassembly, and the per-packet cost of managing that ever-growing queue drives CPU utilisation to 100%, leaving nothing for legitimate requests. FragmentSmack was initially believed to affect Linux systems only, but security researchers have since found that the same technique works against several versions of Windows and at least 90 Cisco products.
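The practical question for a defender is whether a host has the FragmentSmack workaround in place: on unpatched kernels the published mitigation was to lower the IP fragment reassembly thresholds, since the raised kernel defaults (4 MiB high-water mark, 3 MiB low) are what make the attack cheap. The audit below is an added example written for this page, not code from the article or from any vendor; it assumes the commonly recommended ceilings of 256 KiB (high) and 192 KiB (low), which are an assumption you should replace with your own baseline, and it parses `sysctl -a` style output so it can be run against captured host output as well as the live `/proc` values.

```python
"""FragmentSmack (CVE-2018-5391) mitigation audit of IP fragment reassembly
thresholds.  Added example, not the article's own code.

Assumption (labelled): the recommended ceilings below are the widely published
workaround values for unpatched kernels (256 KiB high / 192 KiB low); adjust to
your own baseline.  A patched kernel is the real fix, this only checks the workaround.
"""
import re

# sysctl keys that size the reassembly queue for IPv4 and IPv6, with the
# assumed recommended ceiling for each (bytes)
FRAG_KEYS = {
    "net.ipv4.ipfrag_high_thresh": 262144,
    "net.ipv4.ipfrag_low_thresh": 196608,
    "net.ipv6.ip6frag_high_thresh": 262144,
    "net.ipv6.ip6frag_low_thresh": 196608,
}

LINE_RE = re.compile(r"^\s*([\w.]+)\s*=\s*(\d+)\s*$")


def parse_sysctl(text):
    """Parse 'key = value' lines as printed by `sysctl -a`; other lines are ignored."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def audit_fragment_thresholds(values, recommended=FRAG_KEYS):
    """Return {key: (current, recommended)} for every threshold that is above
    the recommended ceiling or missing from the input (current is None)."""
    findings = {}
    for key, limit in recommended.items():
        current = values.get(key)
        if current is None or current > limit:
            findings[key] = (current, limit)
    return findings


def read_live_sysctl():
    """Read the live values from /proc on a Linux host; returns {} where absent."""
    values = {}
    for key in FRAG_KEYS:
        path = "/proc/sys/" + key.replace(".", "/")
        try:
            with open(path) as fh:
                values[key] = int(fh.read().strip())
        except (OSError, ValueError):
            pass
    return values


# Constructed samples of `sysctl -a | grep frag` output, not captured from a real host
SAMPLE_VULNERABLE = """\
net.ipv4.ipfrag_high_thresh = 4194304
net.ipv4.ipfrag_low_thresh = 3145728
net.ipv4.ipfrag_time = 30
net.ipv6.ip6frag_high_thresh = 4194304
net.ipv6.ip6frag_low_thresh = 3145728
"""

SAMPLE_MITIGATED = """\
net.ipv4.ipfrag_high_thresh = 262144
net.ipv4.ipfrag_low_thresh = 196608
net.ipv6.ip6frag_high_thresh = 262144
net.ipv6.ip6frag_low_thresh = 196608
"""

if __name__ == "__main__":
    for name, sample in (("vulnerable", SAMPLE_VULNERABLE), ("mitigated", SAMPLE_MITIGATED)):
        findings = audit_fragment_thresholds(parse_sysctl(sample))
        print(name, "->", findings or "OK")
    live = read_live_sysctl()
    if live:
        print("this host ->", audit_fragment_thresholds(live) or "OK")
```

A missing key is reported as a finding rather than silently passed, because on a host where the IPv6 keys are absent you cannot assume the IPv6 path is safe; and the check deliberately says nothing about whether the kernel itself is patched, which is the only real fix.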
Overall in 2018, simpler DDoS techniques were on a downward trend, rendered largely pointless by improved protection against UDP and SYN floods. Over 90% of such attacks ended within five minutes, which is generally read as testing the water: once the attacker finds the target protected and the attack ineffective, it is called off. At the same time, more complex techniques, such as HTTP flooding combined with exploitation of application-layer vulnerabilities, are growing in both volume and duration. The conclusion is that from this point on, simpler DDoS attacks will increasingly give way to sophisticated, targeted assaults that take more time and resources to organise but have a far better success rate.
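The HTTP floods described above, and the opening point that modern bots pick the request that costs the server the most, are what a detection rule has to model: counting raw requests per client misses a bot that sends a handful of expensive searches per second while a busy legitimate user loads dozens of cheap static assets. The following sliding-window detector is an added example written for this page, not the article's or any vendor's code. It assumes the Apache/Nginx combined log format, a 10-second window, and a hypothetical table of "expensive" paths with cost weights; the log lines are constructed, not captured.

```python
"""Flag HTTP-flood sources in web server access logs by weighted request cost.
Added example, not the article's own code.

Assumptions (labelled): combined log format, a 10-second sliding window, and
a hypothetical EXPENSIVE table giving the relative server cost of a path.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hypothetical cost weights: a search or report costs far more CPU than a static asset
EXPENSIVE = {"/search": 10, "/api/report": 25}


def parse_line(line):
    """Parse one combined-format line into a dict with a parsed timestamp and
    a cost weight for its path; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["cost"] = EXPENSIVE.get(rec["path"].split("?", 1)[0], 1)
    return rec


def detect_floods(lines, window_s=10, cost_limit=50):
    """Sliding-window sum of request cost per client IP.  Lines must be in
    time order per IP.  Returns {ip: peak_cost} for every client whose
    weighted load inside any window exceeded cost_limit."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, cost) in window
    load = defaultdict(int)       # ip -> cost currently inside the window
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, cost = rec["ip"], rec["ts"], rec["cost"]
        q = recent[ip]
        q.append((ts, cost))
        load[ip] += cost
        # expire entries that have slid out of the window
        while q and (ts - q[0][0]).total_seconds() > window_s:
            _, old = q.popleft()
            load[ip] -= old
        if load[ip] > cost_limit:
            peak[ip] = max(peak.get(ip, 0), load[ip])
    return peak


def _line(ip, second, path):
    """Build a constructed combined-format log line (sample data, not captured)."""
    return '%s - - [10/Dec/2018:12:00:%02d +0000] "GET %s HTTP/1.1" 200 512' % (ip, second, path)


# Constructed sample: one normal user, one bot sending only expensive searches,
# and one chatty but cheap client that should NOT be flagged at the default limit
SAMPLE_LOG = (
    [_line("198.51.100.4", 0, "/index.html"),
     _line("198.51.100.4", 1, "/static/app.js"),
     _line("198.51.100.4", 4, "/search?q=shoes")]
    + [_line("203.0.113.7", s, "/search?q=%d" % s) for s in range(8)]    # 8 searches in 8 s
    + [_line("203.0.113.9", s // 3, "/index.html") for s in range(30)]   # 30 cheap hits in 10 s
)

if __name__ == "__main__":
    print(detect_floods(SAMPLE_LOG))  # expected: {'203.0.113.7': 80}
```

The cost table is the knob that matters: with every path weighted 1 the bot and the chatty client look alike, and lowering `cost_limit` is what starts catching plain volumetric HTTP floods at the price of more false positives on busy legitimate clients.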
If your web application is still unprotected, now may be the best time to seek a professional opinion. If you would like to discuss possible protection mechanisms, La Manguste's consultants are just a call or message away.