Bad bots: DDoS attacks spike in first quarter, outdoing all of 2011

Distributed denial-of-service (DDoS) attacks, the coordinated attacks by armies of (usually hacked and remote-controlled) PCs against websites and other online services, are like part of the Internet’s weather. And in the past, DDoS attacks were like hurricanes—they peaked and ebbed with a fairly specific seasonal pattern. The more publicly visible attacks of groups like Anonymous tend to chase headlines, and are less predictable. But the less visible ones—motivated by money rather than politics—tend to peak during the holiday shopping season, when the potential losses from having a website go down are the greatest, and companies are most likely to cave to extortion demands.

But that hasn’t been the case so far this year, according to a report by website security firm Prolexic. The number of denial-of-service attacks in the first quarter of 2012 grew 25 percent compared with the same period of 2011, and was nearly equal to the number in the last three months of last year. Not only has the number of DDoS attacks not dropped from its seasonal high, but the volume of junk traffic being created by them has spiked dramatically—the company reports that it has fended off more malicious traffic in the first three months of 2012 than it did in all of 2011—9.5 petabytes of raw data, and 408 trillion network packets.

The report, based on forensics and post-attack analysis by Prolexic’s Security Engineering and Response Team, also found that attackers are shifting to new platforms as well, increasingly creating botnets that exploit browsers, Mac OS X, and mobile phone platforms to generate their traffic. The data points to a change in focus and strategy by denial-of-service attackers as the key driver for the leap in DDoS attacks.

Part of the reason for the sustained number of attacks so far this year is that attackers have shifted their attention to vertical industries less dependent on the seasons than retail. Neal Quinn, Prolexic’s vice president of operations, said that the first three months of 2012 were “characterized by extremely high volumes of malicious traffic directed at our financial services clients”—a volume that, as shown in the infographic from Prolexic below, dwarfed what they faced in all of 2011 by orders of magnitude. “We expect other verticals beyond financial services, gaming and gambling to be on the receiving end of these massive attack volumes as the year progresses,” he added.

Most of the DDoS attacks on Prolexic’s clients in the first quarter of the year—41 percent of them—happened in January, with another big peak during the week of February 11-19. Quinn said in a phone interview with Ars that there wasn’t any specific event related to the peaks in attacks—they were spread across “a relatively broad distribution” of Prolexic’s customers. The spikes did correspond with some more public and politically motivated attacks early this year, including DDoS attacks on Facebook by factions of Anonymous and politically motivated attacks against financial institutions in Israel, Saudi Arabia, and the United Arab Emirates, but those didn’t factor heavily into Prolexic’s numbers.

And where do these attacks come from? While it’s difficult to attribute attacks to specific sources, compromised computers in China were the leading point of origin of attacks against Prolexic’s customer base, both in terms of individual computers involved and the volume of traffic sent from them. That finding was based on forensic analysis of malicious traffic recorded from 2.9 million IP addresses in the first three months of 2012.