The security company expects these attacks to keep rising through the end of the year.
Q3 broke every record for the daily number of DDoS attacks, according to a new report from Kaspersky. On August 18, Kaspersky observed 8,825 attacks, with more than 5,000 on both August 21 and 22. The total number of DDoS attacks was up 24% compared to Q3 2020, while the number of advanced, "smart" attacks was up 31% over the same time period.
Kaspersky defines a smart DDoS attack as one that is often targeted and used to disrupt services, make resources inaccessible or steal money.
Alexander Gutnikov, a security expert at Kaspersky, said in a press release that the crypto mining and DDoS attack groups have been competing for resources over the last few years. He saw a decline in DDoS attacks as cryptocurrency gained in value, but now bad actors are redistributing resources.
"DDoS resources are in demand and attacks are profitable," he said. "We expect to see the number of DDoS attacks continue to increase in Q4, especially since, historically, DDoS attacks have been particularly high at the end of the year."
Kaspersky's report also described Meris, a new DDoS botnet discovered in the third quarter. Yandex and Qrator Labs first reported this threat, which is powered by high-performance network devices. It uses HTTP pipelining, which lets a client send multiple requests to a server over a single connection without waiting for a response. One DDoS attack attributed to Meris sent 17.2 million requests per second but lasted less than a minute.
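To show what pipelining looks like from the server side, the following added example (not from Kaspersky's report or from any Meris analysis) counts the complete HTTP/1.x requests read on one connection before any response has been sent. The threshold, function names and sample bytes are assumptions constructed for illustration, and only Content-Length bodies are handled.

```python
"""Count HTTP/1.x requests pipelined on a single connection (defender-side check)."""

MAX_PIPELINED = 8  # assumed policy threshold; tune it against your own traffic baseline


def count_pipelined_requests(buf: bytes) -> int:
    """Return how many complete requests sit in buf.

    buf holds the bytes a server or proxy has read from one connection
    before writing any response. A trailing partial request is not counted.
    """
    count, pos = 0, 0
    while True:
        end = buf.find(b"\r\n\r\n", pos)          # end of the header block
        if end == -1:
            break                                  # no further complete header block
        head = buf[pos:end].split(b"\r\n")
        request_line = head[0].split(b" ")
        if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/1."):
            raise ValueError("malformed request line")
        length = 0
        for line in head[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        if length < 0:
            raise ValueError("negative Content-Length")
        body_start = end + 4
        if body_start + length > len(buf):
            break                                  # body not fully received yet
        count += 1
        pos = body_start + length                  # skip the body, it may contain CRLFs
    return count


def exceeds_pipeline_limit(buf: bytes, limit: int = MAX_PIPELINED) -> bool:
    """True when one connection queued more requests than the policy allows."""
    return count_pipelined_requests(buf) > limit


# Constructed sample input: one ordinary request, and 20 sent back to back.
GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
NORMAL = GET
BURST = GET * 20

if __name__ == "__main__":
    for label, data in (("normal", NORMAL), ("burst", BURST)):
        print(label, count_pipelined_requests(data), exceeds_pipeline_limit(data))
```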
Security researchers Alexander Gutnikov, Oleg Kupreev and Yaroslav Shmelev wrote the Q3 report and explained two new threats. Researchers at the University of Maryland and the University of Colorado Boulder figured out how to spoof a victim's IP address over TCP. This new attack aims at security devices situated between the client and the server, including firewalls, load balancers, network address translators and others.
Nexusguard described another new type of attack that can target any network device. The bad actor sends requests to closed ports on devices in a communications service provider network, disguised as traffic from other devices in the same network. Processing these messages consumes a lot of resources and can overload the device and stop it from accepting legitimate traffic. Attackers can use this tactic to take down a provider's entire network, not just an individual server.
Other findings from the Q3 report include:
40.80% of DDoS attacks were directed at U.S.-based resources.
Most DDoS attacks took the form of SYN flooding.
Most of the botnet C&C servers were in the U.S. (43.44%).
Most of the bots attacking Kaspersky honeypots operated from China.
Kaspersky experts offer these recommendations to strengthen defenses against these attacks:
Maintain web resource operations by assigning specialists to respond to DDoS attacks.
Validate third-party agreements and contact information, including those made with internet service providers.
Establish typical traffic patterns and characteristics to make it easier to spot unusual activity related to a DDoS attack.
Have a restrictive Plan B defensive posture ready to rapidly restore business-critical services during an attack.