Is it a SYN?

An obsession with retro clothing, cameras and luggage lingers across the UK, as an appetite for all things vintage shows little sign of fading.

Hackers and script kiddies increasingly seem to be of the same opinion: aging technology with a patina of wear is better than shiny new objects.

They’ve been turning to aging 1980s protocols to help launch DDoS attacks in recent months, according to a new report from Kaspersky.

More below.

A Distributed Denial of Service (DDoS) attack relies on multiple compromised computer systems to attack a target, such as a server or website to disrupt service or serve as a mask to hide more targeted intrusions into an organisation’s infrastructure.

Their scale has been growing extensively in recent years and efforts to improve so-called third-party amplification have taken some unusual twists.

See also: Protonmail Hit By Yet Another DDoS Attack

Third Party Amplification

Kaspersky said: “One way to increase the attack power is third-party amplification. Hackers continue to look for ways to amplify DDoS attacks through new (or well-forgotten old) vulnerabilities in widely popular software, not without success, unfortunately.”

They added: “Even before the panic over the recent wave of Memcached-based attacks had subsided, experts discovered an amplification method using another vulnerability—in the Universal Plug and Play protocol, known since 2001. It allows garbage traffic to be sent from several ports instead of just one, switching them randomly, which hinders the blocking process.”

They added: “This time, the KDP team detected and repelled an attack with a capacity in the tens of Gbit/s that exploited a vulnerability in the CHARGEN protocol—an old and very simple protocol described in RFC 864 way back in 1983.”

Windows-based DDoS Botnet Attacks Tumble

Cybersecurity company Kaspersky also highlighted a dramatic fall in Windows-based DDoS botnets – down almost sevenfold in the second quarter of 2018 – while the activity of Linux-based botnets grew by 25 percent.

This resulted in Linux bots accounting for 95 perecent of all DDoS attacks in the quarter, which also caused a sharp increase in the share of SYN flood attacks – up from 57 percent to 80 percent, Kaspersky said.

(A SYN flood attack exploits the design of the three-way TCP communication process between a client, host, and a server; it sends a lot of SYN [synchronise] packets to the target server from spoofed IP addresses. It continues until it exhausts a server is unavailable to process legitimate requests due to exhausted resource).

The report comes 12 weeks after Europol shut down Webstresser.org, the world’s largest DDoS-for-hire service.

The portal had more than 136,000 users and had served as the source of more than four million DDoS attacks in recent years.