According to Nexusguard’s Q4 2015 threat report, attacks on Turkey skyrocketed ten-fold to more than 30,000 events per day, surpassing the thousands of attacks on other popular targets like China and the U.S. The attacks, targeting Turkish IP addresses, contributed to a big increase in DNS attacks, outweighing other popular NTP and CHARGEN methods by 183 percent.
In its analysis of the fourth quarter results, the report said, "This last quarter...started out very typical with a few thousand events per day then skyrocketed to over 30,000 events per day...targeting Turkey with DNS attacks. This can be seen with Turkcell and Turkish Telecom both the number 1 and number 2 top targets of the quarter. In these attacks it appears that statements were being made."
While the source of the attacks cannot be confirmed, Nexusguard and other security analysts can make very educated guesses as to where the attacks are coming from. The relationship between Turkey and Russia turned tense and highly political over downed planes and missiles in Syria as 2015 came to a close, which suggests this spike in DDoS attacks might have been more than an anomaly.
"It's interesting to watch the news and look behind the scenes and see these attacks occurring. They have trickled down a little bit, but it's never slowed down. Even when we first started this project, Russia was a top target and Crimea was just flaring up," said Terrence Gareau, chief scientist at Nexusguard.
Though Gareau said there’s never really a fine line of evidence, he explained, "When you look at targets, you start to build a story. A lot of the geopolitical story can be understood because they are different in how they are attacked."
Trends exist in the dark net just as they do in the technology of the modern enterprise. "You start to see trends that are more meaningful—they are filled with rage or hate or patriotic pride. There is a difference in the style of attacks, in how hard they will try or the domains they will use," explained Gareau.
The recent results of Nexusguard's Q1 2016 research show that attackers have reverted to using NTP methods more frequently than DNS, though the top three methods of attack remain NTP, DNS, and CHARGEN. The US returned to the top of the target list.
"The US is always in the top 5, usually top 3 in targets," said Gareau. Experts expect that the US will continue to see more of these exercises in political dissidence as the 2016 Presidential election continues to unfold.
Chase Cunningham, director of cyber threat research at Armor, wasn't surprised by the upsurge of attacks on Turkey at the end of the year. "Geopolitical events consistently change. Whether countries officially support or turn a blind eye to the attacker, these types of campaigns happen regularly," Cunningham said.
No country is innocent of these attacks, whether it's Iran targeting financial institutions, Russia attacking Estonia or Georgia, or the US turning a blind eye to political activists like Jester, said Cunningham.
Given the ease with which they can be constructed, attackers will continue to take advantage of this digital power hold. Cunningham said, "DDoS still seems to be the number one type of attack to leverage for geopolitical. It's easy to string together a botnet or underground enterprise and bring the target to its knees for a few hours."
Leveraging public resources, said Cunningham, doesn’t take a whole lot of technical know-how. "It’s a broad use tool that anybody with enough time on YouTube," he continued.
In fact, they are so easy to leverage that Cunningham said, "I think it’s interesting that we haven’t seen more DDoS attacks during the campaign given the shenanigans." Others agreed that they expected to see more targeted underground actors trying to put out something in the media that is trying to ruin a campaign.
As 2015 came to a close, security analysts made lots of predictions about the types of attacks enterprises should expect to see in 2016. DDoS was supposed to be a lot more disruptive.
Cunningham said, "I thought 2016 would be the year for geopolitical activities but we haven’t seen much of that so far. The guys who are good are abandoning those and going deeper, using targeted malware or ransomware, moving to do things that are more malicious to give them more return on their investments."
Ryan O'Leary, vice president of the Threat Research Center at WhiteHat Security, suggested something similar when speculating about the motivation behind different attack methods.
"DDoS evolved from people having fun to more targeted acts of retaliation or protest. In January," O'Leary said, "there was a well published one on Trump when New Frontier launched DDoS against him because he was overly racist."
Perhaps O'Leary is onto something and DDoS is becoming more and more popular as an attack technique to protest or retaliate. "DDoS is often used to raise awareness and protest, to say 'We brought down your site, nobody can get to you because we don't like you.' It's a platform for activism," O'Leary said.
Whether the attacks are to raise awareness or to protest, mitigating the risks of these attacks remains incredibly challenging for security teams. "DDoS is much tougher because you have a large amount of traffic coming from a huge amount of sources, and it overwhelms the system that you are trying to filter out legitimate vs illegitimate traffic," said O'Leary.
Mat Ganger, security operations lead at Rook Security, agreed that mitigation is difficult. "In normal cases we can go to our edge and block that attacker, but when we get into DDoS or reflective, there are thousands and thousands of hosts. It’s a management nightmare," Ganger said.
Tracing back to the attacker poses another problem that is closely tied to the ease of DDoS attacks. "The problem that everyone is going to run into," said Ganger, "is that it's so hard to tie that attack back to a specific individual or country. It is almost impossible because the bots they are using are all over the globe."
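The "thousands and thousands of hosts" problem that O'Leary and Ganger describe is easy to see once you triage flow data at the edge. The script below is an added example, not code from the article or from any of the vendors quoted in it. It works over constructed NetFlow-style records (synthetic data, not a real capture), picks out UDP flows that look like amplified reflector responses from the three methods the report names (DNS, NTP, CHARGEN), counts the distinct reflectors per method, and reports what share of the suspect bytes the ten busiest sources carry. The record layout, the 400-bytes-per-packet threshold and the address ranges are all assumptions made for the demonstration.

```python
"""Triage of constructed flow records for reflection/amplification traffic.

Added example, not from the article. Assumes NetFlow-style records already
exported by an edge router and summarises them the way a defender would when
deciding whether blocking individual sources at the edge can work.
"""
from collections import Counter, defaultdict
import random

# The three reflection methods the report names, keyed by the UDP source port
# a reflector answers from.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 19: "CHARGEN"}

# Ordinary DNS/NTP answers are small; large datagrams from these ports toward
# a host that did not ask for them are the amplification signature.
# The threshold is an assumption for this demo, not a vendor recommendation.
MIN_AMPLIFIED_BYTES_PER_PKT = 400


def build_sample_flows(seed=7, reflectors=3000, victim="198.51.100.10"):
    """Construct synthetic flow records (constructed data, not a real capture).

    Each record: (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes).
    """
    rng = random.Random(seed)
    flows = []
    # Thousands of distinct reflectors, each sending a few large responses.
    for i in range(reflectors):
        src = f"10.{i // 65536}.{(i // 256) % 256}.{i % 256}"  # unique per i
        port = rng.choice(list(REFLECTOR_PORTS))
        pkts = rng.randint(5, 40)
        nbytes = pkts * rng.randint(500, 1400)  # amplified payloads
        flows.append((src, port, victim, rng.randint(1024, 65535), "udp", pkts, nbytes))
    # Legitimate web clients talking to the victim over TCP.
    for i in range(200):
        src = f"172.16.{i // 256}.{i % 256}"
        pkts = rng.randint(10, 200)
        flows.append((src, rng.randint(1024, 65535), victim, 443, "tcp", pkts, pkts * 600))
    # Small, genuine DNS answers from the resolver the victim really queried.
    for _ in range(50):
        flows.append(("192.0.2.53", 53, victim, rng.randint(1024, 65535), "udp", 1, rng.randint(80, 300)))
    return flows


def classify_reflection(flows):
    """Return only the flows that look like amplified reflector responses."""
    suspect = []
    for src, sport, dst, dport, proto, pkts, nbytes in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        if nbytes / pkts >= MIN_AMPLIFIED_BYTES_PER_PKT:
            suspect.append((src, sport, dst, dport, proto, pkts, nbytes))
    return suspect


def summarize(suspect, top_n=10):
    """Reflector counts per method and the byte share of the top N sources.

    A low top-N share means blocking the noisiest sources barely dents the
    flood, which is the management nightmare the article describes.
    """
    by_method = defaultdict(set)
    bytes_by_src = Counter()
    total = 0
    for src, sport, *_, nbytes in suspect:
        by_method[REFLECTOR_PORTS[sport]].add(src)
        bytes_by_src[src] += nbytes
        total += nbytes
    top_bytes = sum(b for _, b in bytes_by_src.most_common(top_n))
    return {
        "reflectors_by_method": {m: len(s) for m, s in by_method.items()},
        "distinct_reflectors": len(bytes_by_src),
        "top_n_byte_share": top_bytes / total if total else 0.0,
    }


if __name__ == "__main__":
    flows = build_sample_flows()
    report = summarize(classify_reflection(flows))
    print(f"distinct reflectors: {report['distinct_reflectors']}")
    for method, n in sorted(report["reflectors_by_method"].items()):
        print(f"  {method:8s} {n}")
    print(f"bytes carried by top 10 sources: {report['top_n_byte_share']:.1%}")
```

Run it as-is and the top ten sources account for well under one percent of the suspect traffic, while the one genuine resolver and all TCP clients are left out of the suspect set. That is why the practical response is upstream rate limiting or scrubbing by protocol and source port rather than per-host blocks at the edge.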
Sometimes, the only way a target can respond to an attack is to wait it out. If the goal is to make a political statement, riding the wave of downtime might be the only option.