
Richard Hummel, Netscout | Threat Report Episode 1


 

>>Kicking things off for Netscout's latest threat intelligence reports. I'm Lisa Martin with Richard Hummel, manager of threat intelligence at NetScout. We're going to be talking about DDoS for hire. It's a free-for-all. Richard, welcome to the program.

>>Thanks for having me, Lisa. It's always a pleasure to do interviews with you here on theCUBE.

>>Likewise. So, Richard, the dark web is a dangerous place. We know that's where adversaries own and operate DDoS-for-hire platforms and botnets to launch everything from free tests to high-powered multi-vector attacks. What did you find? What kind of attacks are being launched on the dark web?

>>Sadly, any and every type of attack. And I think you put it eloquently, that it's free. A little while ago, I got a question come in from a media journalist that I was talking to, and they asked me, what is the average cost of a DDoS attack? And my gut reaction was maybe 10, 20 USD. I even asked another reporter later on, what do you think it costs? And he came out with two or 300 USD. And so that was kind of my expectation. Well, just because of that question, I broke out my lab and I said, you know what? I'm just going to kind of sleuth a little bit. And so I started logging in, I started looking at these underground platforms, and I spent time on 19 of hundreds. There's a website out there that lists all of them, with like three or 400 of these things, but I just chose the top 19.

>>And when I started looking at these, every platform that I evaluated had some form of free attacks during launch. And these are the typical for your five attacks like NTP, CLDAP, DNS amplification. These are the rote or routine types of attacks we see in the DDoS threat landscape, and it's free. And then it scales from there. You have $5 entry fees to do trials. You have a week trial, you can go all the way up to 6,500 USD. And the adversary purports to launch a one terabit per second attack at that cost. There's another one that says, Hey, we have 150,000 botnet nodes. He has $2,500, and then you can launch it from this platform. And they also have customization. They have these little sliders on there. You can go in and say, you know what? I have five targets. I want to launch 10 attacks at once. I want it to last this many minutes. These are the vectors I want to use. And then it just tells you, here's what you've got to pay. Now, it used to be you needed to have a crypto wallet to even launch a DDoS attack. Well, that's no longer the case. Second, it used to be cryptocurrency. Well, now they take PayPal. They take wire transfers. They do Western Union transfers. And so yeah, this barrier to entry, it doesn't exist anymore.

>>Wow. The evolution of DDoS attacks, the low barrier to entry, the customization. You mentioned that you researched the top 19 validated DDoS-for-hire services. You guys captured the types of attacks, reported number of users and the costs to launch, what you went through. What are some of the things that really stuck out to you that you found?

>>I think the biggest thing, the biggest outlier that I saw with a lot of these things, is the sheer amount of attacks or attack types that they purport to launch. That, combined with one other metric that I'll tell you in just a minute. But when I started adding all of these up, I came out with a list of something like 450 different line items. This is taking the attack types from all 19 of these platforms and putting it into a spreadsheet. And then when I actually got rid of the duplicates and I started looking at each one of these to see, did they call it this? And then this one called it this, there were still 200 different types of attacks. And these attacks are not just your typical volumetric things or your typical botnet-related things. I mean, they're going after applications.

>>They're going after CAPTCHA pages. They're going after some website-based anti-DDoS stuff. They're going after specific games, Grand Theft Auto, Counter-Strike, all of these things. And they have specific attacks designed to overwhelm those layers. And you can actually see in some of the news or the update boxes they have on their platforms that they put rolling updates, similar to what you would see with Microsoft update. Here's what changed. And so they'll list, oh, we added this CAPTCHA bypass, or we tweaked this bypass, or guess what? We added a new server. And now you have this more power to launch bigger attacks. The other thing that really surprised me was the sheer number of users and attacks that they purport to have and have launched. So across these 19 platforms, I counted over 1 million registered users. Now it could be that multiple users are registered across multiple platforms.

>>And so maybe that's a little redundant, but a million for 19. And then the attacks, just whatever they showed in their platform. Now, I don't know what time segment that is. It could be all time. It could be a certain snapshot, whatever. 19 of several hundred of these things, more than 10 million attacks. Now, if we look at 2020, we saw 10 million attacks on the whole year. 2021, we saw 9.7 million. So you can just see it. I mean, we're not seeing the whole breadth of the threat landscape. We see about a third, probably, of the world's internet traffic. And so if what they say is true, there's a lot more attacks out there than even we talk about.

>>A lot more attacks than are even uncovered. That's shocking. The evolution of DDoS is also quite shocking. One of the things I noticed in the first half 2021 threat intelligence report that NetScout published was some of the underground services offer blacklists or delisting services to prevent attacks. And I thought that sounds like a good thing, but what does that really mean?

>>So actually, when we were writing the last threat report, a colleague of mine, Roland Dobbins, had actually talked about this, and he's like, Hey, I saw this thing where it's this quasi-illegal organization. And they were talking about listing you as this. And they actually turn around and sell these lists. And so I started researching that a little bit. And what it turns out is these organizations, they purport to be VPN services. Yeah. And they also say, you know what, we offer these kinds of lists or block lists. We offer this VPN service, but we are also collecting your IP address. And so if you don't want us to basically resell that to somebody else, or if you want us to add that so that people can attack you based on what they're seeing on the VPN, then you can pay us money and you can do like different tiers of this.

>>You can say, block me for a week or block me for a lifetime, and all of these different platforms. I wouldn't say all of them, probably four of the 19 that I looked at had this service. Now as a user, I'm not going to go to every single DDoS-for-hire platform. I'm not going to purchase the VPN from every single one of these. I'm not going to go and add myself to their deny list across all of these things. That's kind of way too much work for one. And the cost is going to be in the thousands, if not tens of thousands, as you start to add all of these things together. And so they purport to do something good and in turn, take your information and sell it. And what's worse is they actually assign your username or your handle or your gamer tag to that IP address.

>>And so now you have this full list of IPs with gamer tags. And so an adversary that has no qualms or scruples about launching DDoS attacks can then purchase that list. And guess what, Hey, this gamer over here who has this gamer tag, he always tells me I don't, I don't want to face them anymore. So anytime I see him in a match, I'm going to go over here to this DDoS-for-hire platform. And I'm going to just launch an attack against him, try to knock them off of them. And so that's the kind of shady business practices that we're seeing here in the underground forums.

>>Well, I knew that wasn't a good, I knew that you would actually give me the skinny on what that was. So another thing that I was wondering if it was a good, you know, despite this, you talked about the incredible diversity of these platforms, the majority of attack types that you saw are recognized and mitigated by standard defensive practices. Is that another good, bad disguised as good?

>>No, in this case, it is very much good. So as far as I've seen, there's not a single DDoS attack type from a booter/stresser service to date that you can't mitigate using preparation and your typical DDoS platforms, mitigation protection systems. And even the bandwidth, the throughput, what some people call the size or the speed of attacks. We don't really see anything in the terabit per second range from these services. Now they'll boast about having the capability to do X number of packets per second, or this size of an attack. And so some of them will even say that, Hey, you pay us this money and we're going to give you a one terabit per second attack. To date, in the four years that I've been here at NetScout, and even some of my colleagues who've been around the space for decades.

>>They have yet to see an attack sourced from one of these DDoS-for-hire platforms that exceeds one terabit per second in bandwidth or volume. And so they might talk a big game. They might boast about these things, but oftentimes it's smoke and mirrors. It's a way to get people into their platforms to purchase things. If I had to pick kind of an average volume or size of attacks for these booter/stressers on the high end, I would say around the 150 to 200 gigabit per second. Now to a small organization that might seem huge, but to a service provider, that's probably a drop in the bucket and they can easily saturate that across their network, or absorb that even without the top-of-the-line mitigation services. So just being able to have something in place, understand how adversaries are launching these attacks, what attack vectors they are, you know, do some research.

>>We have this portal called Omnis Threat Horizon, where you can actually go in there and enter your industry segment and your country. And you can just look to see, are there attacks against people like me in my country? And so, but understanding if you are the target of attacks, which, it's not if, it's when, then you can understand, okay, I need to probably have provisions in place for up to this threshold. And sure, there's attacks that will exceed that. But at least you're doing due diligence to have some measure of protection, understanding that these are the typical kinds of attacks that you can expect.

>>Yeah. That due diligence is key. Richard, thanks for joining me talking about DDoS for hire. A lot of interesting things there that were uncovered. In a moment, Richard and I are going to be back to talk about the rise of server-class botnet armies.

Published Date : Mar 22 2022


Netscout Threat Report Welcome Lisa Martin


 

>>The pandemic saw a majority of employees working remotely, as we all know, and the world turning to digital services, which caused an uptick in cyber attacks because almost all business was conducted virtually. Well, the unprecedented events of 2020 led to an enormous and extended upswing in innovation for threat actors. And it's not going away anytime soon. This is according to our colleagues at NetScout and an excerpt from its first half 2021 threat intelligence report. In this event, we're going to unpack Netscout's semi-annual security report for the second half of 2021, which outlines how and why these attacks are carried out and what individuals and businesses can do to prevent attacks. Now, one of the things that NetScout discovered in the second half threat intelligence report is that these cyber attacks, they're not motivated by a single factor. One notable example is a recent attack just last month, where government and private websites in Ukraine were knocked offline in a massive distributed denial of service (DDoS) attack as Russian troops moved into contested areas in the east of the country. My name is Lisa Martin. And today on this special CUBE presentation, Richard Hummel joins me, manager of threat intelligence at NetScout. He and I are going to explore three of the key findings in the second half of 2021 threat intelligence report. In the first segment, Richard's going to talk with me about the dark side of DDoS for hire. And one of the things that you're going to learn is that launching DDoS attacks with illicit DDoS-for-hire services no longer requires a nominal fee. In segment two, Richard's going to talk to me about the rise of server-class botnet armies. And as Richard will discuss, recently adversaries not only increased the size of IoT botnets, but also conscripted high-powered servers into larger botnets.

Then we'll come back for a third and final segment to discuss the vertical industries where attackers really zeroed in for DDoS attacks in the second half. And here Richard's going to explore some of the verticals that haven't traditionally been in the crosshairs, such as software publishers and computer manufacturing. All right, guys, let's do this. Here comes our first segment.

Published Date : Mar 22 2022
