The DDoS threat is relentless. New techniques, new targets and a new class of attackers continue to reinvigorate one of the internet’s oldest nemeses.
Distributed denial of service attacks, bent on taking websites offline by overwhelming domains or specific application infrastructure with massive traffic flows, continue to pose a major challenge to businesses of all stripes. Being knocked offline impacts revenue, customer service and basic business functions, and, worryingly, the bad actors behind these attacks are honing their approaches to become ever more successful over time.
Several new themes are emerging in the 2018 distributed denial of service (DDoS) threat landscape, including a shift in tactics that has pushed volumetric campaigns to new heights: attacks that rely on a sheer wall of packet traffic to overwhelm the capacity of a website and take it down.
However, while these traditional, opportunistic brute-force DDoS attacks remain a menace, a new class of DDoS threats has emerged: more sophisticated, micro-targeted attacks that take aim at, say, a specific application rather than a whole website. These types of DDoS attacks are a rapidly growing threat, as are stealthier “low and slow” offensives. At the same time, bot herders are working to expand their largely IoT-based botnets by any means possible, often to meet demand from the DDoS-as-a-service offerings that have brought a flood of new participants into the DDoS scene. Those new entrants are all competing for attack resources, creating a demand that criminals are all too happy to fulfill.
“Attacks are getting larger, longer and more complex, as [the tools used to carry out attacks] are becoming more available,” said Donny Chong, product director at Nexusguard. “DDoS used to be a special occurrence, but now it’s really a commonplace thing and the landscape is moving quickly.”

Terabit Era Dawns

One of the most notable evolutions in the DDoS landscape is the growth in the peak size of volumetric attacks. Attackers continue to use reflection/amplification techniques to exploit weaknesses in DNS, NTP, SSDP, CLDAP, Chargen and other protocols to maximize the scale of their attacks. Notably, however, in February the world saw a 1.3 Tbps DDoS attack against GitHub ― setting a record for volume (it was twice the size of the previous largest attack on record) and demonstrating that new amplification techniques can give unprecedented power to cybercriminals. Just five days later, an even larger attack was launched, reaching 1.7 Tbps. These showed that DDoS attackers are more than able to keep up with the growing size of the bandwidth pipes used by businesses.
The technique used in February and March made use of misconfigured Memcached servers accessible via the public internet. Memcached servers are used to bolster the responsiveness of database-driven websites by caching frequently used data in memory. Unfortunately, many of them have been deployed using a default insecure configuration, which has opened the door to DDoS attacks that use User Datagram Protocol (UDP) packets amplified by these servers ― by as much as 51,200x. That in turn means that malefactors can use fewer resources. For example, they can send out only a small amount of traffic (around 200 Mbps) and still end up with a massive attack.
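The amplification traffic described above has a distinctive shape on the victim's side: sustained UDP flows whose source port is a reflector service (Memcached's 11211, or the DNS, NTP, SSDP, CLDAP and Chargen ports the article lists) and whose packets are far larger than any legitimate reply. The following is an added example, not code from the article or from any vendor quoted in it, showing how a defender could score flow records on exactly that signature; the flow-record format, the byte-per-packet thresholds and the sample flows are all constructed for the example.

```python
"""Flag UDP reflection/amplification traffic in flow records.

Added example (not from the article): scores each flow by whether it
comes from a well-known reflector port and carries large, sustained
payloads, then totals the suspect bytes per victim and per service.
Record format and thresholds are assumptions made for this example.
"""
from collections import defaultdict

# UDP ports of the reflector services the article names.
REFLECTOR_PORTS = {11211: "memcached", 53: "dns", 123: "ntp",
                   1900: "ssdp", 389: "cldap", 19: "chargen"}

# Constructed sample flow records:
#   proto src_ip:port dst_ip:port packets bytes
SAMPLE_FLOWS = """\
udp 203.0.113.10:11211 198.51.100.5:40000 1200 1440000
udp 203.0.113.11:11211 198.51.100.5:40001 1100 1320000
udp 192.0.2.7:53 198.51.100.5:53210 3 300
udp 203.0.113.12:123 198.51.100.5:40002 900 432000
tcp 192.0.2.8:443 198.51.100.5:51000 40 24000
udp 192.0.2.9:1900 198.51.100.9:40003 2 600
"""


def parse_flow(line):
    """Parse one constructed flow record into a dict of typed fields."""
    proto, src, dst, pkts, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"proto": proto, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "packets": int(pkts), "bytes": int(nbytes)}


def is_reflection_flow(flow, min_bytes_per_packet=400, min_packets=100):
    """Heuristic: UDP, from a known reflector port, big packets, sustained.

    A handful of genuine DNS or SSDP replies (few packets, small payloads)
    does not trip the rule; a flood of large responses does.
    """
    if flow["proto"] != "udp" or flow["src_port"] not in REFLECTOR_PORTS:
        return False
    if flow["packets"] < min_packets:
        return False
    return flow["bytes"] / flow["packets"] >= min_bytes_per_packet


def summarize_reflection(log_text):
    """Return {victim_ip: {service: total_bytes}} for suspect flows only."""
    victims = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if is_reflection_flow(flow):
            service = REFLECTOR_PORTS[flow["src_port"]]
            victims[flow["dst_ip"]][service] += flow["bytes"]
    return {victim: dict(services) for victim, services in victims.items()}


if __name__ == "__main__":
    for victim, services in summarize_reflection(SAMPLE_FLOWS).items():
        print(victim, services)
```

The per-service totals are what an upstream filter acts on: traffic sourced from UDP 11211 has no business reaching an ordinary web property, so once the victim and service are identified the whole class can be dropped at the ISP edge, which is the mitigation Chong describes below.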
The good news is that even as the peaks get larger, volumetric attacks are quickly dealt with.
“These are big and obvious and relatively easy to mitigate,” said Chong. “Blocking Memcached attacks is as simple as doing ISP filtering and blocking the signature, and it just goes away. So, it’s not as scary as it seems.”
However, criminals are almost certainly looking for the next major reflector source.
“Expect a huge attack, then the good guys to come in and shut some of those resources down on the bad guys,” said Martin McKeay, global security advocate at Akamai. “This is cyclical. We saw it happen with NTP, DNS and now Memcached, and it will happen again.”
He added that the implications of being able to reach such dizzying attack heights could be profound going forward.
“The undersea cable between Europe and the U.S. is 3.2 terabits,” said McKeay. “If you try to send that amount of traffic through that pipe, you’re going to gum up the works for a very long time, for a lot of companies. A lot of countries don’t even have 1.3 terabits coming in in total, so we’re starting to look at attacks that can take whole countries offline for a good amount of time.”
This kind of doomsday scenario is not without precedent: In 2016, a Mirai botnet variant known as Botnet 14 spent seven days continually attacking the west African nation of Liberia, flooding the two companies that co-own the only fiber going into the country with 600 Gbps flows, easily overwhelming the fiber’s capacity and knocking the country offline.
Rising Sophistication

While big, splashy volumetric attacks make headlines, the reality is that smaller, more sophisticated attacks are perhaps the greater concern.
“DDoS has historically been pretty unsophisticated; it doesn’t require a closed-loop response where you steal data and need to get it back to you,” said Sean Newman, director of product management at Corero Network Security. “Typically, you just send out the traffic to a pipe with the goal of filling it up. But, what we’ve seen recently is that those very large unsophisticated attacks [now] represent a small proportion of the [campaigns] that go on. Across all the DDoS efforts that we see, the majority, just over 70 percent, are [now] less than 1 GB in size. And that’s because the attackers are moving away from using simplistic brute force, to using more sophisticated techniques.”

Modern DDoS toolkits can launch both infrastructure-based (i.e., volumetric) and application-based payloads; application-layer attacks in particular are sneakier and can be very targeted, researchers said. Rather than just look to overwhelm a company’s broadband connection or DNS infrastructure, as was the norm in the past, application-layer attacks focus on one aspect of the target’s communications, such as, say, a VoIP server. These look to exhaust specific server resources by monopolizing processes and transactions.
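Because an application-layer attack exhausts worker processes rather than bandwidth, a byte counter like the one a volumetric filter uses will not see it; what stands out instead is how much server time a single client consumes, and how concentrated that time is on one endpoint. The following is an added example, not code from the article or from any vendor quoted in it, that applies that idea to web access logs; the log format (which records each request's service time), the thresholds and the sample lines are constructed for the example.

```python
"""Flag application-layer resource-exhaustion patterns in access logs.

Added example (not from the article): instead of bytes on the wire,
this sums the server time each client consumed, split by request path,
and flags clients whose usage is both large and concentrated on one
endpoint. Log format and thresholds are assumptions for this example.
"""
from collections import defaultdict

# Constructed access log: epoch_seconds client method path status duration_ms
# One client repeatedly hits a search endpoint with ~30 s requests, which
# ties up a worker per request while moving almost no bandwidth.
SAMPLE_ACCESS_LOG = """\
1520000000 198.51.100.20 POST /api/search 200 45
1520000001 203.0.113.50 POST /api/search 200 30500
1520000001 203.0.113.50 POST /api/search 200 29800
1520000002 203.0.113.50 POST /api/search 200 31000
1520000002 198.51.100.21 GET /index.html 200 12
1520000003 203.0.113.50 POST /api/search 200 30200
1520000003 203.0.113.50 POST /api/search 200 30900
1520000004 198.51.100.20 GET /static/app.js 200 8
1520000004 203.0.113.50 GET /index.html 200 15
1520000005 203.0.113.50 POST /api/search 200 30400
"""


def parse_access_line(line):
    """Parse one constructed access-log line into typed fields."""
    ts, client, method, path, status, duration_ms = line.split()
    return {"ts": int(ts), "client": client, "method": method,
            "path": path, "status": int(status),
            "duration_ms": int(duration_ms)}


def server_ms_by_client(log_text):
    """Return {client: {path: total_server_ms}} over the whole log."""
    usage = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_access_line(line)
            usage[rec["client"]][rec["path"]] += rec["duration_ms"]
    return usage


def find_resource_hogs(log_text, min_seconds=60.0, min_share=0.8):
    """Clients whose consumed server time is large and focused on one path.

    Returns {client: {"path": ..., "ms": total_ms, "share": fraction}}.
    A busy but ordinary client spreads small requests across many paths
    and stays well under both thresholds.
    """
    hogs = {}
    for client, paths in server_ms_by_client(log_text).items():
        total_ms = sum(paths.values())
        top_path, top_ms = max(paths.items(), key=lambda kv: kv[1])
        share = top_ms / total_ms
        if total_ms >= min_seconds * 1000 and share >= min_share:
            hogs[client] = {"path": top_path, "ms": total_ms,
                            "share": round(share, 2)}
    return hogs


if __name__ == "__main__":
    for client, info in find_resource_hogs(SAMPLE_ACCESS_LOG).items():
        print(client, info)
```

The flagged client here generated only ten log lines and a few kilobytes of traffic, which is the point: the decision is made on worker seconds, not volume, so the same detector catches the small, specially crafted campaigns Chong describes next.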
“Attacks use just enough traffic to be successful,” Chong explained. “Most of the enterprises out there in the market have around 100 Mbps of bandwidth coming into their location, so you don’t need a 1-terabit attack to be effective. These are small, specially crafted campaigns where threat actors first examine where a service is hosted, such as a data center, in the cloud or at a hosting provider and then they launch a small attack that just overwhelms the limits of the target’s bandwidth. This approach is much more precise and effective, requires fewer resources, and often flies under the radar because the bad traffic’s volume is close in size to the normal traffic going into that enterprise.”
An example of this is the attacks mounted during protests in the wake of the 2009 Iranian presidential election. That’s when several high-impact and relatively low bandwidth efforts were launched against Iranian government-run sites. Since then, the method has gained popularity. Meanwhile, the large, “big-bang” efforts that still make up 30 percent of the campaigns seen in the wild are sometimes used as a distraction, Chong added, acting as a smok