They may have grown in sophistication, with more widespread consequences, yet today’s distributed denial-of-service attacks can still be fought with conventional tools.
Distributed denial-of-service (DDoS) attacks that take down online systems are nearly as old as the public Internet. But over the years, they have morphed and evolved into larger and more destructive forms — increasingly focused on monetization. Today, as organizations expand partnerships and supply chains — and with employees working from home due to the pandemic — the stakes are higher than ever.
“DDoS attacks have grown in sophistication as well as in bandwidth and throughput,” says Roland Dobbins, principal engineer for network performance firm NetScout. “We see new DDoS vectors discovered or developed by more skilled attackers, more rapidly weaponized, incorporated into DDoS-for-hire services, and made accessible to anyone who can click a mouse and is intent on wreaking havoc.”
However, the fundamental techniques used to deliver a DDoS attack haven’t changed much, adds Carlos Morales, CTO at network analysis and cybersecurity firm Neustar.
“But how they are used and how well they can be customized to the victim certainly has,” he says.
For example, dozens of Mirai variants have resulted in millions of Internet of Things (IoT) devices being compromised and used to generate botnets, along with mature booter and stressor services, he notes.
Yet, contrary to popular belief, today’s DDoS attacks are neither particularly surgical nor precise. In many cases, the collateral impact is greater than the damage to the intended target.
“Shared Internet infrastructure, cloud resources, supporting ancillary infrastructure such as DNS servers, and bystander traffic are examples of resources that can be disrupted by DDoS attacks, thus greatly magnifying their impact,” Dobbins explains.
How Attack Methods Have Changed
The idea of monetizing DDoS attacks dates back to the 1990s. But the rise of DDoS-for-hire services and cryptocurrencies has radically changed things.
“It’s never been easier for non-specialists to become DDoS extortionists,” Dobbins explains.
This has led to a sharp uptick in well-organized, prolific, and high-profile DDoS extortion campaigns. Today, cybercrime groups deliver ransom demands in emails that threaten targets with DDoS attacks. Most of these are large attacks above 500 gigabytes per second, and a few top out at 2 terabytes per second. Ransom demands may hit 20 Bitcoin (approximately $1 million).
Attacks that revolve around ideological conflicts, geopolitical disputes, personal revenge, and other factors haven’t disappeared. But the focus on monetization has led attackers to increasingly target Internet service providers, software-as-a-service firms and hosting/virtual private server/infrastructure providers. This includes wireless and broadband companies.
“We’ve seen the DDoS attacker base both broaden and shift toward an even younger demographic,” Dobbins says.
According to Neustar’s Morales, reflection and amplification attacks continue to be the most prominent because of their inherent anonymity and ability to reach very high bandwidth without requiring a lot of attacking hosts. Applications susceptible to a reflection attack are routinely discovered.
“So there are now dozens for attackers to choose from, although DNS and TCP SYN reflection remain the most impactful because they cannot be easily filtered,” Morales notes.
In July 2020, the FBI issued an alert that attackers are using common network protocols like ARMS (Apple Remote Management Services), WS-DD (Web Services Dynamic Discovery), and CoAP (Constrained Application Protocol) to initiate DDoS reflection and amplification attacks. However, the agency cautioned that disabling these services could cause a loss in business productivity and connectivity.
Attackers are doing more reconnaissance while ratcheting up the number of attacks.
“We have seen a sharp increase in the number of attack vectors per attack and the targeting of attacks to a customer’s specific environment,” Morales says.
In September 2020, Neustar reported that 4.83 million DDoS attacks took place in the first half of 2020. This represented an increase of 151% over the same period from 2019. Incredibly, one attack lasted five days and 18 hours.
Mitigating an Attack Is Complicated
Conventional tools for battling DDoS attacks are particularly effective in the current environment. The complex and highly distributed nature of today’s botnet attacks combined with huge traffic volumes and spoofed data make it difficult, if not impossible, to trace the source. For instance, botnets connected to a command-and-control (C&C) system can be located anywhere, and many device owners aren’t even aware that their device has been compromised.
Internet-facing servers that inadvertently respond to spoofed requests further complicate things.
“The actual attackers may connect to the C&C layer, but may do so over anonymous proxy networks like TOR,” Morales explains.
As a result, organizations must work with a DDoS mitigation provider that has deep visibility into IT and Internet infrastructure — and can collaborate with peers, customers, and transit providers to further trace spoofed DDoS attack traffic.
Flow telemetry-based monitoring and analysis is typically used to detect, classify, and trace back DDoS attack traffic to its point of origin. It can identify bot behavior at the peering, customer aggregation, and/or transit edges, Dobbins notes. It’s critical to ascertain whether an attack is taking place based on known patterns or whether there’s simply a big uptick in legitimate traffic. Once there’s an understanding of the attack pattern, the provider can use tools to filter and drop malicious bot traffic, intelligently route traffic, and adapt the network to better analyze traffic by looking for specific clues, such as threatening IP blocks or the point of origin.
Preparation is key, Dobbins says. This includes having a holistic DDoS defense plan in place, keeping it updated, and testing the framework at least once per quarter. A service provider must have the tools, expertise, and scale to detect and analyze an attack and automate the response, including managing ancillary services such as DNS.
After an attack, it’s wise to conduct a postmortem and understand what went well and what could be improved. It’s also important to report an incident to the FBI or other relevant law enforcement agency — even if it’s not a legal requirement.