
DDoS Attacks Get Bigger, Smarter and More Diverse

Posted by Threat Post on July 16, 2018

DDoS attacks are relentless. New techniques, new targets and a new class of attackers continue to reinvigorate one of the internet’s oldest nemeses.

Distributed denial of service attacks, bent on taking websites offline by overwhelming domains or specific application infrastructure with massive traffic flows, continue to pose a major challenge to businesses of all stripes. Being knocked offline impacts revenue, customer service and basic business functions – and worryingly, the bad actors behind these attacks are honing their approaches to become ever more successful over time.

Several new themes are emerging in the 2018 distributed denial of service (DDoS) threat landscape, including a shift in tactics that has pushed volumetric campaigns to new heights: attacks that rely on a sheer wall of packet traffic to overwhelm the capacity of a website and take it down.

However, while these traditional, opportunistic brute-force DDoS attacks remain a menace, a new class of threat has emerged: more sophisticated, micro-targeted attacks. They take aim at, say, a specific application rather than a whole website. These types of DDoS attacks are a rapidly growing threat, as are stealthier “low and slow” offensives. At the same time, bot herders are working to expand their largely IoT-based botnets by any means possible, often to meet demand from the DDoS-as-a-service offerings that have drawn a flood of new participants into the DDoS scene. Those new entrants are all competing for attack resources, creating a demand that criminals are all too happy to fulfill.

“Attacks are getting larger, longer and more complex, as [the tools used to carry out attacks] are becoming more available,” said Donny Chong, product director at Nexusguard. “DDoS used to be a special occurrence, but now it’s really a commonplace thing – and the landscape is moving quickly.”

Terabit Era Dawns
One of the most notable evolutions in the DDoS landscape is the growth in the peak size of volumetric attacks. Attackers continue to use reflection/amplification techniques to exploit vulnerabilities in DNS, NTP, SSDP, CLDAP, Chargen and other protocols to maximize the scale of their attacks. Notably however, in February the world saw a 1.3 Tbps DDoS attack against GitHub—setting a record for volume (it was twice the size of the previous largest attack on record) and demonstrating that new amplification techniques can give unprecedented power to cybercriminals. Just five days later, an even larger attack launched, reaching 1.7 Tbps. These showed that DDoS attackers are more than able to keep up with the growing size of bandwidth pipes being used by businesses.

The technique used in February and March made use of misconfigured Memcached servers accessible via the public internet. Memcached servers are used to bolster responsiveness of database-driven websites by improving the memory caching system. Unfortunately, many of them have been deployed using a default insecure configuration, which has opened the door to DDoS attacks that use User Datagram Protocol (UDP) packets amplified by these servers — by as much as 51,200x. That in turn means that malefactors can use fewer resources. For example, they can send out only a small amount of traffic (around 200 Mbps) and still end up with a massive attack.
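From a defender's side, amplified reflector traffic is easy to spot in flow data: it arrives over UDP from a well-known service port and in unusually large packets. The following detector is an added example, not code from the article or from any vendor quoted in it; the flow records, thresholds and IP addresses are constructed for illustration, and the reflector port list covers the protocols the article names.

```python
"""Added example (not from the Threatpost article): flag likely UDP
reflection/amplification traffic in NetFlow-style flow records.
The flows, thresholds and addresses below are constructed for illustration."""
from collections import defaultdict

# Services commonly abused as reflectors (UDP source port -> name),
# matching the protocols the article lists.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 389: "CLDAP",
                   19: "Chargen", 11211: "Memcached"}

# Constructed flow records: proto src_ip src_port dst_ip dst_port packets bytes
SAMPLE_FLOWS = """\
udp 198.51.100.10 11211 203.0.113.5 443 1200000 1680000000
udp 198.51.100.11 11211 203.0.113.5 80 900000 1260000000
udp 198.51.100.20 123 203.0.113.5 60000 500 45000
tcp 198.51.100.30 443 203.0.113.5 50000 40 60000
udp 198.51.100.40 53 203.0.113.9 33000 3 900
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7:
            continue
        flows.append({"proto": f[0], "src_ip": f[1], "src_port": int(f[2]),
                      "dst_ip": f[3], "dst_port": int(f[4]),
                      "packets": int(f[5]), "bytes": int(f[6])})
    return flows

def find_reflection_victims(flows, min_avg_pkt=500, min_total_bytes=10_000_000):
    """Return {dst_ip: {service: bytes}} for destinations receiving large UDP
    payloads from known reflector ports. The average-packet-size floor separates
    amplified responses from ordinary small DNS/NTP replies; the total-bytes
    floor ignores legitimate trickles of traffic."""
    per_victim = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] not in REFLECTOR_PORTS:
            continue
        if f["packets"] == 0 or f["bytes"] / f["packets"] < min_avg_pkt:
            continue
        per_victim[f["dst_ip"]][REFLECTOR_PORTS[f["src_port"]]] += f["bytes"]
    return {ip: dict(svcs) for ip, svcs in per_victim.items()
            if sum(svcs.values()) >= min_total_bytes}

if __name__ == "__main__":
    for ip, svcs in find_reflection_victims(parse_flows(SAMPLE_FLOWS)).items():
        print(ip, svcs)
```

Only the two Memcached flows (1,400-byte average packets, nearly 3 GB in total) survive the filters; the small NTP and DNS replies and the TCP flow are ignored as ordinary traffic.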

The good news is that even as the peaks get larger, volumetric attacks are quickly dealt with.

“These are big and obvious and relatively easy to mitigate,” said Chong. “Blocking Memcached attacks is as simple as doing ISP filtering and blocking the signature – it just goes away. So, it’s not as scary as it seems.”

However, criminals are almost certainly looking for the next major reflector source.

“Expect a huge attack, then the good guys to come in and shut some of those resources down on the bad guys,” said Martin McKeay, global security advocate at Akamai. “This is cyclical. We saw it happen with NTP, DNS and now Memcached, and it will happen again.”

He added that the implications of being able to reach such dizzying attack heights could be profound going forward.

“The undersea cable between Europe and the U.S. is 3.2 terabits,” said McKeay. “If you try to send that amount of traffic through that pipe, you’re going to gum up the works for a very long time, for a lot of companies. A lot of countries don’t even have 1.3 terabits coming in in total, so we’re starting to look at attacks that can take whole countries offline for a good amount of time.”

This kind of doomsday scenario is not without precedent: In 2016, a Mirai botnet variant known as Botnet 14 spent seven days continually attacking the west African nation of Liberia, flooding the two companies that co-own the only fiber going into the country with 600 Gbps flows – easily overwhelming the fiber’s capacity and knocking the country offline.