The Rise of DDoS: Flooded Networks, Downtime and How to Bolster Protection

Ransomware might be the most prevalent threat in 2021, but spare a thought for some old favorites that continue to plague our networks, especially during the pandemic. The distributed denial of service (DDoS) attack is hammering networks harder than ever.

DDoS attacks are 25 years old this year (2021). The first known attack hit Manhattan ISP Panix in 1996, knocking it offline for days in retaliation against its newly installed anti-spam system. The concept then gained mainstream notoriety when Canadian teen Michael Calce, aka ‘Mafiaboy,’ launched a series of hits against large firms including Amazon, eBay, Yahoo!, Dell and CNN. Thereafter, DDoS became a favorite tool for activists everywhere.

The motives driving DDoS attackers have changed over the years, according to Vitaly Simonovich, security research manager at cybersecurity company Imperva. “Early on, hacktivist groups with no profit agenda were often involved in launching the attacks,” he says. “Today, criminal groups have a direct monetization agenda, and it explains the rise in ransom DDoS (RDoS) attacks.”

Extortion Via DDoS

These attackers frequently hit victims with a short, sharp denial of service to demonstrate their powers. They’ll follow up with a more protracted assault if their targets don’t pay up, explains Roger Barranco, vice-president of global security operations at content distribution network provider Akamai.

Last year, the company saw an extortion campaign targeting multiple sectors. The attackers threatened their targets by demanding payment in Bitcoin and increased the ransom if they failed to pay up by the deadline. The attackers were both sophisticated and powerful, with one attack reaching 500Gb/sec.

“What was really interesting was the upfront preparation for those attacks,” Barranco explains. “They [the attackers] knew who on the enterprise side to send the extortion letter to. Frequently, attackers don’t know that. They also did a good job of delineating what they were going to hit.”

This was one of the first groups to extend its attacks beyond public-facing websites, Barranco adds. “This time, there were instances where they actually attacked a router that was supplying internet to a company’s building.”

Akamai specializes in stopping volumetric DDoS events, in which attackers direct large amounts of traffic at a target in the hope of flooding its network and taking it offline. Attacks of this type are on the rise, warns Barranco. Last year, the company mitigated an attack that directed 1.44Tb/sec at its target, the highest bit-per-second rate it had ever seen. The company noted a marked rise in attacks over 100Gb/sec in 2020, which it says correlates with the beginning of the COVID-19 pandemic.


Measuring the Pandemic Effect

Barranco says that it’s important not to underestimate the pandemic effect, pointing to retail as an especially vulnerable sector.

“Retailers have been so much more dependent upon their e-commerce sites during this period,” he points out. “They don’t have the brick-and-mortar retail store revenue influx they had historically, so you would see a lot more focused attacks in that area.”

The statistics bear this out. Akamai found attacks escalating during the week between Thanksgiving and Cyber Monday, which it calls Cyberweek. It’s one of the biggest online shopping weeks of the year, and the company saw a 65% increase in DDoS attacks during this week in the fall of 2020, compared to the same period in 2019.

Volumetric attacks these days make Mafiaboy’s efforts look puny. They’re still popular because they’re simple to launch, and increasingly cheap. Today’s attackers need little technical sophistication because they can rent DDoS attack infrastructure from criminal service providers who specialize in building out their capacity through botnets of infected machines.

Volumetric attacks fall into two main buckets, explains Johannes Ullrich, who heads up the SANS Internet Storm Center. The first is a simple, fast attack that bypasses filters by using a wide variety of sources. While earlier attacks specialized in infected home or business computers, things have changed in recent years thanks to the rise in connected IoT devices.

The Internet of Stings

“I think they are still probably one of the main sources of attacks. I call them the mosquitoes of the internet, because they’re everywhere and deadly,” Ullrich says of the connected cameras, routers and other small-footprint devices that make up the IoT. “They’re easy to exploit, with enough computing power to be useful as part of a denial of service attack.”

Mirai, launched in 2016, was the most infamous IoT-related attack. The Mirai malware compromised thousands of machines that suffered from the poor security protections endemic among IoT devices, including default (or absent) administrative login credentials.

Barranco says that IoT botnets continue to flourish online, citing a recent DDoS attack in which over half of the originating devices were security cameras. The only saving grace for victims is that the criminal groups using them often compete with one another to take over IoT devices. This divides their efforts, he says. If they ever collaborated en masse, the results could be catastrophic.

The second kind of volumetric attack is reflective. In this version, attackers don’t need to generate much of their own traffic at all. Instead, they get someone else’s computer to do it for them. They send a small request to an exposed server, spoofing the source IP address so that the request appears to come from the DDoS victim. The exposed server then sends its reply to the victim, flooding it with traffic. With some protocols, the exposed server’s reply is far larger than the attacker’s original request. This amplifies the attack, enabling the perpetrator to do more damage with less traffic of their own.

“The one big dependency here is that you need to be able to spoof your IP address, which is more likely to work in some parts of the world than others,” Ullrich says. “The other requirement, of course, is that you need to find an exposed server that allows you to amplify these attacks, and that’s sort of where the cat and mouse game is happening, where people keep finding new protocols.”
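The reflection pattern described above looks different from the victim’s side of the wire: replies arrive from well-known UDP service ports that no local host ever sent a request to. As an added illustration (not code from the article or from any of the organizations quoted in it), the Python below applies that test to flow records for a protected network. The protected address range, the sample flow records and the list of abusable service ports are constructed assumptions for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors. Seen from the victim, the
# reflected replies carry the service port as their *source* port.
# Assumed list for this example, not an exhaustive one.
REFLECTOR_SERVICE_PORTS = {
    19: "CharGen", 53: "DNS", 123: "NTP", 161: "SNMP",
    389: "CLDAP", 1900: "SSDP", 11211: "memcached",
}

# Address block of the protected network (assumed; documentation range).
PROTECTED_PREFIX = "203.0.113."

# Constructed flow records: "src_ip:src_port dst_ip:dst_port proto packets bytes".
SAMPLE_FLOW_RECORDS = """
# legitimate DNS lookup from a protected host, and its reply
203.0.113.10:51000 198.51.100.1:53 udp 1 70
198.51.100.1:53 203.0.113.10:51000 udp 1 150
# unsolicited NTP replies from four reflectors aimed at two protected hosts
192.0.2.11:123 203.0.113.10:80 udp 50 22000
192.0.2.12:123 203.0.113.10:80 udp 60 26400
192.0.2.13:123 203.0.113.11:443 udp 40 17600
192.0.2.14:123 203.0.113.11:443 udp 50 22000
# a single stray DNS reply: one source only, below the reflector-count threshold
198.51.100.77:53 203.0.113.10:53 udp 1 3000
# ordinary TCP web traffic, ignored by the detector
198.51.100.5:40001 203.0.113.10:443 tcp 12 9000
"""


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    nbytes: int


def parse_flows(text):
    """Parse the constructed record format; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, packets, nbytes = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append(Flow(src_ip, int(src_port), dst_ip, int(dst_port),
                          proto.lower(), int(packets), int(nbytes)))
    return flows


def find_reflection_suspects(flows, protected_prefix, min_sources=3, min_avg_bytes=400):
    """Flag UDP replies from reflector service ports that the protected hosts never asked for.

    A reply is considered solicited if a flow protected_host:port -> server:service_port
    exists. Unsolicited replies are grouped by service port; a service is reported when
    replies come from at least `min_sources` distinct servers with a large average
    packet size, the two hallmarks of reflection with amplification.
    """
    outbound = set()
    for f in flows:
        if f.proto == "udp" and f.src_ip.startswith(protected_prefix):
            outbound.add((f.src_ip, f.src_port, f.dst_ip, f.dst_port))

    per_service = defaultdict(lambda: {"sources": set(), "targets": set(),
                                       "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != "udp" or not f.dst_ip.startswith(protected_prefix):
            continue
        if f.src_port not in REFLECTOR_SERVICE_PORTS:
            continue
        # Matching request seen: this is a normal reply, not a reflection.
        if (f.dst_ip, f.dst_port, f.src_ip, f.src_port) in outbound:
            continue
        agg = per_service[f.src_port]
        agg["sources"].add(f.src_ip)
        agg["targets"].add(f.dst_ip)
        agg["packets"] += f.packets
        agg["bytes"] += f.nbytes

    suspects = {}
    for port, agg in per_service.items():
        avg = agg["bytes"] / agg["packets"]
        if len(agg["sources"]) >= min_sources and avg >= min_avg_bytes:
            suspects[REFLECTOR_SERVICE_PORTS[port]] = {
                "source_port": port,
                "distinct_reflectors": len(agg["sources"]),
                "unsolicited_bytes": agg["bytes"],
                "avg_packet_bytes": round(avg, 1),
                "targets": sorted(agg["targets"]),
            }
    return suspects


if __name__ == "__main__":
    for name, info in find_reflection_suspects(parse_flows(SAMPLE_FLOW_RECORDS),
                                               PROTECTED_PREFIX).items():
        print(name, info)
```

The request-matching step is what separates a reflected flood from a busy but legitimate resolver: a real NTP or DNS client leaves an outbound flow behind for every reply it receives. The single stray DNS reply in the sample is deliberately left unflagged to show that the detector asks for many reflectors, not just one unexpected packet.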


Application-Layer Attacks

Volumetric attacks are the weapon of choice against large backbone networks like Akamai’s, says Dr Timothy Shimeall, senior member of the technical staff with the CERT Network Situational Awareness Group at Carnegie Mellon University’s Software Engineering Institute. Those attackers focus on brute force operations at the network level. They’re also attacks that enterprises can’t deal with themselves on site. The volume of traffic is so immense that they need a backbone provider who can absorb those packets.

“An ordinary user network probably won’t see that many volumetric attacks,” he says. “It’s much more likely that you’re going to see service attacks.” Also known as application-layer attacks, these happen higher up the technology stack, targeting the applications that use the network rather than the networks themselves.

“They will take something like a large GIF file that’s on your website and just repeatedly download it so it looks, on the surface, like it’s a valid request,” Shimeall says. “Or if there’s a form that they can push to, they just repeatedly push that form.”

This kind of attack does more than simply bring specific applications to a halt, he explains; it can also disable specific resources. Directed at a firewall, an application-layer attack might force it to fail open. It could bring down an intrusion prevention system. “More sophisticated attackers have been doing that for five years or more,” he adds.

When a victim's server or network is targeted by a DDoS attack, botnets send requests to the target's IP address, potentially causing the server or network to become overwhelmed, resulting in a denial-of-service to normal traffic.

Application-layer attacks are useful as distractions, keeping IT teams busy with root cause analysis while attackers direct their real attacks elsewhere in the target infrastructure. They’re also useful in multi-tenanted cloud environments, says Ullrich, where a volumetric attack would cause too much collateral damage by taking other companies’ systems offline too and drawing the service provider’s attention.

Protecting Networks from Attack

Protecting against DDoS attacks might seem daunting, but there are some effective measures. You can increase your resilience to volumetric attacks by working with a service provider with enough capacity to deal with the problem further upstream. You can also diversify critical services across multiple locations and perhaps service providers, says Shimeall. Load balancing between these resources spreads your risk and makes it harder for attackers to take down services by targeting a single point.

At the application layer, consider protections like rate limiting, which stops the application responding to a client once its requests exceed a set frequency threshold. You can also use captchas to stop automated activity from bots.
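As an added example (not code from the article or from anyone quoted in it), the Python below pairs the application-layer pattern Shimeall describes earlier, one client fetching the same large GIF over and over, with the rate-limiting control suggested here: a per-client sliding-window limiter replayed over a web-server access log. The log lines, client addresses and the limit of five requests per ten seconds are constructed assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed access log in Common Log Format. 198.51.100.23 requests the same
# large GIF eight times in eight seconds, then once more after the window has slid.
SAMPLE_ACCESS_LOG = """\
198.51.100.23 - - [10/Feb/2021:14:03:01 +0000] "GET /media/banner.gif HTTP/1.1" 200 2048576
203.0.113.5 - - [10/Feb/2021:14:03:02 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.23 - - [10/Feb/2021:14:03:02 +0000] "GET /media/banner.gif HTTP/1.1" 200 2048576
198.51.100.23 - - [10/Feb/2021:14:03:03 +0000] "GET /media/banner.gif HTTP/1.1" 200 2048576
198.51.100.23 - - [10/Feb/2021:14:03:04 +0000] "GET /media/banner.gif HTTP/1.1" 200 2048576
203.0.113.5 - - [10/Feb/2021:14:03:05 +0000] "GET /media/banner.gif HTTP/1.1" 200 2048576
198.51.100.23 - - [10/Feb/2021:14:03:05 +0000] "GET /media/banner.gif HTTP/1.1" 200 2048576
198.51.100.23 - - [10/Feb/2021:14:03:06 +0000] "GET /media/banner.gif HTTP/1.1" 200 2048576
198.51.100.23 - - [10/Feb/2021:14:03:07 +0000] "GET /media/banner.gif HTTP/1.1" 200 2048576
198.51.100.23 - - [10/Feb/2021:14:03:08 +0000] "GET /media/banner.gif HTTP/1.1" 200 2048576
203.0.113.5 - - [10/Feb/2021:14:03:09 +0000] "POST /contact HTTP/1.1" 200 310
198.51.100.23 - - [10/Feb/2021:14:03:20 +0000] "GET /media/banner.gif HTTP/1.1" 200 2048576
"""

LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_access_log(text):
    """Yield (epoch_seconds, client_ip, method, path) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail on a noisy log
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        yield ts, m["client"], m["method"], m["path"]


class SlidingWindowRateLimiter:
    """Allow at most `limit` requests per key within any `window_seconds` interval.

    Every attempt is counted, allowed or not, so a client that keeps hammering
    stays throttled until it actually backs off for a full window.
    """

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._seen = defaultdict(deque)  # key -> timestamps inside the window

    def allow(self, key, now):
        q = self._seen[key]
        cutoff = now - self.window
        while q and q[0] <= cutoff:   # drop timestamps that have aged out
            q.popleft()
        q.append(now)
        return len(q) <= self.limit


def replay_access_log(text, limit=5, window_seconds=10):
    """Replay a log through the limiter; return per-client allowed/denied counts."""
    limiter = SlidingWindowRateLimiter(limit, window_seconds)
    stats = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for ts, client, _method, _path in parse_access_log(text):
        verdict = "allowed" if limiter.allow(client, ts) else "denied"
        stats[client][verdict] += 1
    return dict(stats)


if __name__ == "__main__":
    for client, counts in replay_access_log(SAMPLE_ACCESS_LOG).items():
        print(client, counts)
```

Keying the limiter on the client address is the simplest choice and is enough to separate the two clients in the sample: the legitimate visitor who also fetches the GIF once is never throttled. Production deployments usually key on a combination of client, path and authenticated identity, and return a 429 rather than silently dropping the request, but the window logic is the same.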

As with any toxin, though, prevention is better than cure when protecting yourself against DDoS attacks. “Organizational barriers come into play where you get people that are trying to put the defenses on the front door, only to have other parts of the organization open up the backdoor,” Shimeall warns.

He points to employees who introduce ad hoc weaknesses into systems for their own convenience as a common problem. So it’s important to conduct regular security audits to check that you’re handling basic cybersecurity hygiene tasks like software patching, he advises.

DDoS attacks are not going away soon, and companies would do well to bolster their protections through a smart mixture of application-layer protections, network design and partnerships with savvy service providers.

Like any online threat, these attacks are easy to ignore when there are other more pressing issues to deal with. However, when you have 500Gbps of traffic knocking at your front door – or a sneaky low-and-slow attack that misdirects your IT team – you’ll wish that you’d paid this venerable old cyber-threat some closer attention.
