Changing Face of DDoS and Threats to the Web Application Layer

We often hear of disruptors in a positive light; innovative businesses that change the way we work, live and play for the better. But what happens when that disruptor is quite literally, disruptive? In 2016 the internet was brought to a standstill by a new type of malware called Mirai, which was used in a series of major DDoS attacks around the world.

Unlike the average botnet, Mirai was largely made up of IoT (internet of things) devices with lax security protocols, giving it the ability to involve over 100,000 malicious endpoints. 

This resulted in disrupted internet service for more than 900,000 Deutsche Telekom customers in Germany, over 2,400 TalkTalk routers in the UK, and over 80 models of home security cameras globally. That’s not to mention the whole raft of high-profile websites such as Twitter, AirBnB and Netflix, that became inaccessible in the course of the attack, buckling under the volume of traffic directed to their services.

A sleeping malware giant in our midst
Over a year later, we can ask what lessons have been learned, and where we go to next. It is clear that Mirai is still very much a disruptor; only last month a new publicly available strain was responsible for infecting 100,000 ZyXEL networking devices in a 60-hour window. 

In this case, attackers were stopped before significant damage could be done to portions of the internet, but unfortunately Mirai and similar malware used to launch DDoS attacks still remain a clear and present danger to organizations around the world.

The core Mirai malware code is publicly available, and due to the power of commodity hardware, it would not take much for even the lowliest of cyber-criminals to initiate a potentially devastating attack. In late November, a new piece of malware based on Mirai, dubbed “Satori” has since gone on to spread rapidly, scanning the global internet for vulnerable devices at the rate of millions a day, looking for openings, and infecting them.

The findings of Neustar’s most recent Global DDoS Attacks and Cyber Security Insights Report affirmed that DDoS attacks continue to be an effective means to distract and confuse security teams while inflicting serious damage on organizations. There has been a 27% increase in the number of breaches per DDoS attack, despite the volume of attacks being relatively consistent with this time last year.

It seems that attackers are achieving higher levels of success against organizations they only hit once, with 92% of those attacked suffering the consequences: 52% of organizations reported a virus associated with a DDOS attack, 35% reported malware, 21% reported ransomware and a particularly troubling 18% reported lost customer data. 

Over a twelve-month period, 75% of respondents recorded multiple DDoS attack attempts following an initial assault on their organization’s network. The resulting breach ratio increases as the number of DDoS attacks increases, but the net result is it only takes one attack to breach an organization’s defenses. 

Attacks with surgical precision
This research suggests that opportunistic cybercriminals are focused on taunting defenses, probing network vulnerabilities and executing more targeted strikes, instead of making noise with a singular, large attack, as we had originally seen with Mirai.

While we may not see volumetric attacks on the same scale as that in the near future, the accumulative damage and cost of DDoS attacks of all sizes in the next year could be considerably worse. The average organization faces combined revenue risk disruption of $4.3M as a result of DDoS attacks, a figure that is continuing to rise. 

There is also a clear correlation between the proliferation of IoT devices and the types of attacks, with 76% of organization’s suffering a DDoS attack though their IoT connections in the past year. While large scale DDoS attacks will continue to command great attention in the media, cyber-criminals are increasingly targeting the web application layer. This has become the most exploited layer in the network stack, and can be as, if not more damaging than a typical DDoS attack. 

Web application layer attacks, or ‘layer 7’ attacks as they’re often called, are a direct result of a hacker spotting a vulnerability in an existing programme within an organization’s web presence. These attacks are more specific than DDoS attacks, with a targeted approach to damaging vulnerable software. Application attacks are also the most difficult attacks to detect, and provide little to no advanced warning before they destroy an organization’s application. 

The good news is that warnings have not gone unheeded. More than 80% of companies surveyed claim to be investing more in DDoS protection over the past year. In addition, protection against application layer threats has increased significantly with Web Application Firewall (WAF) deployments, which protect users by filtering, monitoring, and blocking HTTP traffic to and from a web application, having nearly tripled in the past seven months. 

DDoS attacks reached unprecedented levels in 2017 and all recent trends indicate that 2018 is going to see the situation worsen dramatically. Today’s cybercriminals have the wherewithal to surgically target individual organizations, or initiate brute force attacks with the potential to cause catastrophic damage on a global scale. For many cybersecurity professionals, there is no respite, with attackers probing and often breaching defenses on a daily basis.

Future proofing mitigation networks to stop attacks before they reach their target destination will save billions each year, but we must continually innovate in the face of such adversity if we are to successfully offer protection against an increasingly diverse threat landscape.

What’s Hot on Infosecurity Magazine?