DDoS has an understandable reputation as a blunt instrument. It has a track record as an unsophisticated, brute force weapon that requires only basic computer skills to wield in anger.
Today’s teenagers can, and often do, use DDoS to flood gaming websites with malicious traffic and bring the intended victims (or opponents) to their knees. Or so the thinking goes.
The truth is that DDoS has been evolving to become more of a surgical instrument of criminal extortion. A scalpel – to carve out a crucial and targeted part of a larger campaign – and with every passing year it gets sharper and is used in increasingly sophisticated ways. This is borne out in Corero’s latest 2021/22 DDoS Threat Intelligence Report, which highlights the realities of DDoS threats, how they’re changing and how security teams need to respond.
Most DDoS attacks are small and short
The reality of DDoS on the Internet today is that most attacks are not atomic bombs, they are precision strikes. The vast majority of attacks are small in comparison to the headline-grabbing incidents. Corero research reports 97% are below 10 Gigabits per second (Gbps) and 81% are under 250,000 packets per second (pps).
There are a whole range of potential reasons for these tactics. Attacks are often used as part of a campaign using multiple cyber threat vectors in which DDoS attacks may serve as a force-multiplier or distraction in a larger assault.
Another theory suggests, however, that these types of attacks have evolved and become popular because many legacy solutions cannot detect them. Their size or duration allows them to effectively evade or outrun many older-style detection solutions into thinking that they are just normal traffic. This is particularly true when this type of attack is sprayed across many adjacent victims in what is sometimes called a carpet bomb attack. Effectively, a series of easy to launch, smaller attacks spread over a wider target area can be parlayed into a destructive force that does just as much damage as one large scale, and harder to accomplish assault.
This annual trend of increased threat has been the reality of DDoS for quite some time. But it is also true that DDoS attack fallout often goes unrecognised or is misidentified as more general network issues or connection problems. Organisations need to get to grips with the DDoS issue if they want to protect themselves from these threats – past and present.
Open VPN
One representative development in the DDoS weapons landscape over the last few years is the rise in the use of OpenVPN reflection attacks.
It is one of the more peculiar side effects of the global pandemic in relation to DDoS. As lockdown orders set in around the world in early 2020, many more companies resorted to the use of VPNs to establish secure connections between office networks and home workers. This proved to be an opportunistic gold mine for DDoS attackers.
They started using OpenVPN, a popular style of VPN tools, as a DDoS reflection and amplification vector to great effect. According to the report, these types of OpenVPN attacks have risen by 297% since the start of the Covid-19 pandemic.
Attackers are combining new and old vectors
New DDoS vectors are constantly appearing. Our data shows that unique DDoS attack vectors are increasing year over year. Some of the most recent vectors include the new TP240 PhoneHome and Hikvision SADP vulnerabilities, both of which can be used to launch damaging DDoS reflection and amplification attacks.
DDoS attackers are consistently seizing on these new opportunities. It is now standard practice to use a combination of long-standing attack vectors, supplemented with a fresh layer of these novel, recently discovered enhancements. Awareness of DDoS isn’t enough.
Data from our report confirms that DDoS vector awareness alone, is not a sufficient defence. In July 2020, the FBI released an alert disclosing and highlighting four new DDoS attack vectors. Despite that warning and the resulting boost in awareness, the malicious use of those vectors grew throughout 2020 and again we report that they were still significantly active in 2021.
The future of DDoS
DDoS frequency and peak attack power has grown massively in recent years. In yet another example of the continuing evolution, the advent of the Mirai botnet in the Internet of Things (IoT) environment gives us an insight into how this came to pass. Exploiting a large population of poorly secured IoT devices, Mirai managed to perpetrate some of the largest DDoS attacks on record and cripple popular websites and internet infrastructure and – by some accounts – the internet of the entire country of Liberia.
The key to its success was the viral infection or ‘pwning’ of a significant population of IoT devices. DDoS attackers are continuing to exploit the same techniques. The problematic insecurity of the cheap, numerous and poorly secured IoT device is a green pasture for DDoS attackers who can herd together vast armies of these insecure devices and then instruct them via command and control (aka CnC or C2) networks to simultaneously unleash their flood power against a victim or victims.
The IoT keeps growing and its capabilities are forecast to grow even faster. 5G and IoT-based networks will expand the frontier of edge-oriented communications, data collection, and computing. Left unprotected, this array of newly-defined internet access points will constitute a DDoS vulnerable flank, enabling attackers to bypass legacy core DDoS protection mechanisms. It’s difficult to imagine the rapid roll-out of these transformative capabilities for the common good without simultaneously enabling DDoS attackers to do the same unless industry-wide changes are made to enhance the deployment of DDoS protection.
Stopping DDoS threats
Inflexible solutions cannot keep up with the increasingly complex nature of DDoS. Given that most DDoS attacks are small and short, many legacy protections will not detect them. Likewise many legacy solutions cannot respond fast enough to DDoS attacks – some even require a customer to complain of a problem before they are activated.
No single DDoS solutions can offer truly effective protection in isolation. Cloud-based DDoS detection and mitigation services are profoundly useful in diverting very large DDoS attacks to cloud-based scrubbing facilities. However, they cannot operate locally in real time as they typically need to detect attack traffic and then redirect it to the cloud. To put it simply, the attack has to hit first, making some resulting downtime inevitable.
Meanwhile, on-premises or on-network solutions are crucial for locally detecting attacks and stopping attack traffic in real-time before it hits the enterprise applications. However, they could struggle with the sheer size of infrequent but powerful DDoS attacks that enterprises may have to face.
Enterprises would be wise to consider a hybrid solution which fuses these two approaches together. Cloud-based protection can be on standby to soak up excessive saturating traffic, while on-premises defences will provide the rapid response to the vast majority of DDoS attacks while also providing valuable time needed to swing excess traffic to the cloud. This combination prevents downtime and provides real-time protection against the DDoS attacks of the present and near-future.
