DDoS attacks get smarter
New DDoS techniques, new targets and a new class of attackers continue to reinvent one of the internet's oldest threats. Distributed denial of service attacks, which take websites offline by overwhelming a domain or a specific piece of application infrastructure with massive traffic flows, remain a major challenge for businesses. Being knocked offline hurts revenue, customer service and basic business functions, and the people behind these attacks keep sharpening their methods to become more successful over time. Several new trends are emerging in the 2018 distributed denial of service (DDoS) threat landscape, including a shift in tactics that has pushed volumetric campaigns to new highs: attacks that rely on a wall of large-packet traffic to exhaust the bandwidth of a website and take it down.
One of the most ominous changes in the DDoS landscape is the growth in the peak size of volumetric attacks. Attackers continue to use reflection and amplification techniques that abuse openly reachable DNS, NTP, SSDP, CLDAP, Chargen and other UDP services to maximize the scale of their attacks: a small request carrying the victim's spoofed source address is answered with a much larger reply that the service sends to the victim. In February 2018 a 1.3 Tbps DDoS attack against GitHub set a record for volume; it was twice the size of the previous largest attack on record and showed that new amplification techniques give attackers unprecedented power. Five days later an even larger attack was launched, reaching 1.7 Tbps. Together these showed that DDoS attackers are more than able to keep pace with the growing bandwidth pipes that businesses rely on.
The technique used in February and March relied on misconfigured memcached servers reachable from the public internet. Memcached is an in-memory key-value cache that database-driven websites use to speed up responses. Unfortunately, a lot of deployments run with an insecure default configuration that accepts unauthenticated commands over User Datagram Protocol (UDP). Because UDP has no handshake, an attacker can send a small request with the victim's spoofed source address and the server delivers its reply, potentially a very large cached value spread over many datagrams, to the victim; the amplification can reach as much as 50,000 times the size of the request. That means attackers need far fewer resources: they can send out only a small amount of traffic and still end up with a massive attack.
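The two mechanisms described above, reflection from well-known UDP services and the memcached UDP framing that turns one small request into a stream of large reply datagrams, as an added example that is not code from the article. It flags the reply half of a reflection attack in flow records and decodes memcached's 8-byte UDP frame header; the flow records, addresses, byte counts, datagrams and the 600-byte average-packet threshold are constructed assumptions for illustration.

```python
"""Flag UDP reflection/amplification replies in flow records and decode the
memcached UDP framing that lets one request return many large datagrams.

Added example for this article, not code from the page. The flow records,
addresses, byte counts and datagrams below are constructed for illustration.
"""
from dataclasses import dataclass
import struct

# UDP services the article names as reflector sources, keyed by the port an
# amplified reply is sent FROM (the victim only ever sees the reply half).
REFLECTOR_PORTS = {19: "Chargen", 53: "DNS", 123: "NTP", 389: "CLDAP",
                   1900: "SSDP", 11211: "memcached"}

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str  # "udp" or "tcp"
    packets: int
    byte_count: int

def flag_reflection(flows, min_avg_packet=600):
    """Return (service, flow) pairs for UDP flows that look like amplified replies.

    Heuristic (this example's assumption, not a rule from the article): a UDP
    flow whose SOURCE port is a known reflector service and whose packets are
    large on average is the reply half of a reflection attack.
    """
    hits = []
    for f in flows:
        if f.proto != "udp" or f.packets == 0:
            continue
        service = REFLECTOR_PORTS.get(f.src_port)
        if service and f.byte_count / f.packets >= min_avg_packet:
            hits.append((service, f))
    return hits

def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification factor: reply bytes emitted per request byte."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes

# memcached UDP frame header (memcached protocol.txt): request id, sequence
# number, total datagrams in this message, reserved (must be 0).
MEMCACHED_UDP_HDR = struct.Struct("!HHHH")

def parse_memcached_udp(datagram: bytes):
    """Split a memcached UDP datagram into (request_id, seq, total, payload);
    None when the 8-byte header is absent or inconsistent, so a detector can
    separate real memcached replies from other UDP noise on port 11211."""
    if len(datagram) < MEMCACHED_UDP_HDR.size:
        return None
    rid, seq, total, reserved = MEMCACHED_UDP_HDR.unpack_from(datagram)
    if reserved != 0 or total == 0 or seq >= total:
        return None
    return rid, seq, total, datagram[MEMCACHED_UDP_HDR.size:]

def reassemble_memcached_reply(datagrams):
    """Join a multi-datagram memcached reply in sequence order, or None if a
    frame is malformed, belongs to another request, or is missing. A single
    'get' for a large value legitimately returns hundreds of such datagrams,
    which is where the amplification comes from."""
    frames, rid, total = {}, None, None
    for d in datagrams:
        parsed = parse_memcached_udp(d)
        if parsed is None:
            return None
        r, seq, t, payload = parsed
        if rid is None:
            rid, total = r, t
        elif (r, t) != (rid, total):
            return None
        frames[seq] = payload
    if total is None or len(frames) != total:
        return None
    return b"".join(frames[i] for i in range(total))

# Constructed sample: a normal DNS reply, a memcached reply flow hammering a
# web server, and an ordinary outbound TCP session.
SAMPLE_FLOWS = [
    Flow("192.0.2.53", 53, "198.51.100.10", 41000, "udp", 1, 120),
    Flow("203.0.113.7", 11211, "198.51.100.10", 80, "udp", 4000, 5_600_000),
    Flow("198.51.100.10", 44321, "93.184.216.34", 443, "tcp", 30, 12000),
]

if __name__ == "__main__":
    for service, f in flag_reflection(SAMPLE_FLOWS):
        print(f"{service} reflection {f.src_ip}:{f.src_port} -> {f.dst_ip}, "
              f"{f.byte_count / f.packets:.0f} bytes/packet")
    # A 15-byte request pulling back a 1 MB cached value: the factor of tens
    # of thousands the article cites falls straight out of the arithmetic.
    print(f"amplification ~{amplification_factor(15, 1_000_000):.0f}x")
```

The source-port heuristic is deliberately coarse: a legitimate DNS or NTP reply is a few hundred bytes, so the average-packet-size cut separates ordinary replies from amplified ones in practice, but tune the threshold against your own baseline before alerting on it.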
The good news is that even as the peaks get larger, massive attacks are dealt with quickly. They are big but relatively easy to defend against: blocking memcached attacks is a matter of upstream (ISP) filtering on the obvious signature of the reflected traffic, UDP replies from port 11211, combined with operators closing the open reflectors, after which the attack traffic simply goes away. Attackers, however, are most certainly looking for the next major reflector source. Expect a huge attack, then IT security teams coming in and shutting some of those resources down. This is cyclical: we saw it with NTP and DNS and now with memcached, and it will happen again. The implications of being able to reach new attack heights could be profound going forward. The undersea cable between Europe and the U.S. has a capacity of about 3.2 terabits per second; push that much attack traffic through that pipe and you gum up the works for a very long time, for a lot of companies. Many countries do not even have 1.3 terabits per second of total inbound capacity, so we are starting to look at attacks that can take whole countries offline. This kind of doomsday scenario is not without precedent. In 2016 a Mirai botnet variant known as Botnet 14 spent seven days continually attacking the west African nation of Liberia, flooding the two companies that co-own the only fiber into the country with 600 Gbps, overwhelming the cable's capacity and knocking the country offline.
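Shutting down an open reflector, on the operator's side, comes down to two settings: disable memcached's UDP listener and bind it to a loopback or internal address. The audit below is an added example, not code from the article or from the memcached project. It assumes a Debian-style /etc/memcached.conf where each line is one command-line option, and the constructed weak and hardened configurations are embedded for comparison; option meanings (-U for the UDP port, 0 disabling it; -l for the listen address) follow the memcached man page, and recent memcached releases already ship with UDP disabled by default.

```python
"""Audit a memcached.conf for the exposure that made the 2018 reflection
attacks possible: UDP left on and the daemon listening on a public address.

Added example, not from the article or the memcached project. Both configs
below are constructed; option meanings follow the memcached man page:
  -U <port>  UDP port (0 disables UDP)
  -l <addr>  listen address(es), comma separated
  -p <port>  TCP port
"""
import ipaddress
import shlex

WEAK_CONF = """\
# /etc/memcached.conf (constructed, insecure)
-m 64
-p 11211
-U 11211
-u memcache
-l 0.0.0.0
"""

HARDENED_CONF = """\
# /etc/memcached.conf (constructed, hardened)
-m 64
-p 11211
-U 0
-u memcache
-l 127.0.0.1
"""

def parse_memcached_conf(text: str) -> dict:
    """Return {flag: value} for the last occurrence of each option.

    Lines are '-x value' or a bare '-x'; '#' starts a comment, as in the
    Debian packaging of memcached.conf.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        opts[parts[0]] = parts[1] if len(parts) > 1 else None
    return opts

def _is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr.strip()).is_loopback
    except ValueError:
        return addr.strip() == "localhost"

def audit(text: str) -> list:
    """List the findings a reviewer would raise for this config (empty == clean)."""
    opts = parse_memcached_conf(text)
    findings = []

    udp = opts.get("-U")
    if udp is None:
        findings.append("UDP port not set: relies on the build default "
                        "(enabled on older releases); set '-U 0'")
    elif udp != "0":
        findings.append(f"UDP enabled on port {udp}: set '-U 0'")

    listen = opts.get("-l")
    if listen is None:
        findings.append("no -l: listens on all interfaces; bind to 127.0.0.1 "
                        "or an internal address")
    else:
        public = [a.strip() for a in listen.split(",") if not _is_loopback(a)]
        if public:
            findings.append(f"listening on non-loopback {public}; make sure "
                            "the host firewall blocks 11211 from outside")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])
```

Run it against the real file with `audit(open("/etc/memcached.conf").read())`; an internal-address finding is only informational, since a cache shared between application servers legitimately listens on a private interface, but that host then needs a firewall rule keeping 11211 off the internet.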
DDoS has traditionally been unsophisticated: it does not require a closed loop in which you steal data and have to get it back to yourself. Typically you just send traffic at a pipe with the goal of filling it up. What has been seen recently is that those very large, unsophisticated attacks make up a small proportion of all DDoS activity. Across all DDoS attacks, the majority, just over 70 percent, are under 1 Gbps. This is because attackers are moving away from simplistic brute force toward more sophisticated techniques. Modern DDoS toolkits can launch both infrastructure-level and application-level attacks. Application-layer attacks are sneakier and can be very targeted: rather than overwhelming a company's broadband connection or DNS infrastructure, they focus on one aspect of the victim's communications, such as a VoIP server, and aim to exhaust specific server resources by monopolizing processes and transactions.
Attacks use just enough traffic to succeed. Most enterprises have around 100 Mbps of bandwidth coming into a location, so attackers do not need a large attack to be effective. These are small, specially crafted attacks in which the attacker first works out where a service is hosted and then launches just enough traffic to exceed the limits of the target's bandwidth. This approach is more precise and effective, requires fewer resources, and often flies under the radar because the volume of bad traffic is close to that of the normal traffic entering the enterprise. In the wake of the 2009 Iranian presidential election, several high-impact, low-bandwidth attacks were launched against Iranian government-run sites. Large-bandwidth attacks still make up 30 percent of the DDoS attacks seen in the wild, but they are sometimes used as a distraction to hide other activity, such as stealing data; almost 50 percent of attacks fell into this category.
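Because an application-layer attack is sized to blend in with normal traffic, a request-rate threshold alone will not single it out; what gives it away is that a small share of requests consumes most of the server's time. The detector below is an added example, not code from the article. It assumes an nginx-style access log with the request service time appended (log_format '$remote_addr - [$time_local] "$request" $status $bytes_sent $request_time'), and the sample log lines, IP addresses and the 50 percent thresholds are constructed for illustration.

```python
"""Pick out a low-volume application-layer flood from web server access logs.

Added example for this article, not code from the page. The log lines are
constructed in an assumed nginx-style format with the request service time
appended: '$remote_addr - [$time_local] "$request" $status $bytes_sent $request_time'.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<rt>\d+(?:\.\d+)?)$'
)

# Constructed sample: four ordinary visitors plus one client (203.0.113.5)
# that sends only a handful of requests, each a wildcard search the backend
# takes about 2.5 s to serve. By request count alone it is unremarkable.
SAMPLE_LOG = """\
198.51.100.20 - [07/May/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 0.012
198.51.100.21 - [07/May/2018:10:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 70321 0.004
203.0.113.5 - [07/May/2018:10:00:02 +0000] "GET /search?q=%25%25%25 HTTP/1.1" 200 2048 2.610
198.51.100.22 - [07/May/2018:10:00:03 +0000] "GET /products/42 HTTP/1.1" 200 8192 0.031
203.0.113.5 - [07/May/2018:10:00:03 +0000] "GET /search?q=%25a%25 HTTP/1.1" 200 2048 2.488
198.51.100.20 - [07/May/2018:10:00:04 +0000] "POST /cart HTTP/1.1" 302 0 0.044
203.0.113.5 - [07/May/2018:10:00:04 +0000] "GET /search?q=%25b%25 HTTP/1.1" 200 2048 2.701
198.51.100.23 - [07/May/2018:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 0.010
203.0.113.5 - [07/May/2018:10:00:05 +0000] "GET /search?q=%25c%25 HTTP/1.1" 200 2048 2.533
198.51.100.21 - [07/May/2018:10:00:06 +0000] "GET /products/7 HTTP/1.1" 200 8100 0.029
203.0.113.5 - [07/May/2018:10:00:06 +0000] "GET /search?q=%25d%25 HTTP/1.1" 200 2048 2.590
198.51.100.22 - [07/May/2018:10:00:07 +0000] "GET /search?q=shoes HTTP/1.1" 200 4096 0.380
203.0.113.5 - [07/May/2018:10:00:07 +0000] "GET /search?q=%25e%25 HTTP/1.1" 200 2048 2.455
198.51.100.23 - [07/May/2018:10:00:08 +0000] "GET /static/app.js HTTP/1.1" 304 0 0.002
"""

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
        "rt": float(m["rt"]),
    }

def find_app_layer_abusers(lines, min_requests=3, min_time_share=0.5,
                           max_request_share=0.5):
    """Clients that consume at least min_time_share of total server time while
    sending at most max_request_share of the requests: the signature of an
    attack that exhausts a specific resource rather than the pipe.
    Returns {ip: summary}."""
    per = defaultdict(lambda: {"requests": 0, "server_time": 0.0,
                               "paths": defaultdict(int)})
    total_req, total_time = 0, 0.0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        p = per[rec["ip"]]
        p["requests"] += 1
        p["server_time"] += rec["rt"]
        p["paths"][rec["path"]] += 1
        total_req += 1
        total_time += rec["rt"]
    flagged = {}
    if total_req == 0 or total_time == 0:
        return flagged
    for ip, p in per.items():
        if p["requests"] < min_requests:
            continue
        req_share = p["requests"] / total_req
        time_share = p["server_time"] / total_time
        if time_share >= min_time_share and req_share <= max_request_share:
            flagged[ip] = {
                "requests": p["requests"],
                "request_share": round(req_share, 3),
                "time_share": round(time_share, 3),
                "top_path": max(p["paths"], key=p["paths"].get),
            }
    return flagged

if __name__ == "__main__":
    for ip, summary in find_app_layer_abusers(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

In the sample the attacking client sends under half of the requests but accounts for well over 90 percent of server time, which is exactly the "monopolizing processes and transactions" pattern the article describes; the top_path field points at the endpoint worth rate-limiting or caching. Against a real log, widen the window (one client can spread the same load across a botnet) and compare server-time share per source network rather than per IP.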