Distributed denial of service (DDoS) attacks are increasing in size, frequency and duration.

Kaspersky Lab reported a doubling of DDoS attacks in the first quarter of 2020 compared with the fourth quarter of 2019, plus an 80% jump compared with the same quarter last year.

Kaspersky also found that DDoS cyberattacks are increasing in duration. Average attack duration increased 24% in the first quarter of 2020 compared with the year-ago quarter. Meanwhile, maximum attack duration more than doubled in the first quarter compared to the same quarter last year.

A recent DDoS attack against a large European bank clocked in at 809 million packets per second, more than double the previous record on the Akamai platform.

Akamai reported a 1.44 terabits per second attack against an internet service provider last month. The attack came from nine different vectors, lasted for more than an hour, and maintained an intensity of 1.3 terabits per second.

In February, Amazon Web Services (AWS) saw a record 2.3 terabits per second DDoS attack. This was 44% larger than any previous DDoS detected by AWS.

Types of DDoS Attacks

Akamai explained that bits-per-second (BPS) and packets-per-second (PPS) attacks have different approaches to targeting victims. With BPS attacks, the goal is to overwhelm the inbound internet pipeline. It bombards the circuit with more traffic than it can handle. With PPS attacks, the aim is to overwhelm network gear and applications in the victim’s data center or cloud environment, exhausting resources. While taking different approaches, both types of DDoS attacks can have devastating effects on victims.

“Looking holistically at DDoS activity since the onset of 2020, it is clear that large, sophisticated DDoS attacks are still a significant attack vector,” says Tom Emmons, principal product architect at Akamai.

Most of the DDoS attacks involved SYN flooding, which is a protocol attack. This is one of three DDoS types, along with volumetric and application attacks.
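To make the BPS, PPS and SYN-flood distinctions above concrete, here is an added detection example that is not code from the article or from any vendor quoted in it: it computes per-second counters over a packet sample and labels the window. The record layout, the capacity thresholds and the sample traffic are all constructed assumptions.

```python
# Added example, not code from the article: classify a one-second packet
# sample into the BPS / PPS / SYN-flood categories described above.
# Record layout, thresholds and all sample traffic are constructed assumptions.
from dataclasses import dataclass

@dataclass
class Pkt:
    src: str    # source IP address
    size: int   # bytes on the wire
    flags: str  # TCP flags such as "S", "SA", "A"; "" for non-TCP packets

# Assumed capacity of the monitored circuit and edge gear (tune per site).
LINK_BPS = 1_000_000_000   # 1 Gbit/s inbound pipe
PPS_LIMIT = 200_000        # packets/s the edge devices forward comfortably
SYN_RATIO_LIMIT = 0.8      # share of TCP packets that are bare SYNs
SOURCES_LIMIT = 1_000      # distinct sources seen in one second

def window_stats(pkts, seconds=1.0):
    """Per-second counters for one capture window."""
    tcp = [p for p in pkts if p.flags]
    syn_only = sum(1 for p in tcp if p.flags == "S")
    return {
        "pps": len(pkts) / seconds,
        "bps": sum(p.size for p in pkts) * 8 / seconds,
        "syn_ratio": syn_only / len(tcp) if tcp else 0.0,
        "sources": len({p.src for p in pkts}),
    }

def classify(stats):
    """Map the counters to the attack types the article distinguishes."""
    labels = []
    if stats["bps"] > 0.9 * LINK_BPS:          # inbound pipe saturation (BPS)
        labels.append("bps_flood")
    if stats["pps"] > PPS_LIMIT:               # gear/state exhaustion (PPS)
        labels.append("pps_flood")
    if stats["syn_ratio"] > SYN_RATIO_LIMIT and stats["pps"] > PPS_LIMIT / 10:
        labels.append("syn_flood")             # protocol attack
    if labels and stats["sources"] > SOURCES_LIMIT:
        labels.append("distributed")           # per-source blocking will not help
    return labels

def sample(n, size, flags, n_src):
    """Constructed traffic: n packets spread evenly over n_src source addresses."""
    return [Pkt(f"10.{(i % n_src) // 256}.{(i % n_src) % 256}.1", size,
                flags[i % len(flags)]) for i in range(n)]

# Constructed one-second windows: benign mix, SYN flood, UDP volumetric flood.
WINDOWS = {
    "benign": sample(5_000, 500, ["S", "SA", "A", "A"], 300),
    "syn": sample(50_000, 60, ["S"], 5_000),
    "volumetric": sample(100_000, 1_400, [""], 3_000),
}

if __name__ == "__main__":
    for name, pkts in WINDOWS.items():
        print(name, classify(window_stats(pkts)))
```

The SYN window stays far below the pipe's capacity yet is still flagged, which is the point of the PPS/protocol category: the damage is state exhaustion, not bandwidth.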

DDoS Attackers Exploiting COVID-19

Many of these DDoS attacks are exploiting the COVID-19 pandemic by targeting healthcare organizations, educational platforms and government agencies.

For example, the number of DDoS attacks on educational and administrative web resources tripled in the first quarter of 2020 compared with the year-ago quarter. Kaspersky predicted that corporate infrastructure, such as VPN gateways, will receive more DDoS attacks as the shift to remote working becomes the ‘new normal.’

Imperva recently found that application DDoS attacks are lasting longer. Two attacks in June lasted five to six days and originated from up to 28,000 unique IP addresses. The most targeted industries were media, business and financial services.

Another development fueling DDoS attacks is botnet-for-hire services. Providers of these services are battling for control of home routers to use in their botnets, according to Trend Micro research.

Cybercriminals then sell access to these botnets for DDoS attacks or to anonymize click fraud, data theft and account takeover.

“Cybercriminals know that a vast majority of home routers are insecure with default credentials and have ramped up attacks on a massive scale,” explains Jon Clay, director of global threat communications at Trend Micro.

“For the home user, that’s hijacking their bandwidth and slowing down their network. For the businesses being targeted by secondary attacks, these botnets can totally take down a website, as we’ve seen in past high-profile attacks,” Clay says.

How to Prevent Attacks

The data is clear. By all measures, DDoS attacks are increasing. This is bad news for businesses that are in the attackers’ cross-hairs.

What distinguishes a DDoS attack from a run-of-the-mill denial of service attack? The malicious traffic comes from distributed sources around the world, such as a botnet made up of millions of devices, instead of a single source. That distribution renders regular firewalls and intrusion detection systems practically useless in thwarting the attack.

There are several things organizations can do to prevent attacks and mitigate their impact.

Rachel Kartch, a researcher at Carnegie Mellon University’s Software Engineering Institute, advises organizations to implement four best practices for DDoS attack mitigation.

  1. Make architecture as resilient as possible. Organizations should disperse assets to avoid presenting an attractive target to an attacker. They should locate servers in different data centers, ensure that data centers are located on different networks and have diverse paths and make sure that data centers and networks have no bottlenecks or single points of failure.
  2. Deploy hardware that can handle DDoS attacks. Organizations should use settings in network and security hardware designed to protect network resources. Many next-generation network firewalls, web application firewalls, and load balancers can defend against protocol and application attacks. Specialty DDoS mitigation equipment can also be deployed.
  3. Scale up network bandwidth. If organizations can afford it, they should scale bandwidth to absorb volumetric attacks. This step might be difficult for smaller organizations that do not have the financial resources to invest in more bandwidth.
  4. Employ DDoS mitigation providers. Organizations can turn to large providers that specialize in responding to DDoS attacks. These providers offer cloud scrubbing services that divert attack traffic to a mitigation center before it reaches the organization’s network.

Paul Rubens, a security writer with eSecurity Planet, recommends organizations protect their DNS servers by putting them in various data centers behind load balancers or moving to a cloud-based DNS provider.

According to security experts consulted by Bank InfoSecurity, companies should use cloud-based web servers that can handle the high traffic volumes of a DDoS attack, conduct exercises that simulate real-world DDoS attacks, put in place outage mitigation and response strategies before a DDoS attack hits and train staff on how to recognize and respond to a DDoS attack.

“While technical mitigation is a necessity, educating users within the enterprise that security is a mindset, not an exception, can also reduce these incidents,” says Bill Brenner, director of research at IANS and former senior program manager at Akamai.
