Distributed denial of service (DDoS) attacks continue to evolve, and will remain a major threat to most organizations for the foreseeable future. A combination of factors is driving the trend, including the emergence of IoT and mobile botnets, the easy availability of for-hire services in criminal marketplaces and an increase in criminal actors seeking to monetize DDoS attacks.
“DDoS is and will continue to be an often-used tool in the attacker’s toolkit,” said Mike Kun, manager of the security intelligence team at Akamai. “It is a cheap, easily customizable way to disrupt and degrade a target’s Internet assets.”
Reports from multiple security vendors show that DDoS attacks grew in number in 2017. Kaspersky Lab estimated that some 33 percent of organizations faced a DDoS attack last year, up from just 17 percent in 2016. Forty-one percent of the victims were large enterprises, 33 percent were SMBs and 20 percent were very small businesses. Certain types of DDoS attacks—such as ICMP and UDP attacks—became rare, while other types of attacks, including HTTP attacks and SYN DDoS attacks, grew.
The IoT and Mobile Botnet Threat
Few expect attack trends to reverse dramatically in volume anytime soon. For one thing, the proliferation of IoT and mobile devices in recent years has given attackers new resources for assembling massive DDoS botnets. Last year’s WireX botnet, one of the largest ever used for DDoS purposes, was built entirely from tens of thousands of infected Android devices in some 100 countries. Malware families such as Mirai and Reaper have given attackers the ability to assemble similarly huge attack botnets from routers, webcams, DVRs and other ordinary consumer IoT devices. Such botnets have given attackers new, harder-to-disrupt resources for launching damaging DDoS attacks.
“Many attackers have seen the value in exploiting a vast pool of poorly secured and, occasionally, unpatchable devices,” Kun said. “As more vendors add an IP address to a device, companies willing to cut corners on security to save costs will keep feeding the pool of vulnerable devices that attackers can leverage.”
DDoS as a Service
Threat actors offering DDoS-for-hire services are another factor. Last October, the FBI warned of an increase in the scale and frequency of DDoS attacks resulting from the ready availability of so-called “booter” and “stresser” services via cybercrime forums. Such services sell access to botnets that malicious actors can use to anonymously launch DDoS attacks against targets of their choice. Booters and stressers have made it possible for adversaries to execute DDoS attacks without having to create their own infrastructure for it and with little risk of attribution.
“Bad guys no longer need a great deal of sophistication to launch a DDoS attack,” said Joseph Blankenship, an analyst at Forrester Research. “So long as I am able to pay, I am able to conduct a DDoS attack.”
The Monetization of DDoS Attacks
Attack motivations have changed as well. For many cybercriminals, DDoS attacks are no longer just a way to disrupt a victim’s services: they are used to extort money, to distract defenders from other malicious activity, and to hurt competitors.
Threat groups such as Lizard Squad and the Armada Collective have extorted tens of thousands of dollars from organizations by merely threatening to hit them with a DDoS flood. Another group, DD4BC (DDoS For Bitcoin), has harassed several financial services companies for bitcoin payment in exchange for not hitting them with a DDoS attack.
In a growing number of instances, enterprises are being asked to pay up to make an actual DDoS attack stop, said Blankenship. “One thing we have seen is a trend toward attacking businesses for competitive benefit.” This has been a problem especially in the gaming industry, with businesses sometimes using DDoS attacks to slow down a rival site, he noted.
The Mitigation Challenge
From a mitigation standpoint, bad actors these days operate under the notion that their target is likely to be protected by a service that can handle vast amounts of DDoS attack traffic, said Igal Zeifman, security evangelist for Imperva.
“As mitigation solutions have scaled up, bad actors have been forced to think outside of the [box] and look for other, more clever ways to break through security services and appliances,” he said. The result: DDoS attacks these days tend to be less predictable and, therefore, more difficult to stop.
For instance, DDoS attacks have become generally shorter, more powerful and more persistent than in previous years, Zeifman said. Nearly 70 percent of DDoS attacks at the network layer in 2017 lasted less than 30 minutes and targeted the same victim 17.7 times. There has also been an increase in the use of high-packet-rate assaults, in which the target has to deal with a massive number of DDoS packets each second. “Measured in millions of packets per second, we saw these attacks scale as high as 650Mpps” in 2017, he said.
Cybercriminals have also begun combining DDoS attack types to make mitigation harder, Blankenship noted. A growing number of attacks these days are targeted at the application layer, which means network-level mitigations alone are no longer enough. It is not uncommon these days to see organizations targeted with a combination of attacks at the network and application layers, he said. In fact, according to Kaspersky Lab, mixed multi-component attacks that combined SYN, TCP connect, HTTP flood and UDP flood attacks represented a substantial proportion of DDoS attacks last year and are gaining in popularity.
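The two preceding paragraphs describe the traits defenders now have to detect: short bursts, repeated hits on the same victim, high packet rates and mixed network- and application-layer vectors. The following is an added example, not code from any vendor quoted above, that runs simple burst and vector heuristics over constructed one-second flow summaries; the vector rules, thresholds and sample numbers are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed one-second flow summaries toward a single victim (not real telemetry):
# (second, proto, tcp_flags, dst_port, packets, bytes)
FLOWS = [
    (0,  "tcp", "S",  443, 900_000,   54_000_000),   # SYN flood: bare SYNs, no payload
    (0,  "udp", "",   53,  400_000,   400_000_000),  # UDP flood in the same second
    (1,  "tcp", "S",  443, 950_000,   57_000_000),
    (1,  "udp", "",   53,  450_000,   450_000_000),
    (5,  "tcp", "PA", 443, 2_000,     1_500_000),    # ordinary traffic between bursts
    (10, "tcp", "PA", 80,  600_000,   420_000_000),  # HTTP flood: full requests
    (10, "tcp", "A",  80,  700_000,   42_000_000),   # TCP connect flood: handshakes only
    (11, "tcp", "PA", 80,  650_000,   455_000_000),
    (20, "tcp", "S",  443, 1_200_000, 72_000_000),   # third hit on the same victim
]

PPS_THRESHOLD = 500_000   # assumed alert level; tune to the link's normal baseline
MAX_GAP_S = 3             # quiet seconds that still count as the same burst

def vector(proto, flags, dport, packets, nbytes):
    """Rough vector label from flow fields (assumed heuristics, not a product rule)."""
    if proto == "udp":
        return "udp_flood"
    if flags == "S":
        return "syn_flood"
    has_payload = nbytes / max(packets, 1) > 100   # more than a bare TCP/IP header
    if dport in (80, 443) and has_payload:
        return "http_flood"
    return "tcp_connect"        # completed handshakes carrying no application data

def bursts(flows, threshold=PPS_THRESHOLD, max_gap=MAX_GAP_S):
    """Group seconds whose aggregate pps exceeds the threshold into attack bursts."""
    per_sec = defaultdict(lambda: {"pps": 0, "vectors": set()})
    for t, proto, flags, dport, pkts, nbytes in flows:
        per_sec[t]["pps"] += pkts
        per_sec[t]["vectors"].add(vector(proto, flags, dport, pkts, nbytes))
    hot = sorted(t for t, s in per_sec.items() if s["pps"] > threshold)
    out = []
    for t in hot:
        if out and t - out[-1]["end"] <= max_gap:
            b = out[-1]
            b["end"] = t
        else:
            b = {"start": t, "end": t, "peak_pps": 0, "vectors": set()}
            out.append(b)
        b["peak_pps"] = max(b["peak_pps"], per_sec[t]["pps"])
        b["vectors"] |= per_sec[t]["vectors"]
    for b in out:                       # len(out) is the repeat-hit count for this victim
        b["duration_s"] = b["end"] - b["start"] + 1
        b["multi_vector"] = len(b["vectors"]) > 1
    return out
```

On the sample data this yields three bursts against the one victim, two of them multi-vector (SYN plus UDP, then HTTP flood plus TCP connect), which is the pattern the mixed network- and application-layer campaigns described above leave in flow telemetry.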
DDoS mitigation has become essential to protecting digital businesses, Blankenship said in a recent Forrester DDoS report. Firewalls and intrusion prevention systems that come with some built-in DDoS mitigation are not sufficient. Organizations, especially in heavily targeted sectors such as financial services, should also consider some of the on-premises, in-cloud and hybrid DDoS mitigation options currently available, he said.