DDoS attacks are relentless. New techniques, new targets and a new class of attackers continue to reinvigorate one of the internet’s oldest nemeses.
Distributed denial of service attacks, bent on taking websites offline by overwhelming domains or specific application infrastructure with massive traffic flows, continue to pose a major challenge to businesses of all stripes. Being knocked offline impacts revenue, customer service and basic business functions – and worryingly, the bad actors behind these attacks are honing their approaches to become ever more successful over time.
Several new themes are emerging in the 2018 distributed denial of service (DDoS) threat landscape, including a shift in tactics to reach new heights in volumetric campaigns, attacks that rely on a sheer wall of large amounts of packet traffic to overwhelm the capacity of a website and take it town.
However, while these traditional, opportunistic brute-force DDoS attacks remain a menace has emerged. These DDoS threats are more sophisticated and micro-targeted attacks. They take aim at, say, a specific application rather than a whole website. These type DDoS attacks are a rapidly growing threat, as are “low and slow” stealthier offensives. At the same time, bot herders are working on expanding their largely IoT-based botnet creations, by any means possible, often to accommodate demand from the DDoS-as-a-service offerings that have created a flood of new participants in the DDoS scene. Those new entrants are all competing for attack resources, creating a demand that criminals are all too happy to fulfill.
“Attacks are getting larger, longer and more complex, as [the tools used to carry out attacks] are becoming more available,” said Donny Chong, product director at Nexusguard. “DDoS used to be a special occurrence, but now it’s really a commonplace thing – and the landscape is moving quickly.”
Terabit Era Dawns
One of the most notable evolutions in the DDoS landscape is the growth in the peak size of volumetric attacks. Attackers continue to use reflection/amplification techniques to exploit vulnerabilities in DNS, NTP, SSDP, CLDAP, Chargen and other protocols to maximize the scale of their attacks. Notably however, in February the world saw a 1.3 Tbps DDoS attack against GitHub—setting a record for volume (it was twice the size of the previous largest attack on record) and demonstrating that new amplification techniques can give unprecedented power to cybercriminals. Just five days later, an even larger attack launched, reaching 1.7 Tbps. These showed that DDoS attackers are more than able to keep up with the growing size of bandwidth pipes being used by businesses.
The technique used in February and March made use of misconfigured Memcached servers accessible via the public internet. Memcached servers are used to bolster responsiveness of database-driven websites by improving the memory caching system. Unfortunately, many of them have been deployed using a default insecure configuration, which has opened the door to DDoS attacks that use User Datagram Protocol (UDP) packets amplified by these servers — by as much as 51,200x. That in turn means that malefactors can use fewer resources. For example, they can send out only a small amount of traffic (around 200 Mbps) and still end up with a massive attack.
The good news is that even as the peaks get larger, volumetric attacks are quickly dealt with.
“These are big and obvious and relatively easy to mitigate,” said Chong. “Blocking Memcached attacks is as simple as doing ISP filtering and blocking the signature – it just goes away. So, it’s not as scary as it seems.”
However, criminals are almost certainly looking for the next major reflector source.
“Expect a huge attack, then the good guys to come in and shut some of those resources down on) the bad guys,” said Martin McKeay, global security advocate at Akamai. “This is cyclical. We saw it happen with NTP, DNS and now Memcached, and it will happen again.”
He added that the implications of being able to reach such dizzying attack heights could be profound going forward.
“The undersea cable between Europe and the U.S. is 3.2 terabits,” said McKeay. “If you try to send that amount of traffic through that pipe, you’re going to gum up the works for a very long time, for a lot of companies. A lot of countries don’t even have 1.3 terabits coming in in total, so we’re starting to look at attacks that can take whole countries offline for a good amount of time.”
This kind of doomsday scenario is not without precedent: In 2016, a Mirai botnet variant known as Botnet 14 spent seven days continually attacking the west African nation of Liberia, flooding the two companies that co-own the only fiber going into the country with 600 Gbps flows – easily overwhelming the fiber’s capacity and knocking the country offline.
While big, splashy volumetric attacks make headlines, the reality is that smaller, more sophisticated attacks are perhaps the greater concern.
“DDoS has historically been pretty unsophisticated – it doesn’t require a closed-loop response where you steal data and need to get it back to you,” said Sean Newman, director of product management at Corero Network Security. “Typically, you just send out the traffic to a pipe with the goal of filling it up. But, what we’ve seen recently is that those very large unsophisticated attacks [now] represent a small proportion of the [campaigns] that go on. Across all the DDoS efforts that we see, the majority, just over 70 percent, are [now] less than 1 GB in size. And that’s because the attackers are moving away from using simplistic brute force, to using more sophisticated techniques. Modern DDoS toolkits can launch both infrastructure-based (i.e., volumetric) and application-based payloads; application-layer attacks in particular are sneakier and can be very targeted, researchers said.
Rather than just look to overwhelm a company’s broadband connection or DNS infrastructure, as was the norm in the past, application-layer attacks focus on one aspect of the target’s communications, such as, say, a VoIP server. These look to exhaust specific server resources by monopolizing processes and transactions.
“Attacks use just enough traffic to be successful,” Chong explained. “Most of the enterprises out there in the market have around 100 Mbps of bandwidth coming into their location, so you don’t need a 1-terabit attack to be effective. These are small, specially crafted campaigns where threat actors first examine where a service is hosted, such as a data center, in the cloud or at a hosting provider – and then they launch a small attack that just overwhelms the limits of the target’s bandwidth. This approach is much more precise and effective, requires fewer resources, and often flies under the radar because the bad traffic’s volume is close in size to the normal traffic going into that enterprise.”
An example of this is the attacks mounted during protests in the wake of the 2009 Iranian presidential election. That’s when several high-impact and relatively low bandwidth efforts were launched against Iranian government-run sites. Since then, the method has gained popularity. Meanwhile, the large, “big-bang” efforts that still make up 30 percent of the campaigns seen in the wild are sometimes used as a distraction, Chong added, acting as a smokescreen to mask other activities, such as a data exfiltration effort. F5 for example noted last year that almost 50 percent of attacks fell into this category.
To carry this out, higher-end threat actors can use partial link saturation, designed to leave just enough bandwidth available for a secondary attack. In this scenario, a distracting DDoS attack consumes resources in enough security layers to allow a targeted malware attack through. Often the IT staff is so busy dealing with the DDoS attack, which causes damage to revenue and reputation on its own, to notice that another intrusion is taking place through other channels.
While both volumes and sophistication are on the rise, the impact of DDoS botnets that are built from tens of thousands of compromised internet-of-things (IoT) devices remains perhaps the biggest story in this particular crime sector, representing a rapidly expanding threat surface.
“The explosion of IoT devices is an attack vector that’s going to be around and of interest for a long while,” said Newman. “Consumers and businesses are buying these devices for the coolness factor and the ability to automate your life. And vendors are much more incentivized to get the latest thing to market ASAP instead of spending time on security.”
Elias Bou-Harb, research assistant professor at Florida Atlantic University and a cyber-threat researcher, added: “While the focus was on functionality and accessibility, security is and continue to be an afterthought. Vendors should be vigilant about this and emphasize security in their design, early on. This is especially factual if those IoT devices are deployed and being operated in critical infrastructure.”Meanwhile, for many consumer and business IoT users, security remains low on the list of concerns, making for little pressure on vendors to clean up their act. That’s because owners of compromised IoT devices rarely end up feeling like victims, Newman added.
“The small amount of traffic being requested from each device may be only 1 megabit each, and you’re unlikely to feel that on your home network in terms of performance degradation,” Newman explained. For that reason, IoT botnets continue to be responsible for widespread infections, which can be easily marshalled for DDoS attacks.
“IoT is kind of the sweet spot for DDoS botnets, because these devices are prevalent, but no one really controls them – they’re almost unmanaged,” said Jeremy Kennelly, manager of threat intelligence analysis at FireEye. “Cameras and routers and things are just left out there, not being updated, and meanwhile the non-expert population gets used to what they think are just glitches – they don’t think they might be compromised.”
While Mirai kicked off the era of the IoT botnet on 2016, two of the latest events on the bot scene include the rise of the Satori botnet, which infected more than 100,000 internet-connected D-Link routers in just 12 hours, and the VPNFilter IoT botnet, which infected almost a million consumer-grade internet routers (i.e., Linksys, MikroTik, Netgear, and TP-Link) in more than 50 countries in a very short amount of time. VPNFilter is particularly nasty, capable of DDoS as well as delivering malware and stealing data.
Others meanwhile are appearing all the time.
“Very recently, June 18-June 22, we tracked a botnet (which was never reported before) composed of more than 50,000 IoT bots, distributed over 170 countries and hosted in more than 30 business sectors,” said Bou-Harb. “We are seeing excessive IoT exploitations targeting home and business routers, storage devices, cameras, voice over IP phones and more.”
Bot herders are also in a race to expand their IoT infrastructure – something that’s all too easy. IoT botnets are either built through simplistic compromises involving common, hard-coded, default passwords for devices that are easy to search for on the internet; or via the exploit of known vulnerabilities.
“The recent compromise of GPON home routers came down to a couple of specific vulnerabilities in the code that were never patched,” Newman said.
Code-reuse is also rife in IoT devices, meaning that putting effort into exploiting vulnerabilities can be a valuable vector with a lot of payoff. The Satori botnet for example was created by exploiting a known buffer overflow technique in generic code, Newman added.
Beyond existing IoT, the actors behind botnets are always looking to also commandeer new classes of devices from which to carry out attacks. In the future, things such as sensor networks or devices for smart-city applications could vastly expand the attack infrastructure.
“We haven’t seen the peak of what IoT botnets are capable of yet, and you can be sure there are more pools of resources out there to be found,” McKeay. “For instance, we’re not monitoring IPv6 as closely as we should – and I wouldn’t be surprised if there’s something lurking there that can be harnessed for this.”
All of the bad actors’ frenetic expansion activity is driven by basic market economics. “We continue to see competition for the infrastructure,” said Kennelly. “That’s one of the reasons that the peak sizes for DDoS are decreasing. The bad guys are all competing for the same set of resources. As members of the community trade tips and exploit code, certain botnets become more popularized, and they start competing for access to it. As the resources are consumed, peak sizes level out.”
DDoS is traditionally seen as a tool used by politically and religiously motivated hacktivists to make a point. However, DDoS intentions are evolving, particularly with the advent of DDoS-as-a-service. Put simply, IoT botnets have paved the way for a new generation of cheap on-demand services. These dramatically lower the barriers to entry for attackers by eliminating the requirement to have technical knowledge to carry out an offensive.
“Anyone with a PayPal account can make a quick purchase on a WebStresser-like site,” said McKeay. “You could be a 12-year-old that saw a tutorial on a YouTube channel – there’s not a huge amount of technical skills needed to DDoS someone.”
This low bar to entry has given rise to new actors with new kinds of motivations behind attacks. For instance, as with most things in cybercrime, there’s an emerging financial aspect to attacks thanks to the fantastic ROI that some campaigns can offer.
“We are starting to see ransom-driven attacks shifting to DDoS,” explained Newman. “For $10 an hour you can cause enough damage to take a website down. So, you craft a few ransom emails from an anonymous account and ask for Bitcoin in exchange for sparing the target a DDoS attack. You have nothing to lose, really. In the likelihood you get a good hit rate – say one in 1,000, even one in 10,000 – you can be making good money as an individual on the back of that.”
Some DDoS-as-a-service providers even have a “try before you buy” function. As a consequence, person-to-person attacks are also on the rise.
“Many of these are gaming attacks,” explained Darren Anstee, CTO NETSCOUT Arbor. “If I’m a serious player of game X and I want to slow down gameplay for opponents, it’s easy to launch a small, short-lived attack for no money. A lot of people will use it for a social-media beef or gaming issue, or really any personal slight.”
Winning Poker Network CEO Phil Nagy for instance in September 2017 said that his site was hit with a series of 26 separate DDoS attacks over three days – he said they were being carried out by a rival poker room. However, on the other end of the spectrum adaptive adversaries have appeared. Those type bad guys are capable of turning a DDoS attack into something akin to a game of chess.
“In a recent campaign we looked at incoming traffic and identified unique strings and started blocking it – but then we saw the attacker to change the type of traffic, or change the strings, essentially adapting to the defenses,” said McKeay. “The attackers finally started hitting the DNS server—and if you take that offline then you’ve taken the company offline.”
The level of sophistication indicated a different type of opponent as well.
“Reflection tactics and botnets make attribution almost impossible,” McKeay said. “But someone modifying code and traffic on the fly like that is probably organized crime or a nation-state actor, demonstrating training and skills that aren’t everyday things in the DDoS world. They’re doing stuff with the code and reconfiguring tools as time goes by—across a multi-day project.”
That’s not to say that hacktivism doesn’t still play an important role in fomenting DDoS. NETSCOUT Arbor’s 2017 Worldwide Infrastructure Security Report showed that vandalism together with political and ideological disputes were among the top three motivators of DDoS attacks.
In the build up to Mexico’s presidential elections, for instance, the website of the country’s National Action Party was hit by DDoS after it published documents critical of the leading candidate. NETSCOUT Arbor saw more than 300 attacks per day in Mexico during the period of June 12 and 13, which was 50 percent higher than the normal frequency in the country.
Whether we discuss tactics, motivation or sheer capability, the DDoS threat landscape is becoming more sophisticated and varied over time. And, thanks to the rise of the IoT botnet phenomenon, it’s not an area that’s shrinking in terms of the dangers it poses to both businesses and consumers. The good news is that effective mitigations exist, from basic security awareness on the part of consumers (i.e., change those default passwords), to higher-end traffic inspection and in-stream cleaning functions for enterprises; better collaboration between researchers and law enforcement and the emergence of ISPs getting into the filtering act are also helping.