Though distributed denial of service attacks have been around more than two decades, recently we have seen a spate of DDoS attacks that have increased in complexity and variability. Both the size and frequency of DDoS attacks have gone up, and criminals use these sophisticated attacks to target sensitive data, not just to disrupt businesses. Some recent attacks have exceeded 1 Tbps while the average DDoS attack peaked at 14.1 Gbps in the first quarter of 2017, according to Verisign’s DDoS trends report.
The largest volumetric and highest intensity DDoS attack observed by Verisign in Q1 2017 was a multi-vector attack that peaked over 120 Gbps and around 90 Million packets per second (Mpps). This attack sent a flood of traffic to the targeted network inexcess of 60 Gbps for more than 15 hours.
In a new report, Imperva warns about a new type of ferocious DDoS attack that uses ‘pulse waves’ to hit multiple targets. “Comprising a series of short-lived bursts occurring in clockwork-like succession, pulse wave assaults accounted for some of the most ferocious DDoS attacks we mitigated in the second quarter of 2017. In the most extreme cases, they lasted for days at a time and scaled as high as 350 gigabits per second (Gbps). We believe these represent a new attack tactic, designed to double the botnet’s output and exploit soft spots in traditional mitigation solutions,“ says Robert Hamilton, director, Imperva.
“DDoS attacks are rarely complex. They are the result of a volumetric based attack which results in a platform, application or service being rendered unavailable for the user. The biggest changes we have seen through evolution over the last few years are mostly within the amount of bandwidth attackers have at their disposal. This is due to the amount of more interconnected devices we now have on the Internet. We have three main types of DDoS attack, one is a volumetric, which accounts for most DDoS attacks, secondly we have application and lastly protocol level attacks,” says Warren Mercer, security researcher at Cisco Talos.
Ransom is another growing trend in DDoS. “Ransom related attacks seem to be a trending issue as of late. Too many organisations are paying out these ransom requests, in an effort to remove themselves from the cross hairs of a DDoS attack – this behaviour likely causes an increase in ransom attack activity. Besides the financial loss that a company may experience by paying the ransom, companies must consider that they will still be subject to a DDoS attack even after the ransom has been paid,” says Stephanie Weagle, VP, Corero.
What do you do if you are a CISO dealing with massive DDoS attack? What are your tips for CISOs dealing with massive DDoS attacks? “First thing would be to make sure the network is well prepared for such attacks. Making sure that there are protections and processes in place is critical. It’s also important to remember that the DDoS attack might not be the actual attack but just a distraction,” says Kalle Bjorn, director-systems engineering, Fortinet.
Mohammed Al Moneer, regional director, A10 Networks, says the challenge for defenders is to distinguish good and bad behaviour largely by analysing the instrumented data available from server logs and traffic behaviour reported from networking tools. In effect, threat hunting is the act of finding a needle in a haystack of logs and flow data. Unlike the stealth required for dropping malware or stealing data, DDoS is loud and does not hide in the shadows.
Alaa Hadi, regional director, Arbor Networks, says these very large attacks must be mitigated in the cloud, as close to the source as possible. I would also caution CISOs that to have cloud protection is only a partial defence against modern DDoS attacks. They also target applications and infrastructure, like firewalls, with low and slow attacks that cannot be detected in the cloud. The place to protect against these attacks is on-premise, with a tight connection to the cloud, as a means of providing mitigation support for large attacks. Only with this multi-layer, hybrid approach is a business fully protected from DDoS attacks.
Another alarming trend in DDoS has been the rise of DDoS attacks using IoT devices, as we have seen in the case of Mirai botnet, which infected tens of millions of connected devices.
“IoT can have positive implications across several core industries such as manufacturing, retail, transportation, and healthcare. However, it’s important to bear in mind that a higher number of connected devices translates to more points of entry for attackers to penetrate. Criminals can leverage these end points to steal confidential information from businesses, distribute malware, or takeover the capacity and network bandwidth of connected ‘things’ to carry out massive strikes. The necessary tools and best practices to mitigate such threats are well-known and available in the application security field,” says Hadi Jaafarawi, managing director, Qualys Middle East.
Bjorn from Fortinet adds compromised IoT devices are a massive potential traffic generator source for attackers. Securing the organisations own systems would prevent them from being used in attacks against others. Manufacturers should also work actively to ensure their own devices are fixed when vulnerabilities are found, unfortunately there are multiple IoT devices on the market that cannot be even upgraded, this means that the security will lie on the network where the devices connect to.