The rise of DDoS

11 March 2022

DDoS is not a new form of cybercrime, but it’s hammering networks harder than ever. Robert Shepherd asks why this is and how it can be contained.

It’s difficult to close an edition of this magazine without reporting that a cyberattack recently took place somewhere. Just leaf through the first few pages of this one and you’ll see what I mean.

Of course, depending on who you speak to, there are several reasons why cyberattacks, cybercrime, hacking – whichever term you so choose – are becoming more prominent.

However, one form of cybercrime that, perhaps, hasn’t featured as prominently or frequently as some of its more high-profile cousins is the distributed denial-of-service (DDoS) attack. A subclass of denial-of-service (DoS) attacks, a DDoS attack is, quite simply, a cyberattack in which the bad actor seeks to make a machine or network resource unavailable to its users by disrupting the services of a host connected to a network.

One reason for that is they are not new: they have been around for at least 10 years and they happen all the time. So, to report one happening – unless it was unique – wouldn’t add much value.

However, since 2021, the rate at which DDoS attacks are launched has soared to heights never seen before.

Richard Hummel, ASERT threat intelligence lead at Netscout, says cyberattack activity has been increasing and evolving in recent years and that “a catalyst for this is the mass adoption of hybrid and remote work models” due to the continued Covid-19 lockdown restrictions and work-from-home orders over the past 18 months. “To cause maximum disruption at a time of great upheaval around the world, cybercriminals have launched DDoS attacks to intentionally overwhelm online services to the point of crashing,” he adds. “And, in our interconnected world, many of these attacks have had a domino effect on global supply chains, making them a dangerous threat to worldwide industries.”

Netscout’s recently published Threat Intelligence Report reveals 5.4 million DDoS attacks were reported in the first half of 2021, representing an 11% increase from the year before – which was already a record-breaking year for DDoS attacks.

When it comes to the reasons behind the surge in DDoS attacks, Hummel argues that it can be attributed to several factors. “Firstly, during lockdown restrictions, online infrastructure became more important than ever for keeping dispersed workforces connected and businesses in operation,” he adds. “A surge in online activity is an opportunity to launch damaging attacks. Taking full advantage, cybercriminals adapted their attack methods and targets.”

This can be seen with the internet publishing and broadcasting sector, inhabited by services such as Zoom, Microsoft Teams and other video conferencing applications, which have been crucial to continuing business meetings, online learning, and connecting with loved ones. For the first time, this sector became one of the top ten most attacked industries in 2020 and was among the top five most targeted industries in the first half of 2021.

Another factor is that many internet users are no longer safeguarded against cyberattacks by enterprise-grade security systems when working remotely. Threat actors have exploited these vulnerabilities, which has led to more incidents like the Lazarus Bear Armada DDoS extortion attacks, which targeted Virtual Private Network (VPN) concentrators. What’s more, attackers are generally now capable of disrupting an entire business instead of the 10-20 per cent of the workforce which was the focus prior to the introduction of the lockdown measures and work-from-home orders.

Mattias Fridström, chief evangelist at Arelion (formerly Telia Carrier), concurs. “As more and more businesses are dependent on a working network, unfortunately hackers see new ways of threatening resource owners and thereby ask for ransom money to unlock systems or stop attacks,” he says. “With an increased value of the online business, the grade of sophistication is following along.”

Sean Newman, vice president, product management, Corero Network Security, explains how the increased sophistication is linked to the fact that “the cyber landscape as a whole has long since moved from hacking with mischievous and publicity intent”, to organised cybercrime focused on financial gain.

“And DDoS is no exception, with attack motives shifting from traditional religious, political or moral grounds to being more financially motivated, with DDoS for ransom experiencing a significant rise over recent years,” he says. “By its very nature, DDoS is open loop – attacks are launched from across the internet, with no return traffic to the perpetrator, as is the case with data breach attacks. This means the original attack source is extremely difficult, or impossible, to trace in most cases, making DDoS an ideal tool for someone with criminal intent. The promise of healthy ransom demand payments, with relative impunity, has helped to drive the increase in attack numbers to another level.”

However, there are some who argue it isn’t necessarily so that the bad actors have become more sophisticated. One of those is Chris Buijs, EMEA field chief technology officer and senior product manager for emerging products at NS1, who says DDoS attackers are usually motivated by creating the biggest disruption and reputational damage they can, or by extrapolating data. “In our experience it is not becoming more sophisticated particularly, but there are more tools and they are easier to access,” he adds. “The move to the cloud and proliferation of digital devices also allows attacks to be launched from multiple vectors to amplify the magnitude, which makes them more effective.”

Newman adds that with a financial gain at stake, attackers are motivated to increase their efforts to ensure their attacks can successfully impact their victims, which is driving the increasing sophistication. “Cybercriminals understand that their potential victims are increasingly deploying some level of DDoS protection, so they must work harder to develop new attack vectors which can bypass these defences, which is driving up the levels of sophistication employed,” he says.

What’s also alarming – worse in some ways – is the morphing demographic of the people behind these attacks.

Indeed, the cybercrime unit of the UK National Crime Agency (NCA) is ramping up a programme designed to educate children – yes, children – about the ramifications of DDoS attacks. That’s because kids as young as nine have been caught launching these attacks against their school networks. Not only is DDoS becoming more common, the perpetrators are getting younger.

So, we know DDoS attacks are becoming more common and sophisticated, as well as the fact they are being orchestrated by children of junior school age. However, where does this strain of cybercrime rank in terms of seriousness and potential severity?

Fridström says “it’s very difficult to compare” and that it depends very much on the attack itself. “A large overflow attack can bring down complete networks for hours if you are not protected enough,” he continues. “Our research from last year showed that the impact of these DDoS attacks can be dramatic for some businesses, with 11% of respondents saying that such an attack has posed a threat so serious that it could have undermined business continuity. A further 40% said that such an attack had a major impact, resulting in significant disruption and loss of business revenues.”

Enterprises have enough security concerns to deal with, but how does DDoS rank alongside its evil cousins?

Eva Abergel, security product lead at Radware, says that compared to other cyberattacks, such as malware, for example, the main threat associated with DDoS attacks is the loss of service availability, which occurs when a network slows down or is completely taken down. “While DDoS attacks don’t expose sensitive information, they can impact the SLAs between an organisation and its users as well as block legitimate users from accessing applications and services,” Abergel adds. “This can impact customer satisfaction, damage brand reputation, increase customer churn and lead to revenue loss. In addition, DDoS attacks are sometimes used as a smoke screen to hide other more targeted attacks. So, while an organisation is dealing with a DDoS attack or a ransom DDoS threat, the hackers are, in parallel, launching other invasive attacks to gain access to the company’s network, applications and sensitive data.”

Newman agrees that the seriousness of a DDoS attack depends on its target. “Used in isolation, they do not result in data breaches, which may lead some to believe they are not that serious compared to other cyberattacks,” he adds. “However, DDoS attacks cause significant disruption to Internet access and the applications, services, users, and customers that depend on it. DDoS reduces business continuity and can seriously impact revenues, reputation, customer satisfaction and loyalty, as well as employee productivity.”

Nevertheless, enterprises need to have safeguards in place to mitigate DDoS attacks should one or more be visited upon them. So, what are they?

“Companies can build resiliency, particularly to volumetric attacks, by ensuring they have a more distributed, always-on, redundant DNS in place,” says Buijs. “It allows a second DNS network using separate infrastructure to be deployed in the event of an attack compromising the primary DNS and allows traffic control to shift bad traffic away when needed. Network managers can also leverage AnyCast protocols. These enable DNS requests to be diverted to an available server to guard against the impact of an attack on resources, or due to cloud resource overload or CDN outages, of which there were many in 2021. They can also use their own real-time data about network conditions to dynamically load balance between resources in the event of traffic spikes due to a DDoS attack.”

As far as Andrew Fruish, director of Nene Cyber Security, is concerned, a basic defence that can be deployed is to make a plan, keep your systems patched, use a web application firewall (WAF), monitor your network and look for the signs. “(It’s key to) use large bandwidth capacity and server capacity to absorb and mitigate attacks,” he adds. “At the high-end, implement a multi CDN (content delivery network) or cloud-based solution.”

Abergel argues that basic tools simply block volumetric attacks: whenever the traffic to a certain server exceeds a predefined threshold, traffic is totally blocked so that nothing can access the destination. “This method will protect a server from going down, but only when basic attack tools are used and at the expense of service availability to legitimate users,” Abergel says.

High-end safeguards protect assets using a different approach. They use behavioral algorithms that can differentiate between legitimate and malicious traffic. When using algorithms, there is no need to wait for an attack to reach a certain volume before stopping it.

The behavioral capabilities analyse the traffic instantly and put the right signatures in place, so that all malicious traffic is blocked, while legitimate users still have access to the server. This method ensures constant service availability, a better user experience and revenue protection. Additionally, there are sophisticated attacks that only high-end safeguards can detect and mitigate. These include burst attacks, encrypted attacks, IoT botnets and DNS attacks.
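As an added illustration (not from the article or from any vendor named in it), the following Python simulation contrasts the two approaches Abergel describes: a fixed volumetric threshold that drops all traffic to a server once it is exceeded, and a behavioural baseline that drops only sources deviating from the rate learned during normal operation. The traffic, addresses, threshold and tolerance are all constructed for the example.

```python
from collections import Counter

# Constructed sample traffic: (second, source_ip, legit) for requests to one
# server. Ten legitimate clients send 3 requests/second throughout; from
# second 3 a constructed botnet of 50 sources sends 20 requests/second each.
# The `legit` flag is ground truth used only to score the two policies.
def build_sample_traffic():
    events = []
    for sec in range(6):
        for i in range(10):
            events += [(sec, f"198.51.100.{i}", True)] * 3
        if sec >= 3:
            for b in range(50):
                events += [(sec, f"203.0.113.{b}", False)] * 20
    return events

def summarise(decisions):
    """Count legitimate and attack requests that were passed or dropped."""
    counts = Counter()
    for legit, allowed in decisions:
        counts[("legit" if legit else "attack",
                "passed" if allowed else "dropped")] += 1
    return dict(counts)

def volumetric_threshold(events, threshold=500):
    """Basic mitigation: when total requests in a second exceed the threshold,
    every request in that second is dropped, legitimate ones included."""
    per_sec = Counter(sec for sec, _, _ in events)
    return summarise((legit, per_sec[sec] <= threshold)
                     for sec, _, legit in events)

def behavioural(events, learn_seconds=3, tolerance=3):
    """Behavioural mitigation: learn the highest per-source rate seen in a
    quiet learning window, then drop only sources exceeding it by `tolerance`x,
    so legitimate clients keep their access while the attack is blocked."""
    per_src_sec = Counter((sec, src) for sec, src, _ in events)
    baseline = max(n for (sec, _), n in per_src_sec.items()
                   if sec < learn_seconds)
    limit = baseline * tolerance
    return summarise((legit, per_src_sec[(sec, src)] <= limit)
                     for sec, src, legit in events)

if __name__ == "__main__":
    traffic = build_sample_traffic()
    print("threshold  :", volumetric_threshold(traffic))
    print("behavioural:", behavioural(traffic))
```

A production detector uses more than per-source rate (the burst and encrypted attacks mentioned above need other features), but the trade-off shown here is the same: the threshold policy drops every legitimate request during the attack seconds, while the baseline policy drops none.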

Does that mean that, in some cases, a ‘successful’ DDoS attack on an enterprise could be linked to complacency on the part of the network manager or senior members of the security team?

“The less user error your organisation demonstrates, the safer you’ll be, even if there’s an attack, but your organisation should also implement network resilience strategies such as more bandwidth or a cloud-based solution and have a response plan should an attack occur,” Fruish adds. “In the majority of cases it’s possible to defend against DDoS attacks by implementing the industry’s best current practices.”

Nevertheless, according to a number of security experts, companies really do need to get their own house in order. After all, to use a social analogy, if you leave your front door open, there’s more chance of you being burgled.

“There are still far too many unprotected servers and applications in the network that do not require an advanced DDoS attack to be taken down,” says Fridström. “With proper protection hackers would have to become much more intelligent than currently many of them are.”

Putting security measures in place to combat DDoS is an obvious requirement if you value your business, but as the perpetrators and techniques become more sophisticated, the landscape will constantly evolve. To that end, Hummel says organisations need to invest in a powerful and effective DDoS mitigation system. “This will defend their public-facing online infrastructure before an attack occurs, providing them with peace of mind if and when they become the target of a DDoS attack,” he adds. “Generally, damage from an attack is minimal to organisations that proactively secure their systems with strong DDoS protection.”

Hummel adds that businesses should also test their DDoS defence systems on a semi-regular basis. That’s because it ensures that any upgrades made to the online systems are incorporated into the overall DDoS defence plan. “As such, the entirety of an organisation’s online infrastructure will be well protected. When defending VPN concentrators, organisations should consider implementing an on-premises ‘stateless’ solution,” he continues. “The use of stateless packet processing technology, in addition to utilising an advanced defence solution at the perimeter of the network, will detect DDoS attacks instantly. This rapid detection means that the business will be notified of the attacks before any serious damage is done. While many countries’ social distancing measures have now ended, the vulnerabilities exposed from pandemic-driven remote working still remain.”

So, there you have it – DDoS isn’t going anywhere other than fast in the wrong direction as far as businesses are concerned. However, by implementing robust preventive measures, organisations will be in a much better position to defend themselves.