By Richard Hummel, Threat Intelligence Lead, NETSCOUTy
In March 2018, a massive Distributed Denial of Service (DDoS) disrupted service for the developer platform GitHub. The attack, which lasted for approximately 20 minutes, was the largest on record.
It was also a milestone. At roughly 1.2 terabits for second, it formally inaugurated the era of terabit-class attacks, roughly the equivalent of 25 or 30 high definition movies every second. It was followed one week later by another attack, a 1.7 Tbps assault at a U.S.-based service provider.
DDoS attacks flood targeted networks with requests for traffic that overwhelm the system and cause outages. Attackers had been, for years, setting new records in the volume of traffic they could send. Still, in the years leading up to the attack, there were some that debated whether an attack of that size was even feasible given certain technical limitations.
Now, just three years later, terabit-class attacks occur nearly every month. Recently, a major international enterprise software provider said that it had mitigated a 2.4 Tbps attack.
The good news is that organizations with up-to-date DDoS defenses and sufficient mitigation capacity can maintain availability in the face of these extremely large attacks. But, that doesn’t mean enterprises can ignore the risk of massive DDoS attacks. Cybercriminals continue to innovate in this field by combining volumetric DDoS attacks with other threats, such as ransomware; or by deploying multi-vector attacks that drastically increase complexity for defenders.
The New Normal
Several factors have converged to drive terabit-class attacks. Attackers continue to build massive botnets, the armies of infected devices that can direct malicious traffic at targeted systems. Meanwhile, IoT devices, which too often have lax cybersecurity standards, have only increased the number of devices available to compromise.
A second factor is the continued development of reflection amplification attacks. Think of it this way: in most DDoS attacks, a targeted system is flooded with requests for information that initiate a response. In a reflection attack, attackers disguise the origin of the attack traffic to make it appear that it is coming from the targeted network or device. In other words, the attack tricks the targeted system into sending the response back to itself. But the size of the request for information and the response are not always symmetrical. For some internet-based services, a request for information initiates a response that is far larger in proportion. By targeting these services, attackers can significantly amplify the size of their attack.
A reflection amplification attack both magnifies the amount of malicious traffic an attacker can generate, and obscures its source. In the first half of 2021 alone, threat actors weaponized at least seven new reflection and amplification vectors. The deployment of this new tactic ignited an explosion of new attack modes. Along those lines, the number of vectors used in multivector DDoS attacks has soared, with a record-setting 31 attack vectors deployed in a single attack against one German organization.
That’s the type of attack launched against GitHub. Known as a memcached attack. Open source and free, Memcached is a high-performance, distributed memory caching system designed to optimize dynamic web applications. The amplification capabilities of Memcached servers is so great that if you send a single request, that request could send back more than 50,000 responses.
Mixing Tactics, Vectors, and Targets
Large attacks are relatively easy to identify by automated defenses. But that has value in itself to attackers. A large DDoS campaign may, for example, provide cover for another attack, and threat actors can adapt their tactics to overcome defenses when volume alone does not suffice (though, to be clear, a big attack still causes many problems).
An emerging trend has been the development of adaptive attack techniques designed to evade traditional defenses. These types of attacks require extensive pre-attack research and reconnaissance to identify vulnerabilities. The result, however, is an attack perfectly calibrated to overcome an organization’s defenses. Furthermore, attackers don’t always need to attack an organization itself to cause damage. In many cases, DDoS attacks can target service providers, including DNS servers, VPN concentrators to inflict collateral damage.
Defending Against Terabit-Class Attacks
Overall, the first half of 2021 saw a staggering 11 million DDoS attacks. It’s not a matter of if a company will find themselves in the crosshairs of a DDoS attack, it’s a matter of when. The pandemic, and its accompanying shift toward more digital services for consumers and businesses, has expanded the threat surface. Businesses are more reliant on digital services to reach their customers than ever before, driving an even greater need for adequate defenses.
The first step in protecting an organization is taking a good, hard look in the mirror. The shifting dynamics of the workplace brought massive changes. Businesses should conduct frequent evaluations to stay ahead of new threats, and assessments of whether DDoS mitigation capacity continues to be adequate.
Companies should also have conversations with their third-party suppliers on which they rely for connectivity, including ISPs and VPN concentrators to ensure they have adequate mitigation capacity. Running next-generation security tools that leverage packet data can provide insights into possible incursions and changes to networks and infrastructure, offering early alerts to security and network operations teams.
Despite being one of the oldest known forms of cyber attack, DDoS remains a pervasive threat. Terabit-class attacks are unfortunately inching closer to the mainstream, but even worse, they are just one tool in the attackers’ arsenal as they continue to innovate new vectors and attack methods. Hence it is more imperative than ever before that defenders and security professionals remain vigilant to protect the critical infrastructure that connects and enables the modern world.
About the Author
Richard Hummel has over a dozen years of experience in the intelligence field and is currently the Threat Intelligence Research Lead for NETSCOUT’s ASERT Research Team. Previously, he served as Manager and Principal Analyst on the FireEye iSIGHT Intelligence’s Financial Gain team. He began his career as a Signals Intelligence Analyst with the United States Army. During the course of his service he became certified in Digital Network Intelligence and supported multiple operations overseas including a deployment to Iraq.
After departing from the Army as an enlisted soldier, he began contracting work as a Computer Network Operations analyst in support of the Army. During his tenure as a contractor, he developed many methods and procedures for conducting Cyber Discovery and trained analysts at Army INSCOM HQ’s. At FireEye iSIGHT Intelligence, he led a team of technical analysts in the tracking, reporting, and analysis of various cyber crime related malware families.
Richard can be reached online at www.netscout.com