The DDoS Threat Landscape is Evolving, Are You Ready?

In 2020, cybersecurity vendor, Imperva, released a report that indicates a monumental increase in distributed denial of service (DDoS) activity. Their report specifically targets the financial services industry. Imperva monitored a 30% increase in DDoS attacks from Pre-Covid to Post-Covid.

The financial services industry is not alone in being targeted by threat actors. Amazon thwarted the largest ever DDoS cyber attack in February 2020, which featured over 2.3 Tbps of packets of data flooding their Amazon Web services division!

One year later, in February 2021, a popular VPN service was hijacked and abused by hackers to carry out DDoS attacks. There are many other DDoS attack stories both published and unpublished. The 11 biggest DDoS ransom cyber attacks of 2020 resulted in victims spending nearly $144 million for investigating, rebuilding networks, or paying ransoms.

The DDoS Threat Landscape is evolving at a record pace. So how can you be prepared for this risk in your business?

The DDoS situation continues to become more challenging for businesses. Threat actors are constantly evolving DDoS tactics, techniques, and procedures (TTPs). These counteract industry-wide mitigation efforts. The SecurityMetrics Threat Intelligence Center (TIC) continuously assesses its security paradigm and makes alterations in order to stay apprised of any new TTPs.

The sophistication and diversification of attack vectors led to a 50% jump in DDoS ransom attacks in the third quarter of 2020 versus 2019. The DDoS Protection industry is predicting an increase in demand for DDoS Protection Services and Software from 2020 - 2028. It’s important we take a moment to discuss the reasons why DDoS attacks are on the rise and how the future looks when trying to stop this type of attack on your business.

DDoS Background

The SecurityMetrics Threat Intelligence Center perceives distributed denial of service (DDoS) attacks as one of the more challenging and puzzling types of criminal activities. DDoS attackers thrive on causing havoc, disarray, and disruption of your network through a variety of vectors and methods. There are no less than 26 different types of DDoS attacks! It is no longer about wreaking havoc and disruption since some threat actors have now begun monetizing DDoS attacks in the form of DDoS ransom demands to get your network back online.

When threat actors launch DDoS attacks on your organization, they essentially slow your website or infrastructure to an absolute crawl. This results in slow website response times, dropped connections, failed payment card transactions, and employee “waiting/waisted time.” DDOS may also prevent customers from logging into your website which could motivate them to move on to a competitor. A great definition can be found here, which explains how distributed denial of service (DDoS) attacks operate.

DDoS Evolution & Greater Sophistication

What makes the DDoS situation even more challenging for our experts in the SecurityMetrics Threat Intelligence Center (TIC) is how threat actors are constantly evolving, changing, and improving their DDoS attack tactics, techniques and procedures (TTPs) to counteract industry wide mitigation efforts. The sophistication and diversification of attack vectors led to a 50% jump in DDoS ransom attacks in the third quarter of 2020 versus 2019.

Additionally, what is emerging now into 2021 is a retooling of DDoS attack vectors. The SecurityMetrics Security Operations Center is diving into our understanding of new tactics and techniques that are emerging with greater sophistication. One new DDoS attack vector was discovered in the Datagram Congestion Control Protocol (DCCP) which abuses the three-way handshake that occurs at the start of the DCCP connection. Another new DDoS attack vector that has emerged is DDoS-for-hire services actively abusing misconfigured or out-of-date Datagram Transport Layer Security (DTLS) servers to amplify their attacks.

Future Trends: DDoS Attacks are Increasing 2020 - 2028

Looking back on 2020, an odd trend occurred towards the back half of the year. Kaspersky Labs reported seeing an abnormally high number of DDoS from Q1 to Q2. Just in Q1 2020 alone, the number of DDoS attacks over 100 GBs in volume increased 776 percent as reported in the Cisco Annual Internet Report.

In Q3 2020, we actually saw some calm in the DDoS threat landscape as DDoS threats tapered off slightly. You may be wondering why there were fewer DDoS attacks globally in Q3 2020. Many industry experts, including the SecurityMetrics Threat Intelligence Center (TIC), feel this is most likely due to a global shift of more remote workers operating out of their home office versus using their business infrastructure.

Additionally, what is now emerging in 2021 is a retooling of DDoS attack vectors. The trend lines indicate more multi-vector DDoS attacks featuring quick succession, short duration, or repetitive tactics that attempt to evade any protection measures your business may have.

A major DDoS concern you should consider is mitigating sustained attacks that feature daily, low-level metric, low volume attacks that can go unnoticed or unreported by your internet service provider (ISP). 95% of all DDoS attacks are categorized as sub-5 Gbps attacks which your customers would find annoying if your website returned connection errors, your business server went offline or network resources were inaccessible. This is also being combined with an increase in major global Ransom Denial of Service campaigns featuring extortion based campaigns motivated by financial gain versus simply disrupting your network operations.

Should remote workers or small businesses be concerned?

Remote workers and small businesses may believe they have less to be concerned about, as these attacks frequently focus on larger enterprises. However, computers at these locations are still potentially vulnerable to becoming part of a botnet, and they may assist in an attack on another business. This is why it is increasingly important to train employees to avoid malicious websites, pay close attention to possible phishing emails, and keep their devices up to date with the latest security patches.

Endpoint protection that goes beyond just simple antivirus tools are also becoming essential.

The threat landscape is increasing for companies that have remote workers as well. VPNs may offer some protections; however, they may not stop a compromise from a home location from spreading through the company network. Consider talking to SecurityMetrics about how to protect your remote workers with our Pulse Protection.

DDoS Protection Best Practices

You have a few options to consider, including having DDoS conversations with your ISP. You may also want to consider bringing on a partner, such as SecurityMetrics, which has the capability to help with security assessments and Security Operations Center threat monitoring.

1. Develop your DDoS Defense Plan: Develop a proactive, strategic approach to review your business’s infrastructure to identify areas of weakness. At a minimum, you want to ensure your plan is not reactive.
   
   Defense plans should:
   • Prevent Denial of Service (DOS) Attacks: A condition caused by an excess of traffic intentionally sent from a single host to a victim host or application that is either unusable or unavailable to legitimate users.
   • Prevent Distributed Denial of Service (DDoS) Attacks: Where the victim is flooded with traffic from multiple sources, making it particularly difficult to stop. Traffic amounts can be over 1.5 Tbps.
2. Perform your own DDoS Security Risk Assessment: There are many FREE templates available to ensure you don't miss any area that may be vulnerable to DDoS or DoS attacks. At a minimum your risk assessment should include:
   • Have an updated list of assets: Be sure you have an updated list & inventory of all hardware, software, and devices that are directly connected or exposed to the internet
   • Have a list of IP addresses: Ensure you have a catalog of all strategically important, internet facing, (and non facing) exposed IP addresses. Be sure your IT staff knows what needs to be protected during an attack.
   • Assess your technical & operational DDoS strategy: This includes ensuring you have layered defense in depth IPS, firewall, VPN, anti-spam, content filtering, etc
   • Assess your ISP DDoS mitigation technologies: This includes examining your cloud based DDoS mitigation services, ISP DDoS tools and any always on solutions
3. Perform your own simulated DDoS / DoS attack: There are many FREE open source tools to help you in this journey to test your business. They include but are not limited to:
   • Hping3 is a Kali Linux open source packet crafting tool that allows you to set the type of packet you want to simulate (e.g., TCP, UDP, ICMP), as well as the speed at which you send them to test your network. It is an active network smashing tool that simulates DoS attacks specifically for the creation of HTTP GET and POST requests for web application attacks
   • HULK is an acronym for HTTP Unbearable Load King. HULK is a web server DoS tool which was created to help find easily observable patterns by hitting your server’s direct resource pool with a high volume of unique and obfuscated traffic. This makes it an easier task for testing your detection and mitigation efforts.
   • GoldenEye is another open source, HTTP DDoS attack testing tool. Although the tool is no longer maintained, it has a fervent community of supporters who use it for the HTTP Keep Alive + No Cache attack vector. This means you can send keep-alive packets to a given host that you want to test. This creates an illusion of a flood of active users connecting (and staying connected) to a targeted host.
4. Reassess your DDoS / DoS Response Plan: This area of focus includes ensuring your Incident Response team is identified with a list of internal and external contacts. You will want to have written and documented DDoS / DoS escalation, mitigation, and response policies, procedures, and playbooks. Be sure they are updated regularly as your environment, operations, or business changes.
   
   You also want to facilitate regular DDoS response events and table top exercises with the key players.
   

Takeaways

If you plan to implement multiple DDoS / DoS protection strategies, then consider doing them in parallel.

Typically, what the SecurityMetrics Security Operations Center sees is organizations have the best intentions on this DDoS journey, but as distractions occur, focus decreases. Things like DDoS assessments, DDoS testing, and table top exercises fall apart as the team lead gets pulled into their day-to-day responsibilities. This is why SecurityMetrics recommends taking on a partner or service provider to help ensure no areas of focus get left behind and a best effort is put forth by all involved.