What's new for DDOS attacks?

Date : November 07, 2021

It is regularly announced that a new record has been broken in DDOS attacks, either in volume (terabits per second, Tbps) or in the number of packets sent to the victim (millions of packets per second, Mpps). Since mid-2020 there has also been talk of Ransom-DDOS (RDDOS), i.e. blackmail of companies: a ransom is demanded to avoid a DDOS attack that would cut off their Internet access.

This article provides an update on DDOS attacks, by:

  • Recalling what is known historically about these attacks,
  • Looking at the reports published this year by several companies specialized in DDOS mitigation (Cloudflare, Netscout/Arbor, Radware) or by more generalist vendors (Kaspersky).

 

An attack within the reach of many actors

With the network speeds currently offered to consumers (fiber or 4G), it is easy to generate a significant volume of traffic during an attack. And anyone who takes control of a set of vulnerable computers, even a novice hacker, can probably build a personal botnet capable of disrupting a neighbour.

This has been true for a long time (as seen in the IRC wars of the 2000s), but the phenomenon has grown with the appearance of mega-botnets such as Mirai (2016), which infect Linux-based IoT devices exposed on the Internet.

The DDOS attack is probably the easiest attack to carry out, both psychologically (taking a site offline may seem less serious than breaking into it) and technically (the main difficulty is probably the fight between botnet owners to keep control of the infected devices). The attacker can either set up his own botnet or rent an existing one on the dark web, and for anyone with money to spend (for example bitcoins already earned from other illegal activities) the second option is clearly the easier one. As Cloudflare's figures later in the article show, a large proportion of DDOS attacks remain small and go unnoticed; they are probably infighting between rival groups on the Internet. But some of these attacks do cause larger outages.

 

What are the motivations of the attackers?

For a long time, some DDOS attacks have been financially motivated. In the 2000s (around 2005), for example, there were regular reports of DDOS attacks and extortion against online betting sites (in England, among other places).

Another historical motivation is political or ideological. In 2010, for example, Anonymous became known for spectacular DDOS attacks carried out in support of political causes.

Finally, "smokescreen" attacks are often mentioned: a DDOS launched to divert the defenders' attention while the main intrusion takes place.

 

What's new in 2021?

Vendor reports continue to indicate a regular increase in the number of DDOS attacks.

New attack techniques are discovered regularly (Kaspersky's reports cover them), but few of them seem to be integrated quickly into attack tools. According to the Cloudflare and Radware reports, the vast majority of attacks remain the classic ones:

  • HTTP DDOS (Layer 7 attacks), where the targeted website is overwhelmed by ordinary-looking requests. The MERIS botnet (discovered in September 2021) seems particularly effective in this area (see for example this article from TheRecord.media).
  • Network DDOS (Layer 3 and 4 attacks), where the attacker floods the target with well-known abnormal packets, such as a SYN flood, etc.
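Both classes can be recognised in ordinary telemetry by rate alone, which is also the principle behind the threshold-triggered scrubbing described in the protection section at the end of the article. The following Python is an added example, not code from the article or from any of the vendors it cites: a toy detector that flags a Layer 7 HTTP flood from web-server access-log lines (per source IP, and globally for the case where a botnet spreads the requests so that no single IP stands out) and a Layer 3/4 SYN flood from a list of observed TCP flags. All sample data is constructed, and the threshold values are arbitrary assumptions to be tuned against the site's real baseline.

```python
"""Added example: rate-based detection of the two classical DDOS classes
(Layer 7 HTTP flood, Layer 3/4 SYN flood) over constructed sample data.
Illustrative code only, not the tooling of any vendor named in the article."""
import re
from collections import Counter
from datetime import datetime

# Apache/Nginx Common Log Format; only the fields we need are captured.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_clf(line):
    """Return (unix_ts, client_ip, request_line) or None for an unparseable line."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return int(ts.timestamp()), m.group("ip"), m.group("req")


def http_flood(lines, window_s=10, per_ip_limit=20, total_limit=40):
    """Fixed-window request counting (thresholds are assumptions).

    Returns (offending_ips, windows_over_total_limit). The per-IP rule catches a
    single noisy client; the total rule is needed because a botnet spreads the
    requests so that no single source trips the per-IP threshold.
    """
    per_ip = Counter()      # (window, ip) -> requests
    per_window = Counter()  # window -> requests
    for line in lines:
        parsed = parse_clf(line)
        if parsed is None:
            continue
        ts, ip, _ = parsed
        w = ts // window_s
        per_ip[(w, ip)] += 1
        per_window[w] += 1
    offenders = sorted({ip for (w, ip), n in per_ip.items() if n > per_ip_limit})
    hot_windows = sorted(w for w, n in per_window.items() if n > total_limit)
    return offenders, hot_windows


def syn_flood(packets, min_syns=10, max_completion=0.2):
    """packets: iterable of (dst_ip, dst_port, tcp_flags) as a sniffer reports them
    (tcpdump-style letters: 'S' = SYN, 'A' = ACK, 'SA' = SYN-ACK).

    A SYN flood shows many SYNs per destination but few handshakes completing,
    so pure-SYN segments are compared with the client's third-step ACK (ACK set,
    SYN not set); the server's SYN-ACK matches neither branch. Returns the
    destinations whose completion ratio is below max_completion.
    """
    syns, acks = Counter(), Counter()
    for dst, port, flags in packets:
        flags = set(flags)
        if "S" in flags and "A" not in flags:
            syns[(dst, port)] += 1
        elif "A" in flags and "S" not in flags:
            acks[(dst, port)] += 1
    flooded = [key for key, n in syns.items()
               if n >= min_syns and acks[key] / n < max_completion]
    return sorted(flooded)


# --- constructed sample inputs (not captured traffic) -------------------------
def _clf(ip, sec, path):
    return f'{ip} - - [07/Nov/2021:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'


SAMPLE_LOG = (
    [_clf("203.0.113.10", s, "/") for s in range(3)]                    # normal client
    + [_clf("203.0.113.11", s, "/login") for s in range(3)]             # normal client
    + [_clf("198.51.100.7", s % 10, "/search?q=x") for s in range(25)]  # single flooder
    # 45 bots, one request each, in the next window: no IP exceeds per_ip_limit,
    # only the window total gives the attack away
    + [_clf(f"192.0.2.{i}", 15, "/") for i in range(1, 46)]
)

SAMPLE_PACKETS = (
    [("10.0.0.5", 443, "S")] * 50 + [("10.0.0.5", 443, "A")] * 2   # flooded service
    + [("10.0.0.6", 443, "S")] * 5 + [("10.0.0.6", 443, "A")] * 5  # healthy service
)

if __name__ == "__main__":
    print("HTTP flood:", http_flood(SAMPLE_LOG))
    print("SYN flood :", syn_flood(SAMPLE_PACKETS))
```

Run on the constructed data, the per-IP rule names only 198.51.100.7, while the 45-bot burst is invisible to it and is caught only by the window total; the SYN check flags 10.0.0.5 (50 SYNs, 2 completed handshakes) and leaves 10.0.0.6 alone. Two practical caveats: detection of this kind tells you that you are under attack, not how to absorb it, and a volumetric attack that saturates the uplink has to be filtered upstream by the provider, which is why the on-demand and continuous cloud protections described later exist.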

In terms of volume, the records reported by Netscout/Arbor for H1 2021 are:

  • Packet rate: 675 Mpps (million packets per second)
  • Bandwidth: 1.5 Tbps (terabits per second)

Cloudflare's report for Q3 2021 gives some interesting figures:

  • Mirai-based botnets have exceeded 1 Tbps several times
  • By bandwidth, 95% of attacks are below 500 Mbps, and only 0.5% exceed 10 Gbps
  • By packet rate, 89% of attacks are below 50 kpps, and only 0.5% exceed 10 Mpps
  • By duration, 94% of attacks last less than an hour, and 0.45% last more than 6 hours

 

Ransom DDOS (also known as R-DDOS)

These R-DDOS attacks appeared in September 2020, particularly in France, and we listed them among the major events of 2020 (see our annual review).

They consist in threatening a company that a DDOS attack will be launched unless a ransom is paid. The threat is accompanied by a demonstration attack showing the victim that it is real. Attackers have often posed as infamous groups such as Lazarus or (more recently) REvil. To our knowledge, these attacks have had little success: if the victim does not pay (or does not respond), the attacker usually moves on to another target after a few hours of DDOS disruption.

All the reports we read mention these attacks (Cloudflare devotes a specific section to them) and indicate that they continued throughout 2021. In its latest report, Cloudflare notes that operators' VoIP services were particularly targeted by such attacks (against SIP infrastructure) in Q3 2021.

 

Conclusions

DDOS remains a very present threat. Whereas the ransom attacks of the 2000s targeted online gambling sites, DDOS attacks can now target any business, since all businesses increasingly depend on their Internet connectivity (cloud services, teleworking). Clearly, the more a company's activity depends on the Internet, the more harmful these attacks are, and such companies generally set up On-demand or Permanent protections (described below). Other companies probably rely on simple On-premise protection and wait for an actual crisis before switching to something stronger. In any case, it is important not to pay the ransom:

  • Some groups send threats but never go on the attack,
  • others abandon their attacks after a few hours.

 

Netscout explains that the elements a company must protect are:

  • DNS servers (if the authoritative DNS is unavailable, all of the company's servers become unreachable by name)
  • VPN servers (used for example for teleworking)
  • Servers exposed on the Internet.

In terms of protection, 3 levels are generally offered:

  • On-premise protection: mitigation equipment is placed in front of the protected company's network. Its capacity is bounded by the company's own Internet link, so an attack large enough to saturate that link cannot be stopped at this level.
  • On-demand Cloud protection: when an attack occurs, traffic destined for the company is redirected to the DDOS mitigation provider, which filters it and delivers the cleaned traffic to the company.
  • Continuous Cloud protection: traffic scrubbing is performed permanently, or is triggered automatically when certain traffic thresholds are reached.

 
