During the pandemic, Distributed Denial-of-Service (DDoS) attacks have risen in frequency and adapted to take advantage of a rise in home working, leading to costly downtime and revenue loss. Ashley Stephenson, CTO for Corero Network, examines the current situation and how to fight back.
Although Distributed Denial-of-Service (DDoS) attacks have been around for over 20 years, the concept has evolved in that time and it’s worth defining the problem space. A DDoS attack occurs when multiple systems are used to overwhelm the available bandwidth or resources of a network, application, service, or other targeted system. This overloading can cause the victim to offer a severely degraded service, or even fail completely.
While traditional DDoS focused on high volumes of bits per second to flood the network, today’s attacks use new, more sophisticated, techniques, often employing multiple attack vectors at the same time to evade legacy DDoS protection. Such attacks can result in costly downtime, lost revenue and reputation damage to organisations that rely on the Internet to do business.
Multi-vector threat
DDoS attack tactics are incredibly varied. These include massive strikes such as the 2016 assault against Domain Name Service Provider Dyn that shut down around a dozen major Internet platforms and services including Twitter, Spotify, Basecamp, Comcast, Reddit, Netflix and others that were made unavailable to millions of users in Europe and North America.
Other variants include DDoS attacks used to extract a ransom. In 2017, a UK citizen was arrested for targeting Lloyds and Barclays banks with a Mirai-powered DDoS extortion campaign. In April 2020, another UK suspect was linked with an alleged attack on seven UK banking organisations. In this case, the service used to launch the alleged attacks, WebStresser, was also successfully taken down, with its servers seized and seven individuals across Europe and North America, who were suspected of operating the service, were arrested.
However, the more insidious DDoS events are smaller attacks that do not steal as much bandwidth on their own but generate an impact due to the increased frequency or entropy of the DDoS packets hitting the network and can be costly in terms of network infrastructure downtime and maintenance. Many organisations assume that their providers are already protecting them from such attacks.
However, unless specified, most ISPs do not run protection at a per-customer level and these high intensity, short duration assaults can easily take down a company’s firewall in a matter of seconds, either blocking the flow of legitimate traffic or, possibly worse, leaving the network unprotected from infiltration, mapping, malware, or stealing of sensitive data.
COVID evolution
The pandemic has seen a shift in DDoS attack behaviour. Data from the 2020 Corero DDoS Threat Intelligence Report shows a significant increase in attacks over 10Gbps. However, as consistently reported, the vast majority (98%) of mitigated DDoS attacks are still less than 10Gbps in volume that are more difficult to detect and mitigate with manual and legacy systems. Even firewalls that claim to have built-in anti-DDoS capabilities realistically only offer a limited ability to block such attacks: typically, via the use of simplistic thresholds.
When the threshold limit is reached, every application and every user using that port gets blocked, perhaps protecting the infrastructure but causing an outage for legitimate users. Attackers know this is an effective way to block the good users along with the attack, achieving their end-goal of denying service.
With around 45% of the UK working from home at the height of the pandemic, many companies have had to resort to using VPNs to allow staff to connect remotely to corporate systems. This trend has been exploited by attackers with the report finding a year-over-year increase of nearly 400% in the use of OpenVPN reflections as an attack vector. OpenVPN as a reflection DDoS vector is bad news for the victim being attacked but, also for the organisation whose OpenVPN infrastructure is being used to launch the attack as their remote workers will suffer from a degraded, or possibly unusable, service, impacting productivity and, potentially, Business Continuity.
The report also notes that DDoS attacks are continually evolving in their sophistication, deceptiveness and frequency, and finding new ways to bypass traditional security measures. In most cases, rather than just generating massive volumes of traffic, to block an organisation’s Internet connections, cybercriminals send shorter, lower volume attacks which are designed to impact a particular server, application, or service.
In some cases, attackers seek merely to distract security staff with DDoS ‘noise’, which helps disguise their efforts to map a network for vulnerabilities, install malware, or access sensitive information.
Fighting back
In terms of countering this threat, there are key areas on which organisations should focus. Accurate and rapid detection is the first phase in effective DDoS protection. Attacks that are now able to evade legacy detection mechanisms – specifically small-scale, sub-saturating attacks – have the potential to create havoc, while IT teams struggle to identify the cause. Therefore, it is critical to implement a system that accurately monitors network traffic for both small-scale and high-volume attacks.
As packets attempt to enter the network, it is important to automatically, and accurately, classify them in real time; to determine whether they are treated as ‘good’ or ‘bad’ traffic. This granular level of analysis is essential. The inspection of all traffic, at the packet level, enables the system to provide an accurate, un-interrupted flow of good traffic.
Mitigation is the next area. Having identified the DDoS attack traffic, it is imperative to block it quickly and accurately. DDoS protection which relies on security professionals analysing the data and making relevant policy updates, or swinging attack traffic via a cloud protection service, cannot react in real-time and prevent attacks from impacting business. Only with always-on automatic protection, is it possible to reduce the time to mitigation, from the tens of minutes of legacy solutions, to the seconds required to defeat modern attacks. Time-to-mitigation is critically important, as cybercriminals only need seconds to cripple services or take websites offline.
Alongside these two priorities, it is important that infosec teams, or contracted MSSPs, have direct experience with dealing with DDoS.
There are many types of attack vectors used for DDoS and each has a different profile. Increasingly, attacks comprise of multiple vectors, either used in succession, in parallel, or a combination of the two. The cybercriminals will use whatever attack profile is necessary to complete their objective. Security teams need to know what every attack looks like – both during and after it occurred. Comprehensive visibility is key to understanding the adversary and being able to confidently communicate to the business what happened and how well the defences functioned.
Questions such as ‘how long was an attack?’, ‘how large was it?’, ‘which vectors did it use in an attempt to break through?’ and ‘was every part of the attack successfully mitigated?’ all need to be answered with confidence and evidence. It is critical to have a DDoS protection solution that not only automatically blocks all types of DDoS attacks, but also provides comprehensive visibility into each attack, delivering the intelligence and forensics needed to prepare against emerging threats.
Stay agile
As the impact of the pandemic has shown, organisations need to have a degree of flexibility built into any DDoS protection strategy. When it comes to security solutions, it’s rarely a case of one size fits all and DDoS solutions are no exception. Some solutions only operate in the cloud, some are located on-premises but must sit out-of-band because they are not high-performance enough to inspect all traffic and not all are highly automated or can scale to the needs of every environment.
A good first step is to run a free test demonstration of any DDoS protection system which will at least give your organisation a benchmark of the current level of protection – and provide recommendation of where security can be improved.
Click below to share this article