Since the first Denial-of-Service (DoS) attack was launched in 1974, Distributed Denial-of-Service (DDoS) attacks have remained among the most persistent and damaging cyber-attacks. This year, we’ve already seen two massive volumetric DDoS attacks that dwarf previous attacks of their type.
In February of 2020, an attacker used vulnerable third-party servers to attempt to flood Amazon Web Services with traffic at a rate of 2.3Tbps. The previous record was an attack in 2018 of 1.7Tbps. Then on June 21, an attack that reached a peak volume of 809 million packets per second (pps) was launched against a large European bank. Previously, the record was held by a 500 million pps attack that happened in January of last year.
Understanding the different types of DDoS attacks is critical to strengthening your defenses. In this post, we’ll cover five types of attacks you need to be aware of, not all of which rely on volume.
DDoS attack type #1: Advanced Persistent DoS (APDoS)
APDoS attacks involve massive network-layer DDoS attacks and focused application-layer (HTTP) floods, followed by repeated SQLi and XSS attacks occurring at varying intervals. Typically, perpetrators simultaneously use five to eight attack vectors involving up to tens of millions of requests per second, often accompanied by large SYN floods. These attacks can persist for several weeks.
Stopping APDoS requires an array of technologies, including ones that cover threats manifesting as SMTP attacks (a relatively new vector) and secure SMTP, such as TLS over SMTP.
To successfully mitigate these threats, organizations must understand what they are dealing with and take certain precautions. As the next generation of DDoS threats emerges, organizations must become obsessive about removing risks and compulsive about action.
DDoS attack type #2: DNS Water Torture Attack
A DNS NXDOMAIN flood attack, which is also known as a water torture attack, targets an organization's DNS servers. This type of attack involves a flood of maliciously crafted DNS lookup requests. Intermediate resolvers also experience delays and timeouts while waiting for the end target's authoritative name server to respond to the requests. These requests consume network, bandwidth and storage resources. They can also tie up network connections, causing timeouts.
Understanding the threat makes clear two of the largest problems in countering this attack vector:
- The attacker is coming from a known legitimate source and can’t realistically be blocked while still maintaining healthy DNS resolution operations over the long term.
- The attacking source is also sending legitimate requests at the same time as the illegitimate ones.
To counter this resource-draining threat, organizations should monitor their recursive DNS servers, keeping a keen eye out for anomalous behavior such as spikes in the number of unique sub-domains being queried or spikes in the number of timeouts or delayed responses from a given name server.
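The monitoring described above can be sketched as follows. This is an added example, not part of the original post: the log format (`<epoch> <qname> <rcode> <latency_ms>`), the sample lines and all thresholds are constructed assumptions, and `zone_of` uses a naive last-two-labels rule.

```python
from collections import defaultdict

def make_sample_log():
    """Constructed resolver log lines: '<epoch> <qname> <rcode> <latency_ms>'."""
    lines = []
    for t in range(0, 180, 10):  # three 60 s windows of ordinary lookups
        lines += [f"{t} www.example.com NOERROR 12",
                  f"{t} mail.example.com NOERROR 15",
                  f"{t} www.example.org NOERROR 11"]
    for i in range(40):  # third window: random-label lookups that time out
        lines.append(f"{120 + i} x{i:04x}q.example.com SERVFAIL 2000")
    return lines

def zone_of(qname):
    # Naive "last two labels" rule; production code should use the Public Suffix List.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def detect(lines, window=60, min_queries=20, spike_factor=5.0,
           fail_ratio=0.5, slow_ms=1000):
    """Return one alert per (window, zone) showing either anomaly."""
    stats = defaultdict(lambda: {"names": set(), "total": 0, "bad": 0})
    for line in lines:
        ts, qname, rcode, latency = line.split()
        s = stats[(int(ts) // window, zone_of(qname))]
        s["names"].add(qname.lower())
        s["total"] += 1
        if rcode in ("SERVFAIL", "TIMEOUT") or int(latency) >= slow_ms:
            s["bad"] += 1
    alerts, baseline = [], {}  # baseline: zone -> smoothed unique-name count
    for win, zone in sorted(stats):
        s = stats[(win, zone)]
        unique, ratio = len(s["names"]), s["bad"] / s["total"]
        base = baseline.get(zone)
        reasons = []
        if unique >= min_queries and (base is None or unique >= spike_factor * base):
            reasons.append("unique-subdomain spike")
        if s["total"] >= min_queries and ratio >= fail_ratio:
            reasons.append("timeouts or slow responses")
        if reasons:
            alerts.append({"start": win * window, "zone": zone, "unique": unique,
                           "fail_ratio": round(ratio, 2), "reasons": reasons})
        else:  # only quiet windows feed the baseline
            baseline[zone] = unique if base is None else (base + unique) / 2
    return alerts

if __name__ == "__main__":
    for alert in detect(make_sample_log()):
        print(alert)
```

Because the alert is keyed on the queried zone rather than the client, it fits the constraint noted above that the querying source is legitimate and cannot simply be blocked.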
Any DNS attack mitigation tool must meet unique challenges. Beyond a limited set of vendors, there is no real automated solution to mitigate this threat, as the tool must have the following attributes:
- A deep knowledge of DNS traffic behavior
- Ability to alleviate a high rate of DNS packets
- Mitigation accuracy
- Ability to deliver the best quality of experience even under attack
DDoS attack type #3: SSL-Based Cyber Attacks
More companies are wisely encrypting their internal network traffic, but this may be leaving them with a false sense of security. Gartner expects as much as 70% of malware attacks in 2020 to leverage encryption. These SSL-based attacks take many forms, including encrypted SYN floods, SSL renegotiation, HTTPS floods and encrypted web application attacks.
In the same way SSL and encryption protect the integrity of legitimate communications, they effectively obfuscate many of the attributes used to determine if traffic is malicious or legitimate. Most cyber-attack solutions struggle mightily to identify potentially malicious traffic and isolate it for further analysis.
The other major advantage that SSL attacks offer to attackers is the ability to put significant computing stress on network and application infrastructures they target.
Even the most advanced mitigation technologies have gaps in their encryption-based protections. Few of these solutions can be deployed out-of-path, which is a necessity for providing protection while limiting the impact on legitimate users. Many solutions that can do some level of decryption tend to rely on rate-limiting requests, thereby resulting in dropped legitimate traffic. Finally, many solutions require the customer to share actual server certificates, which complicates implementation and certificate management, and forces customers to share private keys for protection in the cloud.
To provide effective protection, solutions need to deliver full attack vector coverage, high scalability and innovative ways to handle management of encryption technologies in a manner that can be operationalized effectively and efficiently.
DDoS attack type #4: PDoS – Permanent Denial of Service
A permanent denial-of-service (PDoS) attack, also known as phlashing, is an attack that damages a system so badly that it requires replacement or re-installation of hardware. By exploiting security flaws or misconfigurations, PDoS can destroy the firmware and/or basic functions of a system.
One method PDoS uses to accomplish its damage is via remote or physical administration on the management interfaces of the victim's hardware, such as routers, printers, or other networking hardware. In the case of firmware attacks, the attacker may use vulnerabilities to replace a device's basic software with a modified, corrupt, or defective firmware image—a process which when done legitimately is known as flashing. This therefore "bricks" the device, rendering it unusable for its original purpose until it can be repaired or replaced. Other attacks include overloading the battery or power systems.
Permanent denial-of-service (PDoS) attacks have been around for a long time; however, this type of attack comes to public attention only from time to time.
BrickerBot, which Radware discovered in 2017, is still probably the most well-known example. Over a four-day period, BrickerBot launched thousands of PDoS attempts from various locations leveraging Telnet vulnerabilities to breach a victim’s devices.
Assessing risks & taking action
The following behaviors and trends may increase the risk of a PDoS attack targeting your organization:
- Running a highly virtualized environment that leverages a few hardware devices but heavily overloads software functions
- Organizations highly dependent on IoT
- Organizations with centralized security gateways
- Organizations that are considered critical infrastructure
The clear action to take is to conduct an audit of the type of technology you are running at or below the operating system level. Develop a clear understanding of the different firmware versions, binaries, chip-level software (like ASICs and FPGAs) and technology that is in use in your environment. Also consider vulnerabilities in batteries, power systems and fan systems.
DDoS attack type #5: IoT Botnets and the economics of DDoS protection
Botnets entered the cybersecurity scene in 2016. Today, they are one of the fastest-growing and most fluid threats, especially as organizations connect more and more devices to the internet.
The appeal of Internet of Things (IoT) devices
For hackers, IoT devices are attractive targets for several reasons:
- IoT devices usually fall short when it comes to implementing endpoint protection
- Unlike PCs and servers, there are no regulations or standards for secure use of IoT devices
- IoT devices operate 24x7 and can be in use at any moment
Botnets: making use of different attack vectors
The Mirai botnet provides a perfect example of the various attack vectors one IoT botnet can unleash on its victims. We can all thank a user named “Anna-senpai” for publishing the Mirai source code to an easily accessible, public forum. The code spread to numerous locations, including several GitHub repositories, where hackers began inspecting it. Since then, the Mirai botnet has been infecting hundreds of thousands of IoT devices—turning them into a “zombie army” capable of launching powerful volumetric DDoS attacks. Security researchers estimate that there are millions of vulnerable IoT devices actively taking part in these coordinated bot attacks.
The economics of botnets
While much has been discussed around Mirai, IoT, “the rise of the machines” and other catchy buzz-phrases, we believe one of the most disruptive changes is the new economic model of IoT botnets.
Not so long ago, hackers were investing a great deal of money, time and effort to scan the Internet for vulnerable servers, build their zombie army and then safeguard it against other hackers. All the while, hackers would keep continual watch for new infection targets.
Now with IoT botnets, instead of spending months of effort and hundreds of dollars, bot masters can take control of millions of IoT devices with near zero cost.
Knowledge is power when it comes to DDoS attacks
To stay ahead of the threat landscape, knowledge is power. No doubt, hackers will continue to evolve these five threats, and 2020 will bring about a new array of attack vectors that seek to undermine cyber defenses and take advantage of application and network vulnerabilities. Leveraging both the in-house expertise of your organization's cybersecurity team and the know-how of your DDoS vendor will be key to staying ahead of the threat. Here at TierPoint, we specialize in helping businesses create effective IT security strategies to combat all modern cyber threats. Contact us to learn more.