The last few years have been banner ones for distributed denial-of-service attacks. The rise of on-demand DDoS tools and the discovery of novel vectors for carrying out attacks – e.g., targeting the legacy Network Time Protocol instead of relying on the classic DNS reflection technique – have resulted in some of the biggest DDoS incidents of all time:
- An attack against the BBC that came to light in early 2016 was reported by some outlets as the largest of all time, topping 600 Gbps. According to ZDNet, the actual size might not have been in that neighborhood, but the attack was nevertheless successful in bringing down the BBC's entire domain for more than 3 hours.
- A year before that, Arbor Networks revealed that one ISP had suffered a 400+ Gbps attack involving NTP reflection. NTP has been an important protocol – it synchronizes routers and servers with Coordinated Universal Time – but it dates to the 1980s and was more or less ignored as a major security risk until recently.
- The massive DDoS attack against CloudFlare in 2013 first brought the NTP issue into the open. Weak configurations on only a small number of servers allowed attackers to overwhelm CloudFlare with a greater amount of traffic than even the infamous Spamhaus DDoS incident, which involved seven times as many compromised servers.
DDoS has clearly become a front-and-center concern for websites, service providers and governments around the world, so what is being done to mitigate their impact? To date, these organizations have struggled to keep the growing DDoS menace in check, as recent numbers demonstrate.
DDoS frequency and severity continue to climb into 2016
The "Q1 2016 State of the Internet – Security Report" from Akamai noted that the number of DDoS attacks was up 125 percent from the previous year. Average attack duration also jumped 35 percent to more than 16 hours. Akamai also revealed that there were 19 "mega attacks" of at least 100 Gbps apiece in Q1 2016, compared to only 8 in the first quarter of 2015.
Reasons behind the DDoS surge
Why has DDoS taken off so much in recent times? There are several possible explanations here, including:
- A shift in attitude: Simple network defenses are not enough to deter would-be DDoS attackers, many of whom choose to try their luck anyway and see if the defensive measures will give in. It has become apparent that even major sites like the BBC and providers such as CloudFlare sometimes have vulnerabilities exploitable via DDoS.
- On-demand tools: Deep technical skill is no longer really needed for carrying out a DDoS attack; a 2012 Trend Micro report on Russia's cybercriminal underground revealed that one day of DDoS service cost only $30 to $70 USD. Many DDoS-as-a-service utilities provide an intuitive interface for nontechnical users.
- Rich targets: Attackers have many appealing targets to go after now. The spread of online gaming in particular has spurred a number of DDoS incidents, since even the slightest amount of latency from DDoS pressure can greatly degrade the experience for game players.
Over half (55 percent) of these attacks were against gaming sites. However, retailers were the most common targets for DDoS attacks against web applications.
DDoS attacks are blunt but effective tools for disrupting service to potentially millions of Internet users, whether to mask another cyberattack against the target or make a political point. The power of such attacks comes from their ability to harness the resources of numerous compromised servers, routers, PCs, etc.
"[A] DDoS attack involves an enormous number of spurious requests from a large number of computers worldwide that flood a target server," explained the authors of the aforementioned Trend Micro paper. "As a result, the target server spends all of its resources serving requests and becomes virtually unavailable to ordinary users. The users of the computers that are sending the fake requests may not even suspect that their machines have been hacked."
Specific DDoS attack types
In addition to weaknesses in NTP and DNS, attackers have recently been going after datagram fragmentation and even the chargen protocol as well. Between the four of them, these techniques accounted for 70 percent of the attacks documented by Akamai.
Almost 60 percent of the DDoS attacks it covered were multi-vector (i.e., using a combination of techniques instead of just one), showing that DDoS is becoming increasingly sophisticated. Attackers are going after everything from SQL injection to lingering vulnerabilities in the long since-patched Shellshock vulnerability in GNU Bash.
DDoS attacks aren't going away any time soon. Accordingly, it pays to have anti-DDoS tools and trainings that can minimize your exposure to them, along with a sensible patching strategy that ensures that known exploits are addressed as quickly as possible.