Over the past few years, distributed denial-of-service attacks have become a growing cyber security issue for private and public sector organizations. Exploitation of legacy protocols such as the Network Time Protocol has opened up new attack angles in addition to classic DNS reflection amplification, and devices like home routers have been enlisted in massive botnets capable of carrying out self-sustaining DDoS campaigns.
DDoS attacks escalate in size and impact
Moreover, there has been a trend toward greater peak bandwidth, longer attack durations and the use of DDoS as a retaliatory and political tool. A few incidents and trends worth noting include:
- The Prolexic Quarterly Global DDoS Attack Report Q2 2014 revealed that average peak bandwidth had nearly doubled between the second quarters of 2013 and 2014, while mean volume had tripled. Indeed, late last year in the wake of the Occupy Central protests in Hong Kong, CloudFlare CEO Matthew Prince stated that the largest cyber attack in history – a DDoS attempt – had been ongoing against independent media sites in the province. He characterized it as larger even than the previous record-holder, a 400 Gbps attack in Europe in early 2014.
- A wide range of perpetrators now seem capable of executing successful DDoS attacks. For example, the 2013 attempt against Spamhaus, which at 300 Gbps was the largest ever prior to the two mentioned above, was initiated by a teenager in London. At the same time, nation-states like Iran and China have been suspected in several DDoS incidents, namely a wave of 2012 attacks against U.S. banks and the aforementioned Occupy Central cyber attack, respectively. A government may also have been involved in the DDoS that hit GitHub in March 2015 and that may have been larger than what happened in Hong Kong.
- Organizations of all types have been targeted by DDoS in recent years. In addition to GitHub (a site for sharing code repositories) and the Hong Kong media, video game properties such as "League of Legends" and Electronic Arts' Origin portal, public sector institutions including the Dutch government and software companies like Evernote have all had to deal with the sustained disruption of DDoS attacks that took their sites temporarily offline.
Back in 2011, Trend Micro's Rik Ferguson predicted that DDoS attacks would escalate in the years ahead, thanks in large part to the proliferation of DIY tools that would let parties of even limited technical means put pressure on organizations around the world. Easier access to DDoS infrastructure has certainly contributed to the rapid evolution of DDoS this decade. Let's look more at this change as well as a couple of others that have reshaped what enterprise network security teams have to deal with.
Three reasons why DDoS attacks have become a bigger issue for enterprises
What actually happens when an organization is the victim of a DDoS attack? For starters, it immediately has to divert attention from running crucial operations to getting its website back in working order. A recent report from B2B International and a cyber security firm shed some light on the specifics, finding that more than half of DDoS victims experienced delays in service loading times, 29 percent saw the failure of some transactions and 13 percent reported full failure of a critical resource.
With that in mind, here are three trends in DDoS that enterprise CIOs and their teams should be aware of. Knowing the causes and characteristics of these attacks is essential for guiding investment in anti-DDoS tools and security software.
1) More protocols are being exploited
One of the big stories in DDoS last year was the emergence of NTP reflection as a viable attack strategy. NTP is a legacy protocol originally introduced in the 1980s, and its exploitation has been at the heart of some of the biggest DDoS attacks on record, such as the 400 Gbps one in 2014.
Addressing NTP vulnerabilities is not difficult; the success of NTP-based DDoS owes more to lack of attention to NTP than it does to clever circumvention of network security. The real lesson from the uptick in NTP attacks is that new routes are always being explored for DDoS and that DNS reflection amplification isn't the only game in town. One to keep an eye on is the Simple Service Discovery Protocol (SSDP).
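Reflection attacks share one signature regardless of the protocol abused: large UDP responses arriving from a service port (DNS 53, NTP 123, SSDP 1900) that the victim never sent a request for, because the requests carried the victim's spoofed address. The following Python script, an added example rather than anything from the article or a vendor product, runs that check over flow records. The flows, the victim address 203.0.113.10 and the reflector addresses are constructed (RFC 5737 documentation ranges); the port numbers are the standard ones for the three services named above.

```python
"""Spot reflection/amplification traffic in flow records.

Added example (not from the article). Flow records are constructed, not real
traffic; addresses come from the RFC 5737 documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports that identify a reflected response from an abusable service.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


VICTIM = "203.0.113.10"

# Constructed sample: one legitimate NTP poll and its reply, three reflectors
# firing at the victim with no matching outbound request, and a TCP flow that
# the detector must ignore.
SAMPLE_FLOWS = [
    Flow(VICTIM, 40001, "192.0.2.1", 123, "udp", 1, 76),        # our own NTP query
    Flow("192.0.2.1", 123, VICTIM, 40001, "udp", 1, 76),        # and its reply
    Flow("198.51.100.5", 123, VICTIM, 80, "udp", 100, 48200),   # monlist-sized NTP replies
    Flow("198.51.100.7", 53, VICTIM, 80, "udp", 20, 60000),     # oversized DNS responses
    Flow("198.51.100.9", 1900, VICTIM, 80, "udp", 50, 15000),   # SSDP M-SEARCH replies
    Flow("198.51.100.9", 443, VICTIM, 52000, "tcp", 10, 4000),  # unrelated TCP traffic
]


def amplification_report(flows, victim_ip=VICTIM, min_bytes=10_000, min_ratio=10.0):
    """Return reflectors whose responses to victim_ip are large and unsolicited.

    Each finding carries the inbound volume, the average packet size (NTP
    monlist replies are around 480 bytes) and the ratio of bytes received to
    bytes the victim actually sent to that service; float('inf') means the
    victim sent nothing at all, the clearest sign of spoofed requests.
    """
    inbound = defaultdict(lambda: [0, 0])   # (reflector, port) -> [packets, bytes]
    outbound = defaultdict(int)            # (reflector, port) -> bytes victim sent
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_ip == victim_ip and f.src_port in REFLECTOR_PORTS:
            inbound[(f.src_ip, f.src_port)][0] += f.packets
            inbound[(f.src_ip, f.src_port)][1] += f.bytes
        elif f.src_ip == victim_ip and f.dst_port in REFLECTOR_PORTS:
            outbound[(f.dst_ip, f.dst_port)] += f.bytes

    findings = []
    for (ip, port), (pkts, nbytes) in inbound.items():
        sent = outbound.get((ip, port), 0)
        ratio = nbytes / sent if sent else float("inf")
        if nbytes >= min_bytes and ratio >= min_ratio:
            findings.append({
                "reflector": ip,
                "service": REFLECTOR_PORTS[port],
                "bytes_in": nbytes,
                "avg_packet": nbytes / pkts,
                "ratio": ratio,
                "unsolicited": sent == 0,
            })
    findings.sort(key=lambda d: d["bytes_in"], reverse=True)
    return findings


def total_reflected_bytes(findings):
    """Sum of inbound bytes across all flagged reflectors in the window."""
    return sum(f["bytes_in"] for f in findings)


if __name__ == "__main__":
    for finding in amplification_report(SAMPLE_FLOWS):
        print(finding)
```

The legitimate NTP exchange is not flagged: it is tiny and its ratio is 1.0. In production the same function would be fed records exported from a flow collector for a short time window, and the per-reflector list is what you hand to the upstream provider when asking for filtering, since the reflectors (not the attacker) are the addresses that appear on the wire.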
"Everyone is aware of the huge storm of NTP reflection DDoS attacks in Q1 and early Q2, but although NTP reflection is still significant there isn't as much going on now as there was – unfortunately, it is looking more and more like SSDP will be the next protocol to be exploited in this way," explained Darren Anstee of Arbor Networks, according to Threatpost. "Organizations should take heed and ensure that their DDoS defense is multi-layered, and designed to deal with both attacks that can saturate their connectivity, and more stealthy, sophisticated application layer attacks."
2) Botnets provide convenient infrastructure for DDoS
There is no lack of motive – whether political or economic – for carrying out DDoS attacks, but until recently it was difficult for many would-be cyber criminals to amass the infrastructure needed to actually go after major websites. This is no longer the case.
Just look at the attacks against several online gaming networks during the 2014 holiday season. These DDoS incidents were made possible by vast botnets of compromised home routers, which were accessible over SSH and HTTP and could be used to scan for other vulnerable machines.
Unlike other tools like the Low Orbit Ion Cannon (which Ferguson cited as an issue in his 2011 predictions), this infrastructure allows for distributed scans and does not broadcast user IP addresses. Accordingly, it is harder for security teams to track DDoS perpetrators and shut them down with tactics like rate-limiting or blacklisting.
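The reason per-source rate-limiting and blacklisting lose their bite against a router botnet is visible in the access log: the same request volume that a single LOIC-style client concentrates in one address is spread so thinly across hundreds of compromised routers that no individual source crosses a per-IP threshold. The Python below is an added example, not from the article or any product; it parses Combined Log Format lines, applies a per-IP limit, and classifies a window as concentrated (per-IP limiting works) or distributed (it does not). Both logs are constructed, with addresses from the RFC 5737 documentation ranges.

```python
"""Concentrated vs. distributed HTTP floods in web access logs.

Added example (not from the article). Log lines are constructed in the
Combined Log Format; addresses come from the RFC 5737 documentation ranges.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_log(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def per_ip_offenders(entries, max_per_ip):
    """Source IPs a classic per-source rate limiter would act on."""
    counts = Counter(e["ip"] for e in entries)
    return {ip for ip, n in counts.items() if n > max_per_ip}


def window_summary(entries):
    """Volume, number of distinct sources and the share held by the top one."""
    entries = list(entries)
    counts = Counter(e["ip"] for e in entries)
    top = counts.most_common(1)[0][1] if counts else 0
    return {
        "requests": len(entries),
        "distinct_ips": len(counts),
        "top_share": top / len(entries) if entries else 0.0,
    }


def classify_window(entries, flood_threshold, max_per_ip):
    """'normal' below the volume threshold; otherwise 'concentrated' when a
    per-IP limit catches someone, 'distributed' when it catches nobody."""
    entries = list(entries)
    if len(entries) < flood_threshold:
        return "normal"
    return "concentrated" if per_ip_offenders(entries, max_per_ip) else "distributed"


def _line(ip, i):
    # Constructed Combined Log Format line; the second column is the seconds field.
    return (f'{ip} - - [01/Jan/2015:00:00:{i % 60:02d} +0000] '
            f'"GET /index.html HTTP/1.1" 200 512')


def constructed_single_source_log():
    """One abusive client (the LOIC pattern) plus a little background traffic."""
    lines = [_line("198.51.100.23", i) for i in range(300)]
    lines += [_line(f"192.0.2.{i}", i) for i in range(1, 21)]
    return lines


def constructed_botnet_log():
    """The same 300 requests spread over 150 compromised-router addresses."""
    return [_line(f"203.0.113.{i % 150 + 1}", i) for i in range(300)]


if __name__ == "__main__":
    for name, log in (("single source", constructed_single_source_log()),
                      ("botnet", constructed_botnet_log())):
        entries = list(parse_log(log))
        print(name, window_summary(entries), classify_window(entries, 200, 30),
              per_ip_offenders(entries, 30))
```

The thresholds (200 requests per window, 30 per source) are placeholders to tune against your own baseline. The distributed case is the one that needs the aggregate view: total volume and distinct-source count together, rather than any per-address counter, are what tell the operations team a flood is under way.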
3) Lack of encryption opens the doors for DDoS
Encryption has been a hot-button issue over the past year or more, especially in the wake of blockbuster revelations about weaknesses in widely used implementations like OpenSSL. The huge DDoS attack against GitHub this year also shows how encryption, or the lack thereof, can exacerbate the trouble for targeted websites.
"Without HTTPS, anyone sitting between the Web server and the end user can modify content arbitrarily," explained Bill Budington in a post for the Electronic Frontier Foundation. "This is part of the reason we need 100% deployment of HTTPS for the entire web. At the same time, it's important to note that HTTPS isn't a complete inoculation against malicious state action."
Defending against DDoS attacks
To pick up Budington's final point, encryption must indeed be supplemented by careful protection of any associated encryption keys. Enterprise CIOs should ensure that encryption is in place in the analytics and other Web tools that their organizations use, be aware of possible DDoS attack vectors (including NTP and SSDP) and invest in network security tools that spot traffic anomalies and issues.
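The concrete check behind "ensure that encryption is in place in the analytics and other Web tools" is whether every script, stylesheet and frame a page loads is fetched over HTTPS, since a single plain-HTTP analytics script is enough for an on-path party to rewrite what every visitor runs. The Python below is an added example, not code from the article or the EFF; it audits a page's resource tags and checks a response for a Strict-Transport-Security header. The HTML and header sets are constructed, and the hostnames use the reserved .example domain.

```python
"""Audit a page for resources an on-path attacker could rewrite.

Added example (not from the article). The HTML and headers are constructed;
hostnames use the reserved .example domain.
"""
from collections import Counter
from html.parser import HTMLParser


class MixedContentAudit(HTMLParser):
    """Collect script, stylesheet and iframe sources that undermine HTTPS."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag in ("script", "iframe"):
            src = a.get("src")
        elif tag == "link" and (a.get("rel") or "").lower() == "stylesheet":
            src = a.get("href")
        else:
            return
        if not src:
            return
        url = src.strip().lower()
        if url.startswith("http://"):
            self._add(tag, src, "plain-http")          # replaceable on the wire
        elif url.startswith("//"):
            self._add(tag, src, "protocol-relative")   # downgrades on an HTTP page
        elif tag == "script" and url.startswith("https://") and "integrity" not in a:
            # Advisory: SRI pins a static third-party script to a known hash.
            self._add(tag, src, "no-sri")

    def _add(self, tag, src, issue):
        self.findings.append({"tag": tag, "src": src, "issue": issue})


def audit_html(html):
    """Return the list of findings for one page."""
    p = MixedContentAudit()
    p.feed(html)
    p.close()
    return p.findings


def issue_counts(findings):
    """Tally findings by issue type."""
    return dict(Counter(f["issue"] for f in findings))


def has_hsts(headers, min_age=0):
    """True if the response pins HTTPS via Strict-Transport-Security with a
    positive max-age (header names are matched case-insensitively)."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            for directive in value.split(";"):
                k, _, v = directive.strip().partition("=")
                if k.lower() == "max-age" and v.strip().isdigit():
                    return int(v) > min_age
    return False


# Constructed page: one analytics script over plain HTTP, one protocol-relative
# library, one pinned script, one unpinned script, an HTTP stylesheet and a
# same-origin script that needs no flag.
SAMPLE_HTML = """<html><head>
<script src="http://analytics.example/collect.js"></script>
<script src="//cdn.example/lib.js"></script>
<script src="https://cdn.example/app.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://static.example/other.js"></script>
<link rel="stylesheet" href="http://static.example/site.css">
<script src="/local.js"></script>
</head><body></body></html>"""

SAMPLE_HEADERS_OK = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
SAMPLE_HEADERS_MISSING = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML):
        print(f)
    print("HSTS:", has_hsts(SAMPLE_HEADERS_OK), has_hsts(SAMPLE_HEADERS_MISSING))
```

The "no-sri" result is advisory: Subresource Integrity only suits scripts whose content you control or pin, which is rarely true of hosted analytics. The plain-HTTP and protocol-relative findings are the ones to fix first, and the HSTS check confirms that returning visitors will not be downgraded to plain HTTP in the first place.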