DDoS Defense Archive

DNS amplification attacks continue to dominate distributed denial-of-service (DDoS) attacks, while mobile devices make up a larger share of traffic.

The number of distributed denial-of-service (DDoS) attacks rose 86% in the third quarter compared to a year ago, with amplification attacks using the domain name system (DNS) remaining the most popular technique for attacking targets.

DNS amplification attacks accounted for 45% of the attacks, while HTTP floods and TCP SYN attacks accounted for 14% and 7.7%, respectively, according to new data published by network security firm Nexusguard.

Mobile devices continued to be a significant source of attack traffic, with 41% of attacks coming from mobile gateways and three-quarters of that traffic coming from Apple iOS devices, according to the Nexusguard report. Internet of things (IoT) devices also continue to be compromised and used by attackers, says Tony Miu, Nexusguard’s research manager.

Mobile devices and Internet-of-things (IoT) devices “are particularly vulnerable — in part due to their always-on nature, in part due to insufficient security configurability,” he says, warning that “the amplification of speed, higher bandwidth, and reduced latency offered by 5G will also create a perfect environment for massive DDoS attacks that leverage enormous botnets comprised of PCs, smartphones, and IoT (devices).”

There were no major shifts in the denial-of-service landscape overall: Attacks tend to peak in the first quarter, decreasing every quarter after that, until attacks end the year on a slightly higher note. That trajectory happened in 2018, and appears to be happening this year. The vast majority — 86% — of attacks lasted less than 90 minutes, and 90% of attacks involved less than 1 Gbps of data.

DNS DDoS via Apple iOS

Mobile devices became a significant vector earlier this year. In the first quarter, more than 60% of application attacks — one of three broad classes of denial-of-service attacks — could be traced back to mobile gateways and either came from a mobile device or a computer connected to a mobile device. The latest quarter underscores that mobile devices have become increasingly used in volumetric and amplification attacks — Nexusguard’s other two broad categories — with mobile devices contributing to those attacks as well.

While Apple devices typically do well security-wise compared to Android, Nexusguard found that 31% of all DNS attacks came from Apple devices, versus 10% from Android devices.

“While Apple has done a great job in managing, checking, and maintaining the security of apps available for download at the App Store, we believe a considerable number of iOS devices were jailbroken, running unauthorized (and) malicious apps that have not been vetted by the App Store,” says Nexusguard’s Miu.

Overall, the company saw a steep rise in DNS amplification attacks. While amplification attacks more than doubled since the same quarter in 2018, DNS amplification attacks — which use the relatively large size of DNS responses to inundate a target — jumped by a factor of 48 in popularity.

The technique gives the attacker a lot of bandwidth for only a little effort, the company stated in its report.

“The target thus receives an enormous amount of responses from the surrounding network infrastructure, resulting in a DDoS attack,” the report said. “Because such a sizable response can be created by a very small request, the attacker can leverage this tactic to amplify attacks with a maximum amplification factor of 54.”

The adoption of DNS security, or DNSSEC, has contributed to that rise, according to Miu. “While it’s true that DNSSEC fixes one problem, it creates another,” he says. “The problem with DNSSEC lies in the exceptionally long responses DNSSEC-enabled servers generate.”

Along with DNS amplification attacks, single-vector attacks have quickly dominated again. Two-thirds of attacks used only a single technique to flood a target. Another 17% used two vectors, either simultaneously or soon after one another, to confuse defenders. The remaining 17% used three or more vectors.

Much of the rise in single vector attacks is because of attackers’ focus on DNS amplification, Miu says.

China, Turkey, the US, and South Korea topped the list of nations from which attacks emanated, accounting for 63% of attacks tracked by Nexusguard in the third quarter. Three networks, one in Turkey, another in China and the last in Korea, accounted for almost 40% of attacks.

Source: https://www.darkreading.com/attacks-breaches/mobile-devices-account-for-41–of-ddos-attack-traffic/d/d-id/1336635

DDoS – or distributed denial-of-service attacks – first came to prominence in the late 1990s. Even now, they are one of the biggest threats to any organization doing business on the internet.

What is DDoS?

Distributed denial-of-service (DDoS) attacks are a way of attacking online infrastructure, including websites and online applications, by overwhelming the host servers.

This prevents legitimate users from accessing the services.

The term ‘distributed’ refers to the way these attacks invariably come from a large number of compromised computers or devices.

“They can be a relatively simple type of attack to trigger and for sites without enough protection very effective”, says Gemma Allen, senior cloud security architect at Barracuda Networks.

The aim is to interrupt normal operation of the application or site, so it appears offline to any visitors.

“A DDoS puts so much traffic in the queue that your browser thinks the site is offline, and gives up,” says Brian Honan, Dublin-based security expert at BH Consulting. “The legitimate traffic can’t get through.”

What are the aims of a DDoS attack?

The purpose might be blackmail, to disrupt a rival business, a protest (DDoS attacks are frequently associated with hacktivist groups) or as part of a nation-state backed campaign for political, or even quasi-military aims.

The 2007 attack on Estonia was a DDoS attack.

Security researchers also point to DDoS attacks being used as a diversion, allowing hackers to launch other exploits against their targets, for example to steal data. This is what is believed to have happened during the attack on TalkTalk in 2015.

And, as Tim Bandos, vice president of cybersecurity at Digital Guardian, warns, DDoS attacks are not limited to online applications or websites. Any internet-connected device is at risk.

That broadens the attack surface to critical national infrastructure, including power and transportation, and the internet of things (IoT) devices.

How does a DDoS attack work?

“In their simplest form, DDoS attacks work by flooding a service with more of something than it can handle,” says Barracuda’s Allen.

“Of course, in reality, it’s not this simple, and DDoS attacks have been created in many forms to take advantage of the weaknesses.”

Allen explains that an attacker will start out with a discovery phase, setting out to identify weakness in the target site or application. They might even use a different form of DDoS to cover up that activity.

Then the attacker chooses the best tool to exploit the site. They might buy an exploit on the dark web, or create their own.

On their own, though, most denial-of-service malware will have a limited impact on a well-resourced server. A DDoS attack works by operating at scale.

As Joseph Stalin supposedly said of the Red Army during WW2, “quantity has a quality all [of] its own”. So with DDoS. The exploits themselves are simple, but launch enough of them and they will overwhelm even the best systems.

To do this attackers build, or buy, a large enough “Zombie network” or botnet to take out the target. Botnets traditionally consisted of consumer or business PCs, conscripted into the network through malware. More recently, internet of things devices have been co-opted into botnets.

It’s claimed, for example, that the Mirai botnet can be rented for $7,500 per attack.

“If we look at the DynDNS attack of 2016, one of the largest DDoS attacks to date, the attack occurred in phases,” says Allen.

“It first appeared in a single region and then expanded to a concerted global effort from millions of computers that had been breached and turned into a botnet.”

Types of DDoS attacks

A DDoS attack ranges from the accidental – genuine users overwhelming the resources of popular sites, such as in a ‘Reddit hug of death’ – to sophisticated exploits of vulnerabilities.

Simple attacks include the ‘Ping of Death’ – sending more data to the host than the Ping protocol allows – or the SYN flood, which manipulates TCP connection handshakes.

More recent and sophisticated attacks, such as TCP SYN, might attack the network whilst a second exploit goes after the applications, attempting to disable them, or at least degrade their performance.

James Smith, head of penetration testing at Bridewell Consulting, points to three common forms of DDoS attacks:

  • Volumetric attacks
  • Protocol attacks
  • Application (layer) attacks

“All of these render the targets inaccessible by depleting resources in one way or another,” he says.

One of the largest, and most damaging, forms of DDoS is now the UDP amplification attack. UDP is spoof-able. And, as Corey Nachreiner, chief technology officer at WatchGuard Technologies points out, very small UDP requests can generate large bandwidth attacks.

“UDP amplification gives threat actors asymmetric DDoS power. The most recently discovered UDP amplification attacks can magnify the traffic of one host by a factor of 10,000 or more. When combined with traditional botnets, this gives attackers enough DDoS power to affect ISPs.”

Currently, a memcached UDP amplification attack – which doesn’t need a botnet – holds the DDoS record, with 1.7 Tbps of bandwidth.

What is the impact of a DDoS attack?

A DDoS attack affects victims in a number of ways:

  • Damage to reputation
  • Damage to customer trust
  • Direct financial losses
  • Impact on critical services
  • Impact on third parties and ‘collateral damage’
  • Data loss
  • The direct and indirect cost of restoring systems

What is the cost of a DDoS attack?

According to Kaspersky Labs, the average cost of an enterprise DDoS attack can approach $2 million.

Another report, by Netscout, calculates that the combined annual costs of DDoS attacks to the UK economy are close to £1 billion ($1.3 billion).

Akamai, another vendor in the space, publishes an online DDoS cost calculator.

The exact cost of a DDoS attack will, though, depend on the organization, the product or service it supplies, and the effectiveness of its incident response and post-incident strategy. This could range from a few tens of thousands of dollars to millions.

In the case of a nation-state attack or an attack on critical national infrastructure, the cost could be far higher – leading to social unrest or even the loss of life.

So far, no deaths have been attributed directly to DDoS attacks, but the economic impact is all too real.

How long does a DDoS attack last?

Again, this depends on the attacker, the target and their defenses. An attack might succeed in just a few moments, if the victim’s servers have few defenses. But the consensus in the industry is that an attack will last up to 24 hours.

According to Cloudflare, the largest DDoS attack – so far – against GitHub lasted about 20 minutes, due to the effectiveness of the site’s defenses.

If an attack does not take down the target in 24 hours, it does not mean the victim’s sites or applications are safe. Attackers can simply move on to another botnet, and try again with more data, or by using a different range of exploits.

Are DDoS attacks illegal?

“In the UK the Computer Misuse Act 1990 ‘makes it illegal to intentionally impair the operation of a computer or prevent or hinder access to a program/data on a computer unless you are authorized to do so’. As a result, these types of attacks are criminal under UK law,” says Bridewell Consulting’s Smith.

But law enforcement can only act if they can find the attacker. “The biggest challenge can be finding the people to prosecute,” says Barracuda’s Allen.

“The attacks are distributed and the attacking devices are often unwitting parties. The true attackers are hard to trace and while they may claim an attack, it’s not like they give out their real names.”

Recent DDoS attacks

Not all DDoS attacks are in the public domain, but here are some that made the headlines:

  • UK Labour Party, November 2019: Hacker group Lizard Squad claimed responsibility for an attack which attempted – but failed – to take down the political party’s website.
  • Wikipedia, September 2019: The site was subject to a three-day-long attack, which took it offline in EMEA and slowed it down in the US and Africa.
  • Telegram, June 2019: This attack is attributed mostly to China-based IP addresses.
  • UPnProxy, November 2018: The EternalBlue and EternalRed attacks involved 45,113 infected routers.
  • GitHub, February 2018: Still cited as the largest-ever DDoS attack, at a massive 1.7 Tbps.
  • Dyn, 2016: Attack against US DNS provider, best known because the attack used IoT devices running Mirai malware.

How to prevent a DDoS attack from happening

Dozens of vendors offer web application firewalls (WAFs), often directly through hosting providers, with the cost starting at just a few dollars a month. Businesses can also deploy hardware-based DDoS mitigation appliances at their network edge.

At the enterprise scale, the large distributed network companies, such as Akamai and Cloudflare, offer high-end, distributed DDoS protection. So do vendors, such as Verisign, HPE, and Cisco.

The most basic defense against DDoS is a DIY approach, monitoring and then shutting down requests from suspect IP addresses.

Although this approach is largely free, Brian Honan warns it is unlikely to be effective, especially against sophisticated, large-scale attacks. He also recommends that organizations place their defenses as far away as they can from their servers.

“You might be able to deal with a DDoS in your datacenter, but all of your internet pipe will be used up. So it is questionable how effective that will be,” he said.
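The “DIY” approach above, monitoring request rates and blocking suspect sources, is easy to prototype but has exactly the blind spot Honan describes. The following is an added example, not code from the original article or from any vendor quoted in it: it parses constructed common-log-format lines (the addresses, timestamps and thresholds are made up for illustration) and reports sources whose request rate exceeds a per-source threshold inside a sliding window. It also computes the aggregate peak rate, which is the only place a flood spread thinly across many sources becomes visible.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def _line(ip, when, path="/"):
    """Build a constructed access-log line (sample data, not real traffic)."""
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512'


T0 = datetime(2019, 12, 10, 10, 0, 0, tzinfo=timezone.utc)
LOG_LINES = []
# A normal client: three requests spaced 20 seconds apart.
for k in range(3):
    LOG_LINES.append(_line("203.0.113.5", T0 + timedelta(seconds=20 * k)))
# One noisy source: 150 requests inside five seconds.
for k in range(150):
    LOG_LINES.append(_line("198.51.100.9", T0 + timedelta(milliseconds=33 * k)))
# A distributed flood: 50 sources, four requests each, all inside five seconds.
# No single source trips a per-source threshold, yet the server sees 200 hits.
for i in range(50):
    for k in range(4):
        LOG_LINES.append(_line(f"192.0.2.{i + 1}",
                               T0 + timedelta(milliseconds=25 * (i * 4 + k))))


def parse_line(line):
    """Return (source_ip, timestamp) for a log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), stamp


def _peak_in_window(times, window):
    """Largest number of events that fall inside any interval of length window."""
    recent = deque()
    peak = 0
    for t in sorted(times):
        recent.append(t)
        while t - recent[0] > window:
            recent.popleft()
        peak = max(peak, len(recent))
    return peak


def flag_sources(lines, window_seconds=10, max_requests=100):
    """Map each source whose peak rate exceeds max_requests per window to that peak."""
    window = timedelta(seconds=window_seconds)
    per_source = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, t = parsed
            per_source[ip].append(t)
    return {ip: peak for ip, times in per_source.items()
            if (peak := _peak_in_window(times, window)) > max_requests}


def peak_aggregate_rate(lines, window_seconds=10):
    """Peak request count across all sources; this is where distributed floods show."""
    times = [p[1] for p in map(parse_line, lines) if p]
    return _peak_in_window(times, timedelta(seconds=window_seconds))


if __name__ == "__main__":
    print("Per-source offenders:", flag_sources(LOG_LINES))
    print("Peak aggregate requests in 10 s:", peak_aggregate_rate(LOG_LINES))
```

Run against the constructed lines, the per-source rule catches only the single noisy address while the 50-source flood slips under it, and the aggregate counter is what reveals that the server is under load. That is the gap Honan is pointing at: per-address blocking at the server does nothing about volume that has already filled the upstream pipe, and against reflected traffic the “sources” it would block are the abused reflectors rather than the attacker.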

Planning is another key element of any DDoS mitigation strategy.

“Having a plan and procedure in place in case of a DDoS attack is paramount and having monitoring capabilities in place to detect attacks is highly advised,” says Bridewell’s James Smith.

“Organizations also need to have a well implemented patching policy and ensure anything externally facing is up-to-date to help guarantee that any service software that may contain DDoS vulnerabilities is patched in a timely manner.”

Source: https://portswigger.net/daily-swig/what-is-ddos-a-complete-guide

Vancouver, Canada, December 10, 2019 –(PR.com)– DOSarrest rolls out new advanced mitigation capabilities for its cloud-based DDoS protection for infrastructure platform known as “Data Center Defender (DCD).” With the addition of AI to this platform, DOSarrest can now automatically mitigate even the most sophisticated attacks on this service. This major upgrade with real-time AI-created algorithms does not even require a learning period. Packet-by-packet analysis enables the system to weed out even the most elusive attacks and automatically block them.

DOSarrest CTO Jag Bains states, “While the DCD Network has been very successful in dealing with volumetric and protocol flood attacks for a number of years now, we remain committed to upgrading and evolving the service. In conjunction with continually increasing the capacity of the DCD Network, we’ve also upgraded the capabilities of DCD with automated routing isolation of targeted IPs through sophisticated analysis on our Big Data Platform. The targeted IP is automatically routed to an additional layer that allows for more sophisticated challenges and mitigation capabilities of malicious traffic.”

Jag Bains adds, “This new capability doesn’t require any learning mode, making mitigation ultra fast. It can pick up anomalies based on combinations of source/destination ports, IP protocols, TTL, packet lengths and payload patterns, and much more. It even detects and stops malicious traffic that has anomalous TCP flag combinations.”

DOSarrest CEO Mark Teolis comments, “The traffic isolation and mitigation operates asymmetrically and happens within seconds, all automatically. The ability to automatically isolate targeted IPs gives us a future roadmap to add even more sophisticated security measures that will scale easily… Watch this space.”

About DOSarrest Internet Security:
DOSarrest, founded in 2007 in Vancouver, B.C., Canada, specializes in fully managed cloud-based Internet security services including DDoS protection services, Data Center Defender (DCD), Web Application Firewall (WAF), DDoS attack testing, as well as cloud-based global load balancing.

Source: https://www.pr.com/press-release/801141

A Chinese government-backed DDoS operation has been resurrected to disrupt pro-democracy supporters in Hong Kong, according to AT&T Cybersecurity.

The firm revealed in a new blog post yesterday that it spotted activity from the so-called “Great Cannon” starting on August 31, with the most recent DDoS attempts coming on November 25.

Specifically, it was observed trying to take offline the LIHKG website, which is used by Hong Kongers to share info and plan protests across the Special Administrative Region (SAR) of China wracked by unrest over the past few months.

The Great Cannon works by intercepting traffic from websites hosted in China and inserting malicious JavaScript in legitimate analytics scripts, thereby forcing users’ machines to covertly make requests against targeted sites.

The code not only attempts to repeatedly request the LIHKG home page but also multiple sites and memes that appear on the forum, so as to blend in with normal traffic, according to Chris Doman of AT&T Cybersecurity’s AlienVault business.

“It is unlikely these sites will be seriously impacted. Partly due to LIHKG sitting behind an anti-DDoS service, and partly due to some bugs in the malicious JavaScript code that we won’t discuss here,” he explained.

“Still, it is disturbing to see an attack tool with the potential power of the Great Cannon used more regularly, and again causing collateral damage to US-based services.”

The tool itself first came to prominence around four years ago when it was used to target anti-censorship organization Greatfire.org. The researchers that revealed the cannon for the first time claimed it was co-located with China’s notorious Great Firewall censorship infrastructure.

Global anger spread after the Great Cannon was then turned on developer site GitHub, which at the time hosted anti-censorship tools.

Researchers warned that the same tool could very easily be repurposed to deliver malware rather than DDoS attacks.

Source: https://www.infosecurity-magazine.com/news/chinas-great-cannon-fires-on-hong/

Internet service providers in South Africa fell prey to massive distributed denial of service (DDoS) attacks this past weekend.

RSAWEB subscribers were among the first to feel it, with the company issuing a notice at 01:56 on Friday morning stating that it was under attack. By 12:38, RSAWEB reported that the DDoS attack had abated and that services were stable.

Cool Ideas was next to be hit. It sent out a notice to subscribers on Saturday morning to say that it was experiencing problems on its network.

It later confirmed that it was facing the largest DDoS attack it had ever seen on its network. Cool Ideas co-founder Paul Butschi told MyBroadband that the size of the attack exceeded 300 Gbps.

Butschi said the attack traffic statistics came from Cogent Communications and Hurricane Electric in London. Of the total traffic hitting their network, roughly 40 Gbps was legitimate.

Attack on Afrihost, Axxess, and Webafrica

On the evening of Saturday, 23 November, the upstream provider supplying services to Afrihost, Axxess, and Webafrica came under attack. All three ISPs use Echo Service Provider.

Echo, in turn, appears to have a partnership with Liquid Telecom for international transit — Internet traffic that goes outside South Africa.

During previous attacks on Echo SP, Liquid Telecom helped to mitigate the attack. MyBroadband asked Liquid Telecom for details regarding the attack that crippled Afrihost, Axxess, and Webafrica on Saturday.

“Liquid Telecommunications can confirm that during the course of [Saturday] night an attack was initiated against one of our South African clients,” a spokesperson for the company said.

“This attack was similar in size and scale to previous attacks reported on. The attack was mitigated within minutes of being seen and the network has been stable without incident since the mitigation was performed.”

The previous attack on Echo SP on 27 October was in excess of 100 Gbps. Liquid Telecom’s comments suggest that the most recent attack was around the same size.

Afrihost clients continued to complain that they were having trouble connecting to international services on Saturday evening.

On Sunday morning, MyBroadband forum members noticed that outbound international traffic from Afrihost was no longer flowing over Liquid Telecom’s network, but Telkom’s.

Another forum member found that Echo SP had only switched away from Liquid Telecom for outbound international traffic from South Africa. Inbound traffic from international sources was still being routed over Liquid Telecom’s network.

MyBroadband asked Afrihost, Webafrica, and Echo Service Provider for comment, but they did not respond by the time of publication.

Distributed denial of service and carpet bombing

A DDoS attack is a flood of garbage Internet traffic sent to servers, routers, and other computers on a network with the aim of making it impossible to communicate with them.

Under ordinary circumstances, generating 100 Gbps or 300 Gbps of traffic would require tremendous resources.

However, techniques such as DNS Amplification have made it easier and cheaper for attackers to generate large volumes of attack traffic than ever before.

DNS Amplification attacks, also referred to as DNS reflection, use improperly configured Domain Name System (DNS) servers to flood computers with network traffic. If the flood of bogus traffic is able to overwhelm the computer, it can’t respond to legitimate requests and appears offline to anyone on the Internet trying to reach it.

Reflection attacks work by requesting information from a server on the Internet, but then tricking it to send its response to the target computer the attacker wants to flood.

DNS servers are a popular choice for such attacks because they are critical Internet infrastructure designed to field millions of requests per second. They are also usually connected to high-bandwidth links to enable them to deal with large amounts of traffic.

Most importantly, attackers can often cause a DNS server to generate a response that is several times larger than their spoofed request. In other words, attackers use DNS servers to amplify their attack bandwidth. Hence the term “DNS Amplification”.

When the target of such an attack is a web server or critical network infrastructure, such a DDoS attack causes an outage. Network providers have developed methods to mitigate such attacks, and so attackers have found new ways of launching effective assaults.

One such technique is “carpet bombing”, where an Internet service provider’s individual customers are sent large volumes of garbage network traffic.

In some cases, the individual connections of customers are flooded. However, even when the traffic is not enough to flood a subscriber’s connection, the overall traffic on the network eventually adds up to a point where the ISP’s core network infrastructure cannot cope with the load.

Carpet bombing attacks are specifically used against organisations like ISPs with the aim of bringing down their whole network.

Data centre operators, web hosting companies, and large corporate networks – anyone who runs their own pool of IP addresses – are also examples of potential targets of carpet bombing attacks.
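Both of the mechanisms explained above (DNS amplification, also discussed in the Nexusguard piece earlier on this page, and carpet bombing) leave a distinctive footprint in flow data, and that footprint is what a network operator looks for. The following is an added example, not code from the original article or from any of the providers it names: it runs over constructed flow records (the addresses, ports, byte counts and thresholds are made up for illustration) and flags, first, hosts that receive large volumes of UDP/53 response traffic without having sent matching queries, which is what reflected DNS traffic toward a spoofed victim looks like, and second, /24 prefixes where many hosts each receive a flood that stays below a per-host alarm level while the prefix as a whole is saturated, which is the carpet-bombing pattern.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed flow records, not captured traffic:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes)
FLOWS = [
    # Normal lookup: a client queries a resolver and receives a modest answer.
    ("203.0.113.10", 40000, "198.51.100.53", 53, "udp", 60),
    ("198.51.100.53", 53, "203.0.113.10", 40000, "udp", 180),
    # Reflection: several resolvers answer a host that never sent a query,
    # the footprint of spoofed-source DNS amplification at the victim.
    ("198.51.100.53", 53, "203.0.113.77", 33333, "udp", 3200),
    ("198.51.100.54", 53, "203.0.113.77", 33333, "udp", 3300),
    ("198.51.100.55", 53, "203.0.113.77", 33333, "udp", 3100),
]
# Carpet bombing: 40 hosts in 192.0.2.0/24 each receive a flood that stays
# under a per-host alarm threshold, while the prefix as a whole is saturated.
for i in range(1, 41):
    FLOWS.append((f"198.51.100.{100 + i % 20}", 1234, f"192.0.2.{i}",
                  5060, "udp", 5_000_000))


def dns_amplification_victims(flows, min_ratio=10.0, min_bytes=4096):
    """Map each host receiving far more UDP/53 response bytes than the DNS
    query bytes it sent to its response/query byte ratio (inf if no queries)."""
    responses_in = defaultdict(int)
    queries_out = defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if sport == 53:
            responses_in[dst] += nbytes
        if dport == 53:
            queries_out[src] += nbytes
    victims = {}
    for host, nbytes in responses_in.items():
        if nbytes < min_bytes:
            continue
        sent = queries_out.get(host, 0)
        ratio = nbytes / sent if sent else float("inf")
        if ratio >= min_ratio:
            victims[host] = ratio
    return victims


def carpet_bombing_prefixes(flows, prefix_len=24, per_host_limit=50_000_000,
                            aggregate_limit=100_000_000, min_hosts=20):
    """Map each prefix where at least min_hosts hosts receive traffic, none of
    them exceeds per_host_limit, yet the prefix total exceeds aggregate_limit,
    to that total. Per-host alarms alone would never fire for such a prefix."""
    per_host = defaultdict(int)
    for _src, _sport, dst, _dport, _proto, nbytes in flows:
        per_host[dst] += nbytes
    per_prefix = defaultdict(dict)
    for host, nbytes in per_host.items():
        net = ip_network(f"{host}/{prefix_len}", strict=False)
        per_prefix[str(net)][host] = nbytes
    flagged = {}
    for net, hosts in per_prefix.items():
        total = sum(hosts.values())
        if (len(hosts) >= min_hosts and total >= aggregate_limit
                and max(hosts.values()) < per_host_limit):
            flagged[net] = total
    return flagged


if __name__ == "__main__":
    print("DNS amplification victims:", dns_amplification_victims(FLOWS))
    print("Carpet-bombed prefixes:", carpet_bombing_prefixes(FLOWS))
```

The two checks answer different questions. The amplification check is per host and keys on the asymmetry the article describes: responses arriving from port 53 with no queries leaving for port 53. The carpet-bombing check is per prefix and exists precisely because the per-host view is blind to it; in production the prefix size and the thresholds would come from the operator’s own address plan and baseline traffic rather than the constants used here.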

Source: https://mybroadband.co.za/news/internet/329539-massive-ddos-attacks-south-african-internet-providers-crippled.html