DoS Attacks Archive

Kaspersky identified a significant increase in DDoS attacks year-on-year.

According to cybersecurity firm Kaspersky, it’s been a busy year for cybercriminals who favour DDoS as their method of attack.

The Russian firm’s DDoS protection tool reportedly blocked 44 percent more attacks in Q4 2019 than in the same period the previous year.

Sundays were also busier than ever, highlighting the ever present nature of the threat posed by cybercrime. More than a quarter (28 percent) of all attacks happened on weekends, and the share of attacks performed on Sundays grew by 2.5 percent (to 13 percent overall).

Despite DDoS attacks growing year-on-year, they haven’t risen dramatically quarter-on-quarter. There was a “marginal” 8 percent increase between Q3 and Q4 2019, Kaspersky says.

A more notable rise (27 percent) was spotted in so-called smart DDoS attacks, which focus on the application layer and are usually carried out by skilled attackers.

“Despite the significant growth in general, the season turned out to be quieter than expected,” said Alexey Kiselev, Business Development Manager on the Kaspersky DDoS Protection team.

“Attackers can still find a way to spoil your leisure time, as cybercrime is not an ordinary nine-to-five job, so it is important to ensure that your DDoS prevention solution can automatically protect your web assets.”

Source: https://www.itproportal.com/news/ddos-attacks-through-the-roof-in-q4-2019/

 

The specific type of TCP attack used in the recent spate of DDoS efforts were TCP SYN-ACK reflection attacks.

The last 30 days has seen a renewed increase in distributed denial-of-service (DDoS) activity, according to researchers, who said that they have observed a number of criminal campaigns mounting TCP reflection DDoS attacks against corporations.

Researchers at Radware said that the list of victims include a number of large companies, including Amazon, IBM subsidiary SoftLayer, Eurobet Italia SRL, Korea Telecom, HZ Hosting and SK Broadband.

The first major event in October took the Eurobet network down. Eurobet, an online sports gambling website, suffered a campaign that persisted for days and impacted several other betting networks, according to Radware.

Then, later in October, amid a flurry of DDoS attacks targeting companies in nearly every vertical around the world, the firm identified another large-scale multi-vector campaign surfaced that targeting the financial and telecommunication industry in Italy, South Korea and Turkey.

“This attack was noticed by the security community due to the reflective nature of one of the attack vectors,” the researchers noted. “In a period of 24 hours, millions of TCP-SYN packets from nearly 7,000 distinct source IP addresses part of [the infrastructure of Turkish provider] Garanti Bilisim Teknolojisi ve Ticaret TR.A.S. were sensed globally and specifically targeting ports 22, 25, 53, 80 and 443.”

The activity is a continuation of an uptick in attackers leveraging TCP reflection attacks that began in 2018, according to the firm. These tend to be low bandwidth, but they generate high packet rates (increased volumes of packets per second) that require large amounts of resources from network devices to process the traffic and cause outages. That’s why large corporate and telecom networks are often targets, Radware researchers explained.

The specific type of TCP attack used in the recent spate of DDoS efforts were TCP SYN-ACK reflection attacks. In this scenario, an attacker sends a spoofed SYN packet, with the original source IP replaced by the victim’s IP address, to a range of random or pre-selected reflection IP addresses. The services at the reflection addresses reply with a SYN-ACK packet to the victim of the spoofed attack. If the victim does not respond, the reflection service will continue to retransmit the SYN-ACK packet, resulting in amplification. The amount of amplification depends on the number of SYN-ACK retransmits by the reflection service, which can be defined by the attacker.

Most of the targeted networks did not respond properly to the spoofed requests, which would have disabled the TCP retransmit amplification, according to the analysis.

The impact range of these kinds of campaigns is significant, according to Radware, degrading service at the targeted networks as well as reflection networks across the world.

“Not only do the targeted victims, who are often large and well-protected corporations, have to deal with floods of TCP traffic, but randomly selected reflectors, ranging from smaller businesses to homeowners, have to process the spoofed requests and potential legitimate replies from the target of the attack,” researchers wrote in a recent post. “Those that are not prepared for these kinds of spikes in traffic suffer from secondary outages, with SYN floods one of the perceived side-effects by the collateral victims.”

In the more recent TCP reflection attacks, the firm’s forensics showed that the attackers leveraged a large majority of the internet IPv4 address space as reflector, with a spoofed source originating from either bots or servers hosted on subnets and by without IP source address verification.

The 2019 activity follows an 11 percent dip in the number of DDoS attacks in the fourth quarter of 2018, following the FBI’s crackdown on 15 DDoS-for-hire sites.

Source: https://threatpost.com/massive-ddos-amazon-telecom-infrastructure/150096/

Various implementations of HTTP/2, the latest version of the HTTP network protocol, have been found vulnerable to multiple security vulnerabilities affecting the most popular web server software, including Apache, Microsoft’s IIS, and NGINX.

Launched in May 2015, HTTP/2 has been designed for better security and improved online experience by speeding up page loads. Today, over hundreds of millions of websites, or some 40 percent of all the sites on the Internet, are running using HTTP/2 protocol.

A total of eight high-severity HTTP/2 vulnerabilities, seven discovered by Jonathan Looney of Netflix and one by Piotr Sikora of Google, exist due to resource exhaustion when handling malicious input, allowing a client to overload server’s queue management code.

The vulnerabilities can be exploited to launch Denial of Service (DoS) attacks against millions of online services and websites that are running on a web server with the vulnerable implementation of HTTP/2, knocking them offline for everyone.

The attack scenario, in layman’s terms, is that a malicious client asks a targeted vulnerable server to do something which generates a response, but then the client refuses to read the response, forcing it to consume excessive memory and CPU while processing requests.

“These flaws allow a small number of low bandwidth malicious sessions to prevent connection participants from doing additional work. These attacks are likely to exhaust resources such that other connections or processes on the same machine may also be impacted or crash,” Netflix explains in an advisory released Tuesday.

Most of the below-listed vulnerabilities work at the HTTP/2 transport layer:

  1. CVE-2019-9511 — HTTP/2 “Data Dribble”
  2. CVE-2019-9512 — HTTP/2 “Ping Flood”
  3. CVE-2019-9513 — HTTP/2 “Resource Loop”
  4. CVE-2019-9514 — HTTP/2 “Reset Flood”
  5. CVE-2019-9515 — HTTP/2 “Settings Flood”
  6. CVE-2019-9516 — HTTP/2 “0-Length Headers Leak”
  7. CVE-2017-9517 — HTTP/2 “Internal Data Buffering”
  8. CVE-2019-9518 — HTTP/2 “Request Data/Header Flood”

“Some are efficient enough that a single end-system could potentially cause havoc on multiple servers. Other attacks are less efficient; however, even less efficient attacks can open the door for DDoS attacks which are difficult to detect and block,” the advisory states.

However, it should be noted that the vulnerabilities can only be used to cause a DoS condition and do not allow attackers to compromise the confidentiality or integrity of the data contained within the vulnerable servers.

Netflix security team, who teamed up with Google and CERT Coordination Center to disclose the reported HTTP/2 flaws, discovered seven out of eight vulnerabilities in several HTTP/2 server implementations in May 2019 and responsibly reported them to each of the affected vendors and maintainers.

According to CERT, affected vendors include NGINX, Apache, H2O, Nghttp2, Microsoft (IIS), Cloudflare, Akamai, Apple (SwiftNIO), Amazon, Facebook (Proxygen), Node.js, and Envoy proxy, many of which have already released security patches and advisories.

Source: https://thehackernews.com/2019/08/http2-dos-vulnerability.html

Popular chat service Discord experienced issues today due to network problems at Cloudflare and a wider internet issue. The app was inaccessible for its millions of users, and even Discord’s website and status pages were struggling. Discord’s problems could be traced to an outage at Cloudflare, a content delivery network. Cloudflare started experiencing issues at 7:43AM ET, and this caused Discord, Feedly, Crunchyroll, and many other sites that rely on its services to have partial outages.

Cloudflare says it’s working on a “possible route leak” affecting some of its network, but services like Discord have been inaccessible for nearly 45 minutes now. “Discord is affected by the general internet outage,” says a Discord statement on the company’s status site. “Hang tight. Pet your cats.”

“This leak is impacting many internet services including Cloudflare,” says a Cloudflare spokesperson. “We are continuing to work with the network provider that created this route leak to remove it.” Cloudflare doesn’t name the network involved, but Verizon is also experiencing widespread issues across the East Coast of the US this morning. Cloudflare notes that “the network responsible for the route leak has now fixed the issue,” so services should start to return to normal shortly.

Cloudfare explained the outage in an additional statement, commenting that “Earlier today, a widespread BGP routing leak affected a number of Internet services and a portion of traffic to Cloudflare. All of Cloudflare’s systems continued to run normally, but traffic wasn’t getting to us for a portion of our domains. At this point, the network outage has been fixed and traffic levels are returning to normal.”

Source: https://www.theverge.com/2019/6/24/18715308/discord-down-outage-cloudflare-problems-crunchyroll-feedly

Many companies underestimate the threat of DDoS, but 5G’s faster speeds and greater mobility will undoubtedly make attacks even more destructive.

When Airbnb, Netflix, GitHub, Twitter, CNN, Spotify, Reddit, and many other websites became fully or partially unavailable in October 2016, millions of users found it a mild nuisance. But for DNS provider Dyn, which was on the receiving end of massive DDoS attacks fuelled by a gigantic botnet, it caused mayhem.

This DDoS attack made it clear that cybercriminals are making bold moves that can potentially bring down the internet.

Fast forward to 2020: the impending deployment of 5G gives attackers more firepower than ever by creating easily exploitable targets they can enlist into botnets that overpower traditional DDoS defenses.

Along with experts’ warnings, available data highlights this trend. The ENISA Threat Landscape Report 2018 confirms that DDoS attacks are continuously evolving:

  • Close to 45% of DDoS attacks lasted for over 90 minutes while 4.62% of them persisted for 20+ hours
  • The average DDoS attack went on for 318.10 minutes, while the longest one continued for a stupefying six days, five hours, and 22 minutes
  • The first terabit DDoS was recorded in 2018 against GitHub (1.35Tbps), shortly followed by another one targeting Arbor Networks (1.7Tbs).

DDoS attacks have been around for 20 years, but the current tech environment is fuelling a renewed interest for them, with 5G set to play a fundamental role.

Factors that favour massive DDoS attacks in the 5G era

Security specialists cannot afford to overlook the appeal that 5G has to cybercriminals looking to make a hefty payday. Here are the factors that makes it easy for them to launch destructive DDoS attacks that put businesses at risk of complete shutdown.

1. Innovation outpaces the ability to secure it

The gap between adopting new tech and properly securing it is becoming steeper, and issue that regains prominence as 5G and AI has become a business reality.

Cybersecurity has moved from cost to necessity, but most decision makers haven’t made it a board-level priority, and attackers are fully aware of that.

2. DDoS for hire is cheaper than ever before

The cybercrime economy makes services like DDoS for hire prevalent and easily accessible. A 24-hour DDoS attack against a single target can cost as little as US$ 400. Access to cheap bots is significantly damaging to internet service providers (ISPs), as the average cost of such an attack rose to US$ 2.5 million in 2017.

3. 5G brings hyperconnectivity and expands the attack surface

While 5G has tremendous potential for growth and innovation, it comes with a huge caveat. Connecting more devices faster inevitably leads to an influx of malicious traffic. Attackers will exploit poorly secured devices and use the millions of leaked (and reused) credentials to build botnets that make Mirai look like a proof-of-concept.

The biggest risk is that large-scale DDoS attacks take down financial institutions and critical infrastructure. Thus, DDoS mitigation that can cope with attacks in the range of terabits becomes a crucial necessity.

4. Insufficient resources to tackle imminent dangers

CISOs already struggle to get resources to handle current threats while business leaders push for 5G adoption. Meanwhile, cybercriminals will take the opportunity to exploit higher capacity bandwidth that 5G provides to launch attacks on an unprecedented scale.

The companies must accept the responsibility for DDoS mitigation with consolidated security. Many companies underestimate the threat of DDoS, but 5G’s faster speeds and greater mobility will undoubtedly make attacks even more destructive. Business and security leaders must make a conscious decision to prioritize anti-DDoS measures.

By adopting custom-built solutions designed specifically to detect and defeat DDoS attacks, businesses can keep operations running smoothly. Moving focus from on-premise hardware firewalls to choosing a globally distributed network of scrubbing centers with unrivaled mitigation capacity may be a winning card in the Anti-DDoS battle.

Network operators must scrupulously monitor anomalous activity, access, and traffic patterns to curb large DDoS attacks.

CSPs must consider high-volume DDoS mitigation services and combine them with deep packet inspection (DPI) that doesn’t impact legitimate traffic or streaming quality.

It’s important to keep in mind that, once 5G is deployed, companies and individual users alike expect flawless connectivity and network performance, along with uncompromised security and privacy. In the coming years, balancing service quality with security is what will set visionary CSPs apart from the rest.

Source: https://www.scmagazineuk.com/security-concerns-5g-era-networks-ready-massive-ddos-attacks/article/1584554